From: Roberto Sassu Date: Fri, 7 Jun 2013 10:16:39 +0000 (+0200) Subject: ima: defer determining the appraisal hash algorithm for 'ima' template X-Git-Tag: v3.13-rc1~18^2~16 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=add1c05dceb495a45036d66cdcbb3b2306de26c1;p=platform%2Fkernel%2Flinux-exynos.git ima: defer determining the appraisal hash algorithm for 'ima' template The same hash algorithm should be used for calculating the file data hash for the IMA measurement list, as for appraising the file data integrity. (The appraise hash algorithm is stored in the 'security.ima' extended attribute.) The exception is when the reference file data hash digest, stored in the extended attribute, is larger than the one supported by the template. In this case, the file data hash needs to be calculated twice, once for the measurement list and, again, for appraisal. Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 5e8b1f7..0b11bb4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -145,6 +145,7 @@ static int process_measurement(struct file *file, const char *filename, { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint; + struct ima_template_desc *template_desc = ima_template_desc_current(); char *pathbuf = NULL; const char *pathname = NULL; int rc = -ENOMEM, action, must_appraise, _func; @@ -188,7 +189,10 @@ static int process_measurement(struct file *file, const char *filename, goto out_digsig; } - if (action & IMA_APPRAISE_SUBMASK) + if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { + if (action & IMA_APPRAISE_SUBMASK) + xattr_ptr = &xattr_value; + } else xattr_ptr = &xattr_value; rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);