
Commit c2baec7f authored by Dmitry Kasatkin, committed by Mimi Zohar

evm: skip replacing EVM signature with HMAC on read-only filesystem



If the filesystem is mounted read-only or the file is immutable, updating
the xattr will fail. This is a usual case during early boot until the
filesystem is remounted read-write. This patch verifies the conditions
to skip an unnecessary attempt to calculate the HMAC and set the xattr.

Changes in v2:
* indention changed according to Lindent (requested by Mimi)

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent d16a8585
+8 −3
@@ -162,8 +162,13 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
					(const char *)xattr_data, xattr_len,
					calc.digest, sizeof(calc.digest));
		if (!rc) {
			/* we probably want to replace rsa with hmac here */
			evm_update_evmxattr(dentry, xattr_name, xattr_value,
			/* Replace RSA with HMAC if not mounted readonly and
			 * not immutable
			 */
			if (!IS_RDONLY(dentry->d_inode) &&
			    !IS_IMMUTABLE(dentry->d_inode))
				evm_update_evmxattr(dentry, xattr_name,
						    xattr_value,
						    xattr_value_len);
		}
		break;
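Review bot: the new comment above the `if (!IS_RDONLY(dentry->d_inode) && !IS_IMMUTABLE(dentry->d_inode))` test restates the condition but not the reason for it. The commit message has the reason (the xattr update fails on a read-only filesystem or an immutable file, usually during early boot), and a one-line version of that belongs in the comment so the check is not later mistaken for a policy decision. The comment should also follow the usual kernel multi-line layout with the opening `/*` on its own line. Two smaller points in the same block: `dentry->d_inode` is dereferenced twice and would read better as a local, and the result of evm_update_evmxattr() is still not checked, so an update that fails for some other reason stays silent. If that is intentional because the signature has already verified at this point (`!rc`), and only the RSA-to-HMAC conversion is being skipped or lost, the comment is the place to say so.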