xref: /kernel/linux/linux-5.10/security/integrity/ima/ima_appraise.c

79 			 struct integrity_iint_cache *iint)
82 	u8 algo = iint->ima_hash->algo;
86 		iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
89 		iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
90 		iint->ima_hash->xattr.ng.algo = algo;
93 				   &iint->ima_hash->xattr.data[offset],
94 				   (sizeof(iint->ima_hash->xattr) - offset) +
95 				   iint->ima_hash->length, 0);
100 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
105 		return iint->ima_mmap_status;
107 		return iint->ima_bprm_status;
109 		return iint->ima_creds_status;
112 		return iint->ima_file_status;
115 		return iint->ima_read_status;
119 static void ima_set_cache_status(struct integrity_iint_cache *iint,
125 		iint->ima_mmap_status = status;
128 		iint->ima_bprm_status = status;
131 		iint->ima_creds_status = status;
135 		iint->ima_file_status = status;
139 		iint->ima_read_status = status;
144 static void ima_cache_flags(struct integrity_iint_cache *iint,
149 		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
152 		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
155 		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
159 		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
163 		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
227 static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
239 		if (iint->flags & IMA_DIGSIG_REQUIRED) {
244 		clear_bit(IMA_DIGSIG, &iint->atomic_flags);
246 				iint->ima_hash->length)
252 				    iint->ima_hash->digest,
253 				    iint->ima_hash->length);
264 		set_bit(IMA_DIGSIG, &iint->atomic_flags);
268 					     iint->ima_hash->digest,
269 					     iint->ima_hash->length);
279 						     iint->ima_hash->digest,
280 						     iint->ima_hash->length);
332 int ima_check_blacklist(struct integrity_iint_cache *iint,
340 	if (!(iint->flags & IMA_CHECK_BLACKLIST))
343 	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
347 		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
365 			     struct integrity_iint_cache *iint,
376 	bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
387 		cause = iint->flags & IMA_DIGSIG_REQUIRED ?
391 			iint->flags |= IMA_NEW_FILE;
392 		if ((iint->flags & IMA_NEW_FILE) &&
393 		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
400 				 rc < 0 ? 0 : rc, iint);
422 		rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
443 	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
453 			if (!ima_fix_xattr(dentry, iint))
458 		if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
466 		ima_cache_flags(iint, func);
469 	ima_set_cache_status(iint, func, status);
476 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
482 	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
485 	if ((iint->ima_file_status != INTEGRITY_PASS) &&
486 	    !(iint->flags & IMA_HASH))
489 	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
494 	ima_fix_xattr(dentry, iint);
510 	struct integrity_iint_cache *iint;
520 	iint = integrity_iint_find(inode);
521 	if (iint) {
522 		set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
524 			clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
546 	struct integrity_iint_cache *iint;
551 	iint = integrity_iint_find(inode);
552 	if (!iint)
554 	iint->measured_pcrs = 0;
555 	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
557 		set_bit(IMA_DIGSIG, &iint->atomic_flags);
559 		clear_bit(IMA_DIGSIG, &iint->atomic_flags);

Indexes created Thu Nov 07 10:32:03 CST 2024