| Message ID | 20230616192358.314906-3-roberto.sassu@huaweicloud.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Simple EVM HMAC calculation tests | expand |
On 6/16/23 15:23, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for > directory signing") removes fetching the inode generation for directories. > > While directories might not be signed, EVM currently calculates the HMAC on > them, including the inode generation. > > To keep user space and kernel space aligned, reenable fetching the inode > generation for directories, and add again the comment that the inode > generation cannot be obtained for special files. The user wouldn't notice anything, right? > > Fixes: Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for directory signing") > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- > src/evmctl.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index c24261cf0e6..7a3ffd7c823 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1229,7 +1229,11 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s > goto out; > } > > - if (S_ISREG(st.st_mode)) { > + if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) { > + /* > + * We cannot at the moment get generation of special files.. > + * kernel API does not support it. > + */ > int fd = open(file, 0); > > if (fd < 0) { Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
On Mon, 2023-06-19 at 11:54 -0400, Stefan Berger wrote: > > On 6/16/23 15:23, Roberto Sassu wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for > > directory signing") removes fetching the inode generation for directories. > > > > While directories might not be signed, EVM currently calculates the HMAC on > > them, including the inode generation. > > To keep user space and kernel space aligned, reenable fetching the inode > > generation for directories, and add again the comment that the inode > > generation cannot be obtained for special files. > > The user wouldn't notice anything, right? Probably not. This is just to verify that the HMAC is correct on directories. If it is possible to set the HMAC, that would mean that the HMAC on directories is invalid. But 'evmctl hmac' is just for debugging purposes. Thanks Roberto > > Fixes: Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for directory signing") > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > --- > > src/evmctl.c | 6 +++++- > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/src/evmctl.c b/src/evmctl.c > > index c24261cf0e6..7a3ffd7c823 100644 > > --- a/src/evmctl.c > > +++ b/src/evmctl.c > > @@ -1229,7 +1229,11 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s > > goto out; > > } > > > > - if (S_ISREG(st.st_mode)) { > > + if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) { > > + /* > > + * We cannot at the moment get generation of special files.. > > + * kernel API does not support it. > > + */ > > int fd = open(file, 0); > > > > if (fd < 0) { > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/evmctl.c b/src/evmctl.c index c24261cf0e6..7a3ffd7c823 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1229,7 +1229,11 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s goto out; } - if (S_ISREG(st.st_mode)) { + if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) { + /* + * We cannot at the moment get generation of special files.. + * kernel API does not support it. + */ int fd = open(file, 0); if (fd < 0) {