path: root/security/integrity
diff options
authorRoberto Sassu <roberto.sassu@polito.it>2013-06-07 12:16:39 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-10-26 21:32:53 -0400
commitadd1c05dceb495a45036d66cdcbb3b2306de26c1 (patch)
treeb432080d2151c60c3ce7d07f68336113befa096d /security/integrity
parent5278aa52f35003ddafda80b0243b3693f935b134 (diff)
ima: defer determining the appraisal hash algorithm for 'ima' template
The same hash algorithm should be used for calculating the file data hash for the IMA measurement list, as for appraising the file data integrity. (The appraise hash algorithm is stored in the 'security.ima' extended attribute.) The exception is when the reference file data hash digest, stored in the extended attribute, is larger than the one supported by the template. In this case, the file data hash needs to be calculated twice, once for the measurement list and, again, for appraisal. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
1 files changed, 5 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5e8b1f7becd2..0b11bb49ac4f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -145,6 +145,7 @@ static int process_measurement(struct file *file, const char *filename,
struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint;
+ struct ima_template_desc *template_desc = ima_template_desc_current();
char *pathbuf = NULL;
const char *pathname = NULL;
int rc = -ENOMEM, action, must_appraise, _func;
@@ -188,7 +189,10 @@ static int process_measurement(struct file *file, const char *filename,
goto out_digsig;
- if (action & IMA_APPRAISE_SUBMASK)
+ if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
+ if (action & IMA_APPRAISE_SUBMASK)
+ xattr_ptr = &xattr_value;
+ } else
xattr_ptr = &xattr_value;
rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);