From 1fcac50e302c332faed232263a3b5770ac3d0fb3 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 28 Oct 2022 16:13:52 -0400
Subject: [PATCH] Log and reset 'errno' on lsetxattr failure
Writing either security.ima hashes or security.evm hmacs from userspace will fail regardless of the IMA or EVM fix mode. In fix mode, 'touch' will force security.ima and security.evm to be updated. Make the setxattr error messages more explicit and clear errno.
Reviewed-by: Stefan Berger
Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 955bd90..6c7f3d4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -572,7 +572,8 @@ static int sign_evm(const char *file, const char *key)
 if (xattr) {
 err = lsetxattr(file, xattr_evm, sig, len, 0);
 if (err < 0) {
- log_err("setxattr failed: %s\n", file);
+ log_errno_reset(LOG_ERR, "Setting EVM xattr failed: %s",
+ file);
 return err;
 }
 }
@@ -615,7 +616,9 @@ static int hash_ima(const char *file)
 if (xattr) {
 err = lsetxattr(file, xattr_ima, hash, len, 0);
 if (err < 0) {
- log_err("setxattr failed: %s\n", file);
+ log_errno_reset(LOG_ERR,
+ "Setting IMA hash xattr failed: %s",
+ file);
 return err;
 }
 }
@@ -652,7 +655,9 @@ static int sign_ima(const char *file, const char *key)
 if (xattr) {
 err = lsetxattr(file, xattr_ima, sig, len, 0);
 if (err < 0) {
- log_err("setxattr failed: %s\n", file);
+ log_errno_reset(LOG_ERR,
+ "Setting IMA sig xattr failed: %s",
+ file);
 return err;
 }
 }
@@ -1125,7 +1130,8 @@ static int setxattr_ima(const char *file, char *sig_file)
 err = lsetxattr(file, xattr_ima, sig, len, 0);
 if (err < 0)
- log_err("setxattr failed: %s\n", file);
+ log_errno_reset(LOG_ERR, "Setting IMA sig xattr failed: %s",
+ file);
 free(sig);
 return err;
 }
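Review bot: The new message in sign_evm hard-codes "EVM" while the call writes to whatever name `xattr_evm` holds, so the log can name a different attribute than the one that was rejected if that variable is ever set to something other than security.evm (its definition is outside this diff). Printing the name that was actually passed, e.g. `log_errno_reset(LOG_ERR, "Setting %s xattr failed: %s", xattr_evm, file);`, keeps the failure record exact for whoever audits a labelling run. The same applies to the `xattr_ima` messages in hash_ima, sign_ima and setxattr_ima and to the `xattr_evm` message in hmac_evm. sign_evm starts and ends outside this hunk.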
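Review bot: The lsetxattr call in hash_ima has no comment saying that this write is expected to be refused, although the commit description states that writing security.ima hashes from userspace fails regardless of fix mode. An operator reading the new error can mistake an intended kernel refusal for a permissions or filesystem problem. I would add above the call something like `/* The kernel does not accept security.ima hashes written from userspace, in fix mode or not; a failure here is expected. */`, and the equivalent comment for the HMAC write in hmac_evm. If `xattr_ima` can name a non-security attribute the comment should say the statement covers security.ima only; that is not visible here. hash_ima starts and ends outside this hunk.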
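Review bot: In setxattr_ima the `if (err < 0)` has no braces, and its body is now `log_errno_reset(...)`, which has to both log and clear errno. Its definition is outside this diff; if it is a macro expanding to more than one statement without a `do { ... } while (0)` wrapper, only the first statement is guarded, and the errno reset runs on the success path too. Bracing the call as the other four call sites do removes the dependency on how the macro is written: `if (err < 0) {` / `log_errno_reset(LOG_ERR, "Setting IMA sig xattr failed: %s", file);` / `}`. The function's opening lines are outside this hunk.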
@@ -1323,7 +1329,9 @@ static int hmac_evm(const char *file, const char *key)
 sig[0] = EVM_XATTR_HMAC;
 err = lsetxattr(file, xattr_evm, sig, len + 1, 0);
 if (err < 0) {
- log_err("setxattr failed: %s\n", file);
+ log_errno_reset(LOG_ERR,
+ "Setting EVM hmac xattr failed: %s",
+ file);
 return err;
 }
 }