evmctl: Remove filtering support for file types unsupported by IMA

Remove support for filtering on file types unsupported by IMA from evmctl. This now prevents func(de->d_name) to be invoked on symlinks, block device files, etc. since signature verification on those file types is not supported by IMA in the kernel. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2021-07-08 12:04:05 -04:00 · 2021-07-08 12:04:05 -04:00 · 3f806e1100
commit 3f806e1100
parent 309d3369bb
2 changed files with 2 additions and 13 deletions
--- a/2
+++ b/2
@ -51,7 +51,7 @@ OPTIONS
  -o, --portable     generate portable EVM signatures
  -p, --pass         password for encrypted signing key
  -r, --recursive    recurse into directories (sign)
-  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
+  -t, --type         file types to fix 'fxm' (f: file)
                     x - skip fixing if both ima and evm xattrs exist (use with caution)
                     m - stay on the same filesystem (like 'find -xdev')
  -n                 print result to stdout instead of setting xattr
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -142,10 +142,6 @@ typedef int (*find_cb_t)(const char *path);
 static int find(const char *path, int dts, find_cb_t func);

 #define REG_MASK	(1 << DT_REG)
-#define DIR_MASK	(1 << DT_DIR)
-#define LNK_MASK	(1 << DT_LNK)
-#define CHR_MASK	(1 << DT_CHR)
-#define BLK_MASK	(1 << DT_BLK)

 struct command cmds[];
 static void print_usage(struct command *cmd);
@ -668,10 +664,6 @@ static int get_file_type(const char *path, const char *search_type)
 		switch (search_type[i]) {
 		case 'f':
 			dts |= REG_MASK; break;
-		case 'd':
-			dts |= DIR_MASK; break;
-		case 's':
-			dts |= BLK_MASK | CHR_MASK | LNK_MASK; break;
 		case 'x':
 			check_xattr = true; break;
 		case 'm':
@ -1371,9 +1363,6 @@ static int find(const char *path, int dts, find_cb_t func)
 		return -1;
 	}

-	if (dts & DIR_MASK)
-		func(path);
-
 	closedir(dir);

 	return 0;
@ -2517,7 +2506,7 @@ static void usage(void)
 		"  -o, --portable     generate portable EVM signatures\n"
 		"  -p, --pass         password for encrypted signing key\n"
 		"  -r, --recursive    recurse into directories (sign)\n"
-		"  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n"
+		"  -t, --type         file types to fix 'fxm' (f: file)\n"
 		"                     x - skip fixing if both ima and evm xattrs exist (use with caution)\n"
 		"                     m - stay on the same filesystem (like 'find -xdev')\n"
 		"  -n                 print result to stdout instead of setting xattr\n"