
evmctl: Remove filtering support for file types unsupported by IMA

Remove support for filtering on file types unsupported by IMA from evmctl.
This now prevents func(de->d_name) from being invoked on symlinks, block device
files, etc. since signature verification on those file types is not
supported by IMA in the kernel.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Stefan Berger 2021-07-08 12:04:05 -04:00 committed by Mimi Zohar
parent 309d3369bb
commit 3f806e1100
2 changed files with 2 additions and 13 deletions

README

@ -51,7 +51,7 @@ OPTIONS
-o, --portable generate portable EVM signatures -o, --portable generate portable EVM signatures
-p, --pass password for encrypted signing key -p, --pass password for encrypted signing key
-r, --recursive recurse into directories (sign) -r, --recursive recurse into directories (sign)
-t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink) -t, --type file types to fix 'fxm' (f: file)
x - skip fixing if both ima and evm xattrs exist (use with caution) x - skip fixing if both ima and evm xattrs exist (use with caution)
m - stay on the same filesystem (like 'find -xdev') m - stay on the same filesystem (like 'find -xdev')
-n print result to stdout instead of setting xattr -n print result to stdout instead of setting xattr


@ -142,10 +142,6 @@ typedef int (*find_cb_t)(const char *path);
static int find(const char *path, int dts, find_cb_t func); static int find(const char *path, int dts, find_cb_t func);
#define REG_MASK (1 << DT_REG) #define REG_MASK (1 << DT_REG)
#define DIR_MASK (1 << DT_DIR)
#define LNK_MASK (1 << DT_LNK)
#define CHR_MASK (1 << DT_CHR)
#define BLK_MASK (1 << DT_BLK)
struct command cmds[]; struct command cmds[];
static void print_usage(struct command *cmd); static void print_usage(struct command *cmd);
@ -668,10 +664,6 @@ static int get_file_type(const char *path, const char *search_type)
switch (search_type[i]) { switch (search_type[i]) {
case 'f': case 'f':
dts |= REG_MASK; break; dts |= REG_MASK; break;
case 'd':
dts |= DIR_MASK; break;
case 's':
dts |= BLK_MASK | CHR_MASK | LNK_MASK; break;
case 'x': case 'x':
check_xattr = true; break; check_xattr = true; break;
case 'm': case 'm':
@ -1371,9 +1363,6 @@ static int find(const char *path, int dts, find_cb_t func)
return -1; return -1;
} }
if (dts & DIR_MASK)
func(path);
closedir(dir); closedir(dir);
return 0; return 0;
@ -2517,7 +2506,7 @@ static void usage(void)
" -o, --portable generate portable EVM signatures\n" " -o, --portable generate portable EVM signatures\n"
" -p, --pass password for encrypted signing key\n" " -p, --pass password for encrypted signing key\n"
" -r, --recursive recurse into directories (sign)\n" " -r, --recursive recurse into directories (sign)\n"
" -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n" " -t, --type file types to fix 'fxm' (f: file)\n"
" x - skip fixing if both ima and evm xattrs exist (use with caution)\n" " x - skip fixing if both ima and evm xattrs exist (use with caution)\n"
" m - stay on the same filesystem (like 'find -xdev')\n" " m - stay on the same filesystem (like 'find -xdev')\n"
" -n print result to stdout instead of setting xattr\n" " -n print result to stdout instead of setting xattr\n"
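Review bot: With the `case 'd':` and `case 's':` arms removed from the `switch` in get_file_type (second hunk, right after `case 'f':`), a `-t` string that still contains those letters no longer selects anything and presumably reaches the switch's `default` arm, which lies outside the hunk; if that arm rejects the input, existing invocations such as `-t fds` now fail outright rather than being narrowed to regular files. That user-visible change is worth stating in the commit message, or the letters could stay accepted for one release as `case 'd': case 's': /* no longer supported by IMA; ignored */ break;` so scripts keep working while only regular files are processed. The README and usage text (last hunk) now document only `f`, so a hard rejection would at least be consistent with the help output. get_file_type's body begins and ends outside the hunk.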