ima_verify: ignore -n flag
"evmutil ima_verify -n <some file>" disabled using xattrs without enabling
using a signature file, resulting in the use of uninitialized memory in
ima_verify_signature() and thus unpredictable results.
Such a mode of operation makes no sense, so interpret -n as
documented ("print result to stdout instead of setting xattr") and ignore it
during ima_verify. Instead, switch between the two verification modes only
via the global sigfile variable.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
This commit is contained in:
Patrick Ohly
Dmitry Kasatkin
parent
453d3db8a5
commit
199311e6a5
15
src/evmctl.c
15
src/evmctl.c
@ -734,19 +734,17 @@ static int verify_ima(const char *file)
|
|||||||
unsigned char sig[1024];
|
unsigned char sig[1024];
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
if (xattr) {
|
|
||||||
len = lgetxattr(file, "security.ima", sig, sizeof(sig));
|
|
||||||
if (len < 0) {
|
|
||||||
log_err("getxattr failed: %s\n", file);
|
|
||||||
return len;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sigfile) {
|
if (sigfile) {
|
||||||
void *tmp = file2bin(file, "sig", &len);
|
void *tmp = file2bin(file, "sig", &len);
|
||||||
|
|
||||||
memcpy(sig, tmp, len);
|
memcpy(sig, tmp, len);
|
||||||
free(tmp);
|
free(tmp);
|
||||||
|
} else {
|
||||||
|
len = lgetxattr(file, "security.ima", sig, sizeof(sig));
|
||||||
|
if (len < 0) {
|
||||||
|
log_err("getxattr failed: %s\n", file);
|
||||||
|
return len;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return ima_verify_signature(file, sig, len);
|
return ima_verify_signature(file, sig, len);
|
||||||
@ -1582,7 +1580,6 @@ int main(int argc, char *argv[])
|
|||||||
break;
|
break;
|
||||||
case 'f':
|
case 'f':
|
||||||
sigfile = 1;
|
sigfile = 1;
|
||||||
xattr = 0;
|
|
||||||
break;
|
break;
|
||||||
case 'u':
|
case 'u':
|
||||||
uuid_str = optarg;
|
uuid_str = optarg;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user