dh/ima-evm-utils
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ima_verify: ignore -n flag

Browse Source 
"evmutil ima_verify -n <some file>" disabled using xattrs without enabling
using a signature file, resulting in the use of uninitialized memory in
ima_verify_signature() and thus unpredictable results.

Such a mode of operation makes no sense, so interpret -n as
documented ("print result to stdout instead of setting xattr") and ignore it
during ima_verify. Instead, switch between the two verification modes only
via the global sigfile variable.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
This commit is contained in:
Patrick Ohly
2015-08-13 18:21:54 +02:00
committed by Dmitry Kasatkin
parent 453d3db8a5
commit 199311e6a5
1 changed files with 6 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/evmctl.c
View File

@@ -734,19 +734,17 @@ static int verify_ima(const char *file)
unsigned char sig[1024];
int len;
if (xattr) {
len = lgetxattr(file, "security.ima", sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
return len;
}
}
if (sigfile) {
void *tmp = file2bin(file, "sig", &len);
memcpy(sig, tmp, len);
free(tmp);
} else {
len = lgetxattr(file, "security.ima", sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
return len;
}
}
return ima_verify_signature(file, sig, len);
@@ -1582,7 +1580,6 @@ int main(int argc, char *argv[])
break;
case 'f':
sigfile = 1;
xattr = 0;
break;
case 'u':
uuid_str = optarg;