From patchwork Wed Sep 27 22:16:52 2017
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 9974987
Date: Wed, 27 Sep 2017 15:16:52 -0700
In-Reply-To: <20170927221653.11219-1-mjg59@google.com>
Message-Id: <20170927221653.11219-6-mjg59@google.com>
References: <20170927221653.11219-1-mjg59@google.com>
X-Mailer: git-send-email 2.14.2.822.g60be5d43e6-goog
Subject: [PATCH 5/6] EVM: Write out HMAC xattrs in the new format
From: Matthew Garrett
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.vnet.ibm.com, Matthew Garrett
X-Mailing-List: linux-integrity@vger.kernel.org

Write out HMACs in the NG format rather than the original format.
Signed-off-by: Matthew Garrett --- security/integrity/evm/evm.h | 2 +- security/integrity/evm/evm_crypto.c | 10 ++++++---- security/integrity/evm/evm_main.c | 10 ++++++---- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h index 1d8201b1fb8a..e4de787508f2 100644 --- a/security/integrity/evm/evm.h +++ b/security/integrity/evm/evm.h @@ -56,7 +56,7 @@ int evm_init_key(void); int evm_update_evmxattr(struct dentry *dentry, const char *req_xattr_name, const char *req_xattr_value, - size_t req_xattr_value_len); + size_t req_xattr_value_len, u64 flags); int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, const char *req_xattr_value, size_t req_xattr_value_len, u64 flags, char *digest); diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 9ce55ac6781e..a00c48c52307 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -259,16 +259,18 @@ int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name, * Expects to be called with i_mutex locked. */ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, - const char *xattr_value, size_t xattr_value_len) + const char *xattr_value, size_t xattr_value_len, + u64 flags) { struct inode *inode = d_backing_inode(dentry); - struct evm_ima_xattr_data xattr_data; + struct evm_hmac_ng_data xattr_data; int rc = 0; rc = evm_calc_hmac(dentry, xattr_name, xattr_value, - xattr_value_len, evm_default_flags, xattr_data.digest); + xattr_value_len, flags, xattr_data.digest); if (rc == 0) { - xattr_data.type = EVM_XATTR_HMAC; + xattr_data.hdr.type = EVM_XATTR_HMAC_NG; + xattr_data.hdr.flags = cpu_to_be64(flags); rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM, &xattr_data, sizeof(xattr_data), 0); diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 383f003b428e..77eda423824d 100644 --- a/security/integrity/evm/evm_main.c 
+++ b/security/integrity/evm/evm_main.c @@ -188,7 +188,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, !IS_IMMUTABLE(d_backing_inode(dentry))) evm_update_evmxattr(dentry, xattr_name, xattr_value, - xattr_value_len); + xattr_value_len, + evm_default_flags); } break; case EVM_XATTR_HMAC_NG: @@ -427,7 +428,8 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, evm_reset_status(dentry->d_inode); - evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); + evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len, + evm_default_flags); } /** @@ -447,7 +449,7 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) evm_reset_status(dentry->d_inode); - evm_update_evmxattr(dentry, xattr_name, NULL, 0); + evm_update_evmxattr(dentry, xattr_name, NULL, 0, evm_default_flags); } /** @@ -488,7 +490,7 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) return; if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) - evm_update_evmxattr(dentry, NULL, NULL, 0); + evm_update_evmxattr(dentry, NULL, NULL, 0, evm_default_flags); } /*
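Review bot: in the evm_crypto.c hunk, the comment above evm_update_evmxattr() still only says "Expects to be called with i_mutex locked" and does not describe the new `u64 flags` parameter; it should state that `flags` is both fed into evm_calc_hmac() and written big-endian into `xattr_data.hdr.flags`, so a verifier must recompute the HMAC over exactly the flags it reads back from the header, and the two uses in this function must never be allowed to diverge. The one-line commit message should also spell out that existing EVM_XATTR_HMAC labels are now rewritten with type EVM_XATTR_HMAC_NG, since that on-disk format change is the user-visible effect of the patch.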
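Review bot: in the evm_verify_hmac() hunk, the return value of evm_update_evmxattr() is still discarded in the EVM_XATTR_HMAC case, so a failed rewrite of a legacy label into the NG format (the __vfs_setxattr_noperm() call inside evm_update_evmxattr can fail) is silent and the old-format label stays on disk. If that is intentional, a short comment at the call site saying the legacy label is deliberately left in place on failure would make the upgrade-on-verify behaviour clear to the next reader.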
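Review bot: in the evm_inode_post_setxattr() hunk, as in the post_removexattr, post_setattr and evm_verify_hmac hunks, every caller passes `evm_default_flags`, so within this patch the new parameter never takes any other value; either keep reading evm_default_flags inside evm_update_evmxattr() until a caller actually needs a different value, or say in the commit message which later patch in the series consumes the parameter, so the signature change is justified on its own.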