@@ -28,6 +28,7 @@
#include <linux/fs.h>
#include "ima.h"
+#include "ima_template_lib.h"
#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
@@ -45,17 +46,19 @@ static struct notifier_block ima_lsm_policy_notifier = {
static int __init hash_setup(char *str)
{
struct ima_template_desc *template_desc = ima_template_desc_current();
- int i;
+ int algo;
if (hash_setup_done)
return 1;
+ algo = match_string(hash_algo_name, HASH_ALGO__LAST, str);
+ if (algo < 0) {
+ pr_err("invalid hash algorithm \"%s\"", str);
+ return 1;
+ }
+
if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
- if (strncmp(str, "sha1", 4) == 0) {
- ima_hash_algo = HASH_ALGO_SHA1;
- } else if (strncmp(str, "md5", 3) == 0) {
- ima_hash_algo = HASH_ALGO_MD5;
- } else {
+ if (!ima_template_hash_algo_allowed(algo)) {
pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
str, IMA_TEMPLATE_IMA_NAME);
return 1;
@@ -63,13 +66,7 @@ static int __init hash_setup(char *str)
goto out;
}
- i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
- if (i < 0) {
- pr_err("invalid hash algorithm \"%s\"", str);
- return 1;
- }
-
- ima_hash_algo = i;
+ ima_hash_algo = algo;
out:
hash_setup_done = 1;
return 1;
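Review bot: In the `IMA_TEMPLATE_IMA_NAME` branch of hash_setup() the accepted algorithm is never stored. The previous hunk removes the `ima_hash_algo = HASH_ALGO_SHA1` / `HASH_ALGO_MD5` assignments, while the `goto out;` kept as context here jumps past the only remaining `ima_hash_algo = algo;`. As a result, an `ima_hash=` request with the legacy template sets `hash_setup_done` but leaves `ima_hash_algo` at whatever value it already had, so measurements may not use the digest the administrator selected. Either add `ima_hash_algo = algo;` before `goto out;`, or drop the `goto out;` so the branch falls through to the shared assignment. Separately, `match_string()` compares the whole string where the removed `strncmp(str, "sha1", 4)` accepted any string with that prefix, so the commit message's "No functional change" does not hold on that point either.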
@@ -128,7 +128,7 @@ static int __init ima_template_setup(char *str)
* by the 'ima' template.
*/
if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
- ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
+ !ima_template_hash_algo_allowed(ima_hash_algo)) {
pr_err("template does not support hash alg\n");
return 1;
}
@@ -13,14 +13,6 @@
#include <linux/xattr.h>
#include <linux/evm.h>
-static bool ima_template_hash_algo_allowed(u8 algo)
-{
- if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
- return true;
-
- return false;
-}
-
enum data_formats {
DATA_FMT_DIGEST = 0,
DATA_FMT_DIGEST_WITH_ALGO,
@@ -66,4 +66,12 @@ int ima_eventinodexattrlengths_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
int ima_eventinodexattrvalues_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
+
+static inline bool ima_template_hash_algo_allowed(int algo)
+{
+ if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
+ return true;
+
+ return false;
+}
#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
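Review bot: Now that `ima_template_hash_algo_allowed()` is shared through a header, it should carry a short comment stating the rule it encodes, for example `/* The legacy "ima" template only supports SHA1 and MD5 digests. */`. Callers in ima_main.c and ima_template.c would otherwise have to infer this from the error strings. The body can also be reduced to `return algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5;`. The header uses the `HASH_ALGO_*` enumerators without a visible include in this hunk; presumably they arrive via "ima.h", which is worth confirming so the header stays self-contained.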
Make ima_template_hash_algo_allowed a utility function and refactor the compatibility checks in a couple of places. This should unify the compatibility check and make the code more streamlined. Also, rename the i in hash_setup to algo. No functional change in this patch. Signed-off-by: GUO Zihua <guozihua@huawei.com> --- v2: fix the check in hash_setup which is wrong --- security/integrity/ima/ima_main.c | 23 ++++++++++------------- security/integrity/ima/ima_template.c | 2 +- security/integrity/ima/ima_template_lib.c | 8 -------- security/integrity/ima/ima_template_lib.h | 8 ++++++++ 4 files changed, 19 insertions(+), 22 deletions(-)