Message ID | 20230129004637.191106-1-xiujianfeng@huawei.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | [-next] evm: call dump_security_xattr() in all cases to remove code duplication | expand |
> @@ -254,15 +264,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, > if (is_ima) > ima_present = true; > > - if (req_xattr_value_len < 64) > - pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name, > - req_xattr_value_len, > - (int)req_xattr_value_len, > - req_xattr_value); > - else > - dump_security_xattr(req_xattr_name, > - req_xattr_value, > - req_xattr_value_len); > + dump_security_xattr(req_xattr_name, > + req_xattr_value, > + req_xattr_value_len); > continue; > } > size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name, Hm, this patch doesn't apply properly. Mimi
Hi, On 2023/1/30 0:15, Mimi Zohar wrote: >> @@ -254,15 +264,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, >> if (is_ima) >> ima_present = true; >> >> - if (req_xattr_value_len < 64) >> - pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name, >> - req_xattr_value_len, >> - (int)req_xattr_value_len, >> - req_xattr_value); >> - else >> - dump_security_xattr(req_xattr_name, >> - req_xattr_value, >> - req_xattr_value_len); >> + dump_security_xattr(req_xattr_name, >> + req_xattr_value, >> + req_xattr_value_len); >> continue; >> } >> size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name, > > Hm, this patch doesn't apply properly. I noticed that the patch fails to apply on linux master, however this patch is meant for linux-next, would you please maybe have a look? > > Mimi> >
[Cc: Christian Brauner <brauner@kernel.org>] On Mon, 2023-01-30 at 12:02 +0800, xiujianfeng wrote: > Hi, > > On 2023/1/30 0:15, Mimi Zohar wrote: > >> @@ -254,15 +264,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, > >> if (is_ima) > >> ima_present = true; > >> > >> - if (req_xattr_value_len < 64) > >> - pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name, > >> - req_xattr_value_len, > >> - (int)req_xattr_value_len, > >> - req_xattr_value); > >> - else > >> - dump_security_xattr(req_xattr_name, > >> - req_xattr_value, > >> - req_xattr_value_len); > >> + dump_security_xattr(req_xattr_name, > >> + req_xattr_value, > >> + req_xattr_value_len); > >> continue; > >> } > >> size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name, > > > > Hm, this patch doesn't apply properly. > > I noticed that the patch fails to apply on linux master, however this > patch is meant for linux-next, would you please maybe have a look? I wasn't aware of the change. However, merge conflicts should not be "fixed", but mentioned immediately after the patch break line ("---") . FYI, this merge conflict is a result of commit 4609e1f18e19 ("fs: port ->permission() to pass mnt_idmap"). Patches for the linux-integrity branch should be based on the next- integrity branch.
On 2023/1/30 20:17, Mimi Zohar wrote: > [Cc: Christian Brauner <brauner@kernel.org>] > > On Mon, 2023-01-30 at 12:02 +0800, xiujianfeng wrote: >> Hi, >> >> On 2023/1/30 0:15, Mimi Zohar wrote: >>>> @@ -254,15 +264,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, >>>> if (is_ima) >>>> ima_present = true; >>>> >>>> - if (req_xattr_value_len < 64) >>>> - pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name, >>>> - req_xattr_value_len, >>>> - (int)req_xattr_value_len, >>>> - req_xattr_value); >>>> - else >>>> - dump_security_xattr(req_xattr_name, >>>> - req_xattr_value, >>>> - req_xattr_value_len); >>>> + dump_security_xattr(req_xattr_name, >>>> + req_xattr_value, >>>> + req_xattr_value_len); >>>> continue; >>>> } >>>> size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name, >>> >>> Hm, this patch doesn't apply properly. >> >> I noticed that the patch fails to apply on linux master, however this >> patch is meant for linux-next, would you please maybe have a look? > > I wasn't aware of the change. However, merge conflicts should not be > "fixed", but mentioned immediately after the patch break line ("---") . > FYI, this merge conflict is a result of commit 4609e1f18e19 ("fs: port > ->permission() to pass mnt_idmap"). > > Patches for the linux-integrity branch should be based on the next- > integrity branch. Thanks mimi, I assume you mean next-integrity branch on https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/, new patch already sent.
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 52b811da6989..033804f5a5f2 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -183,8 +183,8 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode, * Dump large security xattr values as a continuous ascii hexademical string. * (pr_debug is limited to 64 bytes.) */ -static void dump_security_xattr(const char *prefix, const void *src, - size_t count) +static void dump_security_xattr_l(const char *prefix, const void *src, + size_t count) { #if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG) char *asciihex, *p; @@ -200,6 +200,16 @@ static void dump_security_xattr(const char *prefix, const void *src, #endif } +static void dump_security_xattr(const char *name, const char *value, + size_t value_len) +{ + if (value_len < 64) + pr_debug("%s: (%zu) [%*phN]\n", name, value_len, + (int)value_len, value); + else + dump_security_xattr_l(name, value, value_len); +} + /* * Calculate the HMAC value across the set of protected security xattrs. * @@ -254,15 +264,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, if (is_ima) ima_present = true; - if (req_xattr_value_len < 64) - pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name, - req_xattr_value_len, - (int)req_xattr_value_len, - req_xattr_value); - else - dump_security_xattr(req_xattr_name, - req_xattr_value, - req_xattr_value_len); + dump_security_xattr(req_xattr_name, + req_xattr_value, + req_xattr_value_len); continue; } size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name, @@ -286,12 +290,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, if (is_ima) ima_present = true; - if (xattr_size < 64) - pr_debug("%s: (%zu) [%*phN]", xattr->name, xattr_size, - (int)xattr_size, xattr_value); - else - dump_security_xattr(xattr->name, xattr_value, - xattr_size); + dump_security_xattr(xattr->name, xattr_value, xattr_size); } hmac_add_misc(desc, inode, type, data->digest);
Currently dump_security_xattr() is used to dump security xattr value which is larger than 64 bytes, otherwise, pr_debug() is used. In order to remove code duplication, refator dump_security_xattr() and call it in all cases. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> --- security/integrity/evm/evm_crypto.c | 33 ++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-)