evm: prevent passing integrity check if xattr read fails
authorDmitry Kasatkin <d.kasatkin@samsung.com>
Fri, 15 Aug 2014 10:49:22 +0000 (13:49 +0300)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Mon, 8 Sep 2014 21:36:10 +0000 (17:36 -0400)
This patch fixes a bug where evm_verify_hmac() returns INTEGRITY_PASS
if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs().

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
security/integrity/evm/evm_main.c

index fb71f55295dc0004139c5834b77299fc57728d44..40220124364caa075019cef979a4a13387955835 100644 (file)
@@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
        rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
                                GFP_NOFS);
        if (rc <= 0) {
-               if (rc == 0)
-                       evm_status = INTEGRITY_FAIL; /* empty */
-               else if (rc == -ENODATA) {
+               evm_status = INTEGRITY_FAIL;
+               if (rc == -ENODATA) {
                        rc = evm_find_protected_xattrs(dentry);
                        if (rc > 0)
                                evm_status = INTEGRITY_NOLABEL;
                        else if (rc == 0)
                                evm_status = INTEGRITY_NOXATTRS; /* new file */
+               } else if (rc == -EOPNOTSUPP) {
+                       evm_status = INTEGRITY_UNKNOWN;
                }
                goto out;
        }
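Review bot: The new fail-closed default `evm_status = INTEGRITY_FAIL;` carries no comment, and the removed `/* empty */` was the only hint about what the `rc == 0` case means. A comment on the assignment would help, such as `/* fail closed: empty xattr or any unhandled read error */`. A short note inside the `-ENODATA` branch should also say that a negative return from evm_find_protected_xattrs() deliberately leaves the status at FAIL, since that is the actual fix and is easy to undo in a later cleanup. The `-EOPNOTSUPP` branch is now the one error path that does not fail closed; how callers treat INTEGRITY_UNKNOWN is not visible in this hunk, so a comment stating why that errno is exempt would make the decision auditable. evm_verify_hmac() starts and continues outside the hunk.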