Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:security\integrity\ima\ima_appraise.c Create Date:2022-07-28 19:59:24
Last Modify:2020-03-12 14:18:49 Copyright©Brick

Name: ima_appraise_measurement - appraise file measurement. Call evm_verifyxattr() to verify the integrity of 'security.ima'. Assuming success, compare the xattr hash with the collected measurement. Return 0 on success, error code otherwise.

Proto:int ima_appraise_measurement(enum ima_hooks func, struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, int xattr_len, const struct modsig *modsig)

Type:int

Parameter:

Type | Parameter Name
enum ima_hooks | func
struct integrity_iint_cache * | iint
struct file * | file
const unsigned char * | filename
struct evm_ima_xattr_data * | xattr_value
int | xattr_len
const struct modsig * | modsig
353  op[] = "appraise_data"
354  cause = "unknown"
355  dentry = file_dentry(file)
356  inode = d_backing_inode - Get upper or lower inode we should be using. @upper: The upper layer. This is the helper that should be used to get at the inode that will be used if this dentry were to be opened as a file. The inode may be on the upper
357  status = INTEGRITY_UNKNOWN
358  rc = xattr_len
359  try_modsig = flags & IMA_MODSIG_ALLOWED && modsig
362  If Not (i_opflags & IOP_XATTR) && Not try_modsig Then Return INTEGRITY_UNKNOWN
366  If rc <= 0 && Not try_modsig Then
367  If rc && rc != -ENODATA Then Go to out
370  cause = If flags & IMA_DIGSIG_REQUIRED Then "IMA-signature-required" Else "missing-hash"
372  status = INTEGRITY_NOLABEL
373  If f_mode & FMODE_CREATED Then flags |= IMA_NEW_FILE
375  If flags & IMA_NEW_FILE && ( Not (flags & IMA_DIGSIG_REQUIRED) || i_size == 0 ) Then status = INTEGRITY_PASS
379  Go to out
382  status = evm_verifyxattr - verify the integrity of the requested xattr. @dentry: object of the verify xattr. @xattr_name: requested xattr. @xattr_value: requested xattr value. @xattr_value_len: requested xattr value length. Calculate the HMAC for the given dentry and
384  Case status == INTEGRITY_PASS
385  Case status == INTEGRITY_PASS_IMMUTABLE
386  Case status == INTEGRITY_UNKNOWN
387  Break
388  Case status == INTEGRITY_NOXATTRS
390  If try_modsig Then Break
393  Case status == INTEGRITY_NOLABEL
394  cause = "missing-HMAC"
395  Go to out
396  Case status == INTEGRITY_FAIL
397  cause = "invalid-HMAC"
398  Go to out
399  Default
400  WARN_ONCE(true, "Unexpected integrity status %d\n", status)
403  If xattr_value Then rc = xattr_verify - verify xattr digest or signature. Verify whether the hash or signature matches the file contents. Return 0 on success, error code otherwise.
411  If try_modsig && ( Not xattr_value || type == IMA_XATTR_DIGEST_NG || rc == -ENOKEY ) Then rc = modsig_verify - verify modsig signature. Verify whether the signature matches the file contents. Return 0 on success, error code otherwise.
416  out :
423  If s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE && ( s_iflags & SB_I_UNTRUSTED_MOUNTER || flags & IMA_FAIL_UNVERIFIABLE_SIGS ) Then
426  status = INTEGRITY_FAIL
427  cause = "unverifiable-signature"
428  integrity_audit_msg(Data integrity verification , inode, filename, op, cause, rc, 0)
430  Else if status != INTEGRITY_PASS Then
440  If i_size == 0 && flags & IMA_NEW_FILE && xattr_value && type == EVM_IMA_XATTR_DIGSIG Then
445  integrity_audit_msg(Data integrity verification , inode, filename, op, cause, rc, 0)
447  Else
448  ima_cache_flags(iint, func)
451  ima_set_cache_status(iint, func, status)
452  Return status
Caller
Name | Description
process_measurement