[PATCH v2 5/9] evm: Use the inode holding the metadata to calculate metadata hash
kernel test robot
lkp at intel.com
Tue Feb 6 18:22:48 UTC 2024
Hi Stefan,
kernel test robot noticed the following build errors:
[auto build test ERROR on zohar-integrity/next-integrity]
[also build test ERROR on pcmoore-selinux/next linus/master v6.8-rc3 next-20240206]
[cannot apply to mszeredi-vfs/overlayfs-next mszeredi-vfs/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Stefan-Berger/ima-Rename-backing_inode-to-real_inode/20240206-022848
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link: https://lore.kernel.org/r/20240205182506.3569743-6-stefanb%40linux.ibm.com
patch subject: [PATCH v2 5/9] evm: Use the inode holding the metadata to calculate metadata hash
config: x86_64-rhel-8.3 (https://download.01.org/0day-ci/archive/20240207/202402070220.eYpQ6zcm-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240207/202402070220.eYpQ6zcm-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp at intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202402070220.eYpQ6zcm-lkp@intel.com/
All errors (new ones prefixed by >>):
security/integrity/evm/evm_crypto.c: In function 'evm_calc_hmac_or_hash':
>> security/integrity/evm/evm_crypto.c:226:54: error: 'D_REAL_METADATA' undeclared (first use in this function)
  226 |         struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA));
      |                                                      ^~~~~~~~~~~~~~~
security/integrity/evm/evm_crypto.c:226:54: note: each undeclared identifier is reported only once for each function it appears in
vim +/D_REAL_METADATA +226 security/integrity/evm/evm_crypto.c
212
213 /*
214  * Calculate the HMAC value across the set of protected security xattrs.
215  *
216  * Instead of retrieving the requested xattr, for performance, calculate
217  * the hmac using the requested xattr value. Don't alloc/free memory for
218  * each xattr, but attempt to re-use the previously allocated memory.
219  */
220 static int evm_calc_hmac_or_hash(struct dentry *dentry,
221 				 const char *req_xattr_name,
222 				 const char *req_xattr_value,
223 				 size_t req_xattr_value_len,
224 				 uint8_t type, struct evm_digest *data)
225 {
> 226 	struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA));
227 	struct xattr_list *xattr;
228 	struct shash_desc *desc;
229 	size_t xattr_size = 0;
230 	char *xattr_value = NULL;
231 	int error;
232 	int size, user_space_size;
233 	bool ima_present = false;
234
235 	if (!(inode->i_opflags & IOP_XATTR) ||
236 	    inode->i_sb->s_user_ns != &init_user_ns)
237 		return -EOPNOTSUPP;
238
239 	desc = init_desc(type, data->hdr.algo);
240 	if (IS_ERR(desc))
241 		return PTR_ERR(desc);
242
243 	data->hdr.length = crypto_shash_digestsize(desc->tfm);
244
245 	error = -ENODATA;
246 	list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
247 		bool is_ima = false;
248
249 		if (strcmp(xattr->name, XATTR_NAME_IMA) == 0)
250 			is_ima = true;
251
252 		/*
253 		 * Skip non-enabled xattrs for locally calculated
254 		 * signatures/HMACs.
255 		 */
256 		if (type != EVM_XATTR_PORTABLE_DIGSIG && !xattr->enabled)
257 			continue;
258
259 		if ((req_xattr_name && req_xattr_value)
260 		    && !strcmp(xattr->name, req_xattr_name)) {
261 			error = 0;
262 			crypto_shash_update(desc, (const u8 *)req_xattr_value,
263 					    req_xattr_value_len);
264 			if (is_ima)
265 				ima_present = true;
266
267 			dump_security_xattr(req_xattr_name,
268 					    req_xattr_value,
269 					    req_xattr_value_len);
270 			continue;
271 		}
272 		size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name,
273 					  &xattr_value, xattr_size, GFP_NOFS);
274 		if (size == -ENOMEM) {
275 			error = -ENOMEM;
276 			goto out;
277 		}
278 		if (size < 0)
279 			continue;
280
281 		user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry,
282 					       xattr->name, NULL, 0);
283 		if (user_space_size != size)
284 			pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n",
285 				 dentry->d_name.name, xattr->name, size,
286 				 user_space_size);
287 		error = 0;
288 		xattr_size = size;
289 		crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size);
290 		if (is_ima)
291 			ima_present = true;
292
293 		dump_security_xattr(xattr->name, xattr_value, xattr_size);
294 	}
295 	hmac_add_misc(desc, inode, type, data->digest);
296
297 	/* Portable EVM signatures must include an IMA hash */
298 	if (type == EVM_XATTR_PORTABLE_DIGSIG && !ima_present)
299 		error = -EPERM;
300 out:
301 	kfree(xattr_value);
302 	kfree(desc);
303 	return error;
304 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki