From 083f41e874ee0f3b389b650a90c5ebd111244333 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 9 Mar 2011 14:28:20 -0500 Subject: [PATCH] --- yaml --- r: 264481 b: refs/heads/master c: 6be5cc5246f807fd8ede9f5f1bb2826f2c598658 h: refs/heads/master i: 264479: db9f3de5e094fb0c8899abfb5077b4fa2e4c1738 v: v3 --- [refs] | 2 +- trunk/include/linux/integrity.h | 1 + trunk/security/integrity/evm/evm_crypto.c | 11 +++++++---- trunk/security/integrity/evm/evm_main.c | 10 +++++----- trunk/security/integrity/integrity.h | 11 +++++++++++ 5 files changed, 25 insertions(+), 10 deletions(-) diff --git a/[refs] b/[refs] index e423e24f9353..27a7c35d7c3b 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 66dbc325afcef909043c30e90930a36823fc734c +refs/heads/master: 6be5cc5246f807fd8ede9f5f1bb2826f2c598658 diff --git a/trunk/include/linux/integrity.h b/trunk/include/linux/integrity.h index e715a2abcea2..968443385678 100644 --- a/trunk/include/linux/integrity.h +++ b/trunk/include/linux/integrity.h @@ -19,6 +19,7 @@ enum integrity_status { INTEGRITY_UNKNOWN, }; +/* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY extern int integrity_inode_alloc(struct inode *inode); extern void integrity_inode_free(struct inode *inode); diff --git a/trunk/security/integrity/evm/evm_crypto.c b/trunk/security/integrity/evm/evm_crypto.c index d49bb002f3da..c631b99bda95 100644 --- a/trunk/security/integrity/evm/evm_crypto.c +++ b/trunk/security/integrity/evm/evm_crypto.c 
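Review bot: The comment `/* List of EVM protected security xattrs */` added above `#ifdef CONFIG_INTEGRITY` in include/linux/integrity.h does not describe anything that follows it; the next lines are the integrity_inode_alloc/integrity_inode_free prototypes, and no list of xattr names appears anywhere in this hunk. It reads like a leftover from a declaration that was dropped before the commit and will mislead the next reader of the header. Either drop the line or move it next to the xattr list it refers to, if that list lives in a file outside this patch.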
@@ -141,14 +141,17 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
 const char *xattr_value, size_t xattr_value_len)
 {
 struct inode *inode = dentry->d_inode;
- u8 hmac[SHA1_DIGEST_SIZE];
+ struct evm_ima_xattr_data xattr_data;
 int rc = 0;
 
 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
- xattr_value_len, hmac);
+ xattr_value_len, xattr_data.digest);
- if (rc == 0)
+ if (rc == 0) {
+ xattr_data.type = EVM_XATTR_HMAC;
 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM,
- hmac, SHA1_DIGEST_SIZE, 0);
+ &xattr_data,
+ sizeof(xattr_data), 0);
+ }
 else if (rc == -ENODATA)
 rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM);
 return rc;
diff --git a/trunk/security/integrity/evm/evm_main.c b/trunk/security/integrity/evm/evm_main.c
index a8fa45fef8f1..c0580dd15ec0 100644
--- a/trunk/security/integrity/evm/evm_main.c
+++ b/trunk/security/integrity/evm/evm_main.c
@@ -51,20 +51,20 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 size_t xattr_value_len,
 struct integrity_iint_cache *iint)
 {
- char hmac_val[SHA1_DIGEST_SIZE];
+ struct evm_ima_xattr_data xattr_data;
 int rc;
 
 if (iint->hmac_status != INTEGRITY_UNKNOWN)
 return iint->hmac_status;
 
- memset(hmac_val, 0, sizeof hmac_val);
 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
- xattr_value_len, hmac_val);
+ xattr_value_len, xattr_data.digest);
 if (rc < 0)
 return INTEGRITY_UNKNOWN;
 
- rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, hmac_val, sizeof hmac_val,
- GFP_NOFS);
+ xattr_data.type = EVM_XATTR_HMAC;
+ rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, (u8 *)&xattr_data,
+ sizeof xattr_data, GFP_NOFS);
 if (rc < 0)
 goto err_out;
 iint->hmac_status = INTEGRITY_PASS;
diff --git a/trunk/security/integrity/integrity.h b/trunk/security/integrity/integrity.h
index 397a46b3992f..7efbf560b7d5 100644
--- a/trunk/security/integrity/integrity.h
+++ b/trunk/security/integrity/integrity.h
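Review bot: In evm_update_evmxattr, `xattr_data` is declared without an initializer and only `type` and `digest` are assigned before the whole object is handed to `__vfs_setxattr_noperm` as `&xattr_data, sizeof(xattr_data)`; that is sound only because struct evm_ima_xattr_data is declared `__attribute__((packed))` in integrity.h, so there are no padding bytes that could carry uninitialized stack contents into the persisted security.evm value. Making that explicit removes the dependency on the attribute if the struct ever gains a field: `struct evm_ima_xattr_data xattr_data = { .type = EVM_XATTR_HMAC };` at the declaration, after which the assignment inside the `rc == 0` branch is redundant. The hunk also spells the size as `sizeof(xattr_data)` while the matching evm_main.c hunk uses `sizeof xattr_data`; the two sites should use one form. The closing brace of evm_update_evmxattr is outside the hunk.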
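Review bot: The comparison in evm_verify_hmac now spans `sizeof xattr_data` (type byte plus digest) instead of the bare SHA1_DIGEST_SIZE HMAC, so a security.evm value stored in the old raw-HMAC layout, or one whose first byte is any type other than EVM_XATTR_HMAC, no longer matches; how that surfaces depends on how vfs_xattr_cmp treats a length mismatch, which is not visible in this patch. That is presumably intended, but the call deserves a comment such as `/* stored value must be the type byte EVM_XATTR_HMAC followed by the HMAC; any other layout fails verification */`, and the EVM_IMA_XATTR_DIGSIG type introduced in integrity.h is not dispatched here yet. Dropping the memset is fine only if evm_calc_hmac writes all SHA1_DIGEST_SIZE bytes of `digest` whenever it returns 0; its body is not in this patch, so confirm. The function continues past the hunk, where the err_out label lives.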
@@ -18,6 +18,17 @@
 /* iint cache flags */
 #define IMA_MEASURED 0x01
 
+enum evm_ima_xattr_type {
+ IMA_XATTR_DIGEST = 0x01,
+ EVM_XATTR_HMAC,
+ EVM_IMA_XATTR_DIGSIG,
+};
+
+struct evm_ima_xattr_data {
+ u8 type;
+ u8 digest[SHA1_DIGEST_SIZE];
+} __attribute__((packed));
+
 /* integrity data associated with an inode */
 struct integrity_iint_cache {
 struct rb_node rb_node; /* rooted in integrity_iint_tree */
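Review bot: enum evm_ima_xattr_type and struct evm_ima_xattr_data define an on-disk format (the evm_crypto.c hunk writes the struct verbatim as the security.evm xattr), yet nothing in the header says so, which invites a later renumbering or reordering that would invalidate every stored value. A comment above the enum such as `/* On-disk layout of the EVM/IMA xattr value: one type byte followed by the digest. The values are persisted; append new types, never renumber. */` would capture that, and could also explain why IMA_XATTR_DIGEST starts at 0x01 rather than 0 (presumably so that a zeroed byte is never a valid type; confirm). As a point of style, kernel code conventionally writes `__packed` rather than the bare `__attribute__((packed))`, and the constants mix three prefixes (IMA_XATTR_, EVM_XATTR_, EVM_IMA_XATTR_) in one enum.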