lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1450873498.2774.33.camel@linux.vnet.ibm.com>
Date:	Wed, 23 Dec 2015 07:24:58 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Petko Manolov <petkan@...-labs.com>
Cc:	Sasha Levin <sasha.levin@...cle.com>, dmitry.kasatkin@...il.com,
	james.l.morris@...cle.com, serge@...lyn.com,
	linux-ima-devel@...ts.sourceforge.net,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: policy can be updated zero times

On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote:

> On 15-12-22 16:50:01, Sasha Levin wrote:
> > On 12/22/2015 04:40 PM, Petko Manolov wrote:
> > >> Thanks, Sasha.  By the time ima_update_policy() is called
> > >> >ima_release_policy() has already output the policy update status
> > >> >message.  I guess an empty policy could be considered a valid policy.
> > >> >Could you add a msg indicating that the new policy was empty?
> > > 
> > > As far as I can say we can't get to ima_update_policy() with empty 
> > > ima_temp_rules because ima_write_policy() will set valid_policy to 0 in case 
> > > of an empty rule.  I'll double check it tomorrow, but please you do that 
> > > too.
> > 
> > This is based on an actual crash rather than code analysis.
> 
> I was able to reproduce the crash with: echo "" > /sys/kernel/security/ima/policy
> 
> It turns out ima_parse_add_rule() returns 1, even though the string is empty 
> This logic may be part of "empty policy is a valid policy" or something else.  
> As it is more dangerous to change the behavior at this point i assume your patch 
> is the right solution for the problem.
> 
> Acked-by: Petko Manolov <petkan@...-labs.com>
> 
> Mimi, shall we change ima_parse_add_rule's behavior in the future or it's too 
> much work?

ima_parse_add_rules() has no way of knowing if the policy as a whole is
valid.  I would define a new function in ima_policy.c to return the
number of rules being added and call it at the beginning of
ima_release_policy() before the status message.  That way the number of
rules added can be included in the status message.

For now, the function could just return have rules or no rules, instead
of the number of rules.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ