| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Aug 2017 11:43:30 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>,
linux-security-module@...r.kernel.org
Cc: linux-ima-devel@...ts.sourceforge.net, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-kernel@...r.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
James Morris <james.l.morris@...cle.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
Jessica Yu <jeyu@...hat.com>,
Rusty Russell <rusty@...tcorp.com.au>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@...aro.org>
Subject: Re: [PATCH v4 7/7] ima: Support module-style appended signatures
for appraisal
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 87d2b601cf8e..5a244ebc61d9 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -190,6 +190,64 @@ int ima_read_xattr(struct dentry *dentry,
> return ret;
> }
>
> +static void process_xattr_error(int rc, struct integrity_iint_cache *iint,
> + int opened, char const **cause,
> + enum integrity_status *status)
> +{
> + if (rc && rc != -ENODATA)
> + return;
> +
> + *cause = iint->flags & IMA_DIGSIG_REQUIRED ?
> + "IMA-signature-required" : "missing-hash";
> + *status = INTEGRITY_NOLABEL;
> +
> + if (opened & FILE_CREATED)
> + iint->flags |= IMA_NEW_FILE;
> +
> + if ((iint->flags & IMA_NEW_FILE) &&
> + !(iint->flags & IMA_DIGSIG_REQUIRED))
> + *status = INTEGRITY_PASS;
> +}
> +
> +static int appraise_modsig(struct integrity_iint_cache *iint,
> + struct evm_ima_xattr_data *xattr_value,
> + int xattr_len)
> +{
> + enum hash_algo algo;
> + const void *digest;
> + void *buf;
> + int rc, len;
> + u8 dig_len;
> +
> + rc = ima_modsig_verify(INTEGRITY_KEYRING_IMA, xattr_value);
> + if (rc)
> + return rc;
> +
> + /*
> + * The signature is good. Now let's put the sig hash
> + * into the iint cache so that it gets stored in the
> + * measurement list.
> + */
> +
> + rc = ima_get_modsig_hash(xattr_value, &algo, &digest, &dig_len);
> + if (rc)
> + return rc;
> +
> + len = sizeof(iint->ima_hash) + dig_len;
> + buf = krealloc(iint->ima_hash, len, GFP_NOFS);
> + if (!buf)
> + return -ENOMEM;
> +
> + iint->ima_hash = buf;
> + iint->flags |= IMA_DIGSIG;
> + iint->ima_hash->algo = algo;
> + iint->ima_hash->length = dig_len;
> +
> + memcpy(iint->ima_hash->digest, digest, dig_len);
> +
> + return 0;
> +}
Depending on the IMA policy, the file could already have been
measured. That measurement list entry might include the file
signature, as stored in the xattr, in the ima-sig template data.
I think even if a measurement list entry exists, we would want an
additional measurement list entry, which includes the appended
signature in the ima-sig template data.
Mimi
Powered by blists - more mailing lists