lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4280cbe7-6596-1827-4358-fb45d7c13f25@huawei.com>
Date:   Tue, 21 May 2019 09:32:26 +0200
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, <dmitry.kasatkin@...wei.com>,
        <mjg59@...gle.com>
CC:     <linux-integrity@...r.kernel.org>, <linux-doc@...r.kernel.org>,
        <linux-security-module@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com>,
        <stable@...r.kernel.org>
Subject: Re: [PATCH 4/4] ima: only audit failed appraisal verifications

On 5/20/2019 11:20 PM, Mimi Zohar wrote:
> On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
>> This patch ensures that integrity_audit_msg() is called only when the
>> status is not INTEGRITY_PASS.
>>
>> Fixes: 8606404fa555c ("ima: digital signature verification support")
>> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
>> Cc: stable@...r.kernel.org
>> ---
>>   security/integrity/ima/ima_appraise.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
>> index a32ed5d7afd1..f5f4506bcb8e 100644
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -359,8 +359,9 @@ int ima_appraise_measurement(enum ima_hooks func,
>>   			status = INTEGRITY_PASS;
>>   		}
>>   
>> -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
>> -				    op, cause, rc, 0);
>> +		if (status != INTEGRITY_PASS)
>> +			integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
>> +					    filename, op, cause, rc, 0);
> 
> For some reason, the integrity verification has failed.  In some
> specific cases, we'll let it pass, but do we really want to remove any
> indication that it failed in all cases?

Ok. It is fine for me to discard the patch.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ