lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <c051d807-59a1-5dd0-40b7-be0867f0e43a@linux.vnet.ibm.com>
Date:   Fri, 25 Oct 2019 12:36:37 -0500
From:   Nayna Jain <nayna@...ux.vnet.ibm.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        Nayna Jain <nayna@...ux.ibm.com>, linuxppc-dev@...abs.org,
        linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org,
        Michael Ellerman <mpe@...erman.id.au>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Paul Mackerras <paulus@...ba.org>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Jeremy Kerr <jk@...abs.org>,
        Matthew Garret <matthew.garret@...ula.com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Claudio Carvalho <cclaudio@...ux.ibm.com>,
        George Wilson <gcwilson@...ux.ibm.com>,
        Elaine Palmer <erpalmer@...ibm.com>,
        Eric Ricther <erichte@...ux.ibm.com>,
        "Oliver O'Halloran" <oohall@...il.com>,
        Prakhar Srivastava <prsriva02@...il.com>
Subject: Re: [PATCH v9 7/8] ima: check against blacklisted hashes for files
 with modsig


On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
> On 10/23/2019 8:47 PM, Nayna Jain wrote:
>
>> +/*
>> + * ima_check_blacklist - determine if the binary is blacklisted.
>> + *
>> + * Add the hash of the blacklisted binary to the measurement list, 
>> based
>> + * on policy.
>> + *
>> + * Returns -EPERM if the hash is blacklisted.
>> + */
>> +int ima_check_blacklist(struct integrity_iint_cache *iint,
>> +            const struct modsig *modsig, int pcr)
>> +{
>> +    enum hash_algo hash_algo;
>> +    const u8 *digest = NULL;
>> +    u32 digestsize = 0;
>> +    int rc = 0;
>> +
>> +    if (!(iint->flags & IMA_CHECK_BLACKLIST))
>> +        return 0;
>> +
>> +    if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
>> +        ima_get_modsig_digest(modsig, &hash_algo, &digest, 
>> &digestsize);
>> +
>> +        rc = is_binary_blacklisted(digest, digestsize);
>> +        if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
>> +            process_buffer_measurement(digest, digestsize,
>> +                           "blacklisted-hash", NONE,
>> +                           pcr);
>> +    }
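Review bot: in the `if (iint->flags & IMA_MODSIG_ALLOWED && modsig)` branch, `hash_algo` is filled in by ima_get_modsig_digest() but never read afterwards, so is_binary_blacklisted() is keyed on the digest bytes and size alone and the algorithm the modsig used is discarded; either drop the variable if the lookup is meant to be algorithm-agnostic, or pass `hash_algo` along so that entries are matched per algorithm. On the same line, the condition relies on `&` binding tighter than `&&`; writing it as `if ((iint->flags & IMA_MODSIG_ALLOWED) && modsig)` matches the parenthesised `(rc == -EPERM) && (iint->flags & IMA_MEASURE)` test two lines below and avoids a checkpatch/readability nit.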
>
> The enum value "NONE" is being passed to process_buffer_measurement to 
> indicate that the check for required action based on ima policy is 
> already done by ima_check_blacklist. Not sure, but this can cause 
> confusion in the future when someone updates process_buffer_measurement.


As I explained in the response to the other patch, the purpose is to 
indicate that it is an auxiliary measurement record. By passing func as 
NONE, it implies there is no explicit policy to be queried for the 
template as it is an additional record for an existing policy and is to 
use the ima-buf template.

What type of confusion do you mean?

Thanks & Regards,

      - Nayna
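To make the gating under discussion concrete, here is an added user-space model (example code, not from the patch or from the kernel) of the flow: ima_check_blacklist() decides from the iint flags whether the blacklist lookup runs at all and whether a hit is measured, and process_buffer_measurement() treats func == NONE as "policy already applied", appending the record under the ima-buf template without querying policy, while any other hook is still checked. The flag values, the one-entry blacklist, the modsig layout, the in-memory measurement list and the policy_requires_measurement() stand-in are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example-only flag bits and errno; the real values live in the kernel. */
#define IMA_MEASURE          0x01u
#define IMA_CHECK_BLACKLIST  0x02u
#define IMA_MODSIG_ALLOWED   0x04u
#define EPERM                1

/* NONE marks an auxiliary record: the caller has already applied policy. */
enum ima_hooks { NONE = 0, BPRM_CHECK = 1 };

#define DIGEST_MAX 64
struct modsig { uint8_t digest[DIGEST_MAX]; uint32_t digestsize; };
struct integrity_iint_cache { unsigned int flags; };

struct measurement {
	char template_name[16];       /* "ima-buf" for auxiliary records */
	char eventname[32];
	int pcr;
	uint8_t digest[DIGEST_MAX];
	uint32_t digestsize;
};
#define MAX_RECORDS 8
static struct measurement measurement_list[MAX_RECORDS];
static size_t n_records;

/* Constructed blacklist: one SHA-256-sized digest that must not run. */
static const uint8_t blacklisted_digest[32] = {
	0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
	0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
	0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
	0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c,
};
static const uint8_t clean_digest[32] = { 0x11, 0x22, 0x33 }; /* contrast */

/* Returns -EPERM when the digest matches a blacklist entry. */
static int is_binary_blacklisted(const uint8_t *digest, uint32_t digestsize)
{
	if (digestsize == sizeof(blacklisted_digest) &&
	    memcmp(digest, blacklisted_digest, digestsize) == 0)
		return -EPERM;
	return 0;
}

/* Stand-in for the IMA policy query: only BPRM_CHECK is measured here. */
static int policy_requires_measurement(enum ima_hooks func)
{
	return func == BPRM_CHECK;
}

/* func == NONE: the caller already decided the record is wanted, so there is
 * no policy lookup and the record goes on the list as ima-buf. Other hooks
 * are still subject to policy. */
static void process_buffer_measurement(const uint8_t *buf, uint32_t size,
				       const char *eventname,
				       enum ima_hooks func, int pcr)
{
	struct measurement *m;

	if (func != NONE && !policy_requires_measurement(func))
		return;
	if (n_records == MAX_RECORDS || size > DIGEST_MAX)
		return;
	m = &measurement_list[n_records++];
	snprintf(m->template_name, sizeof(m->template_name), "ima-buf");
	snprintf(m->eventname, sizeof(m->eventname), "%s", eventname);
	m->pcr = pcr;
	memcpy(m->digest, buf, size);
	m->digestsize = size;
}

/* Same shape as the patch: gate on the flags, look up the modsig digest and,
 * on a hit, add the auxiliary record only when measurement is in effect. */
int ima_check_blacklist(const struct integrity_iint_cache *iint,
			const struct modsig *modsig, int pcr)
{
	int rc = 0;

	if (!(iint->flags & IMA_CHECK_BLACKLIST))
		return 0;
	if ((iint->flags & IMA_MODSIG_ALLOWED) && modsig) {
		rc = is_binary_blacklisted(modsig->digest, modsig->digestsize);
		if (rc == -EPERM && (iint->flags & IMA_MEASURE))
			process_buffer_measurement(modsig->digest,
						   modsig->digestsize,
						   "blacklisted-hash", NONE, pcr);
	}
	return rc;
}

size_t measurement_count(void) { return n_records; }
const struct measurement *measurement_at(size_t i) { return &measurement_list[i]; }

/* Run one scenario from an empty list; returns ima_check_blacklist()'s rc. */
int run_scenario(unsigned int flags, int use_blacklisted, int pcr)
{
	struct modsig ms;
	struct integrity_iint_cache iint = { flags };

	n_records = 0;
	memset(&ms, 0, sizeof(ms));
	memcpy(ms.digest, use_blacklisted ? blacklisted_digest : clean_digest, 32);
	ms.digestsize = 32;
	return ima_check_blacklist(&iint, &ms, pcr);
}

int main(void)
{
	int rc = run_scenario(IMA_CHECK_BLACKLIST | IMA_MODSIG_ALLOWED | IMA_MEASURE, 1, 10);

	printf("rc=%d records=%zu\n", rc, measurement_count());
	if (measurement_count())
		printf("template=%s event=%s pcr=%d\n", measurement_at(0)->template_name,
		       measurement_at(0)->eventname, measurement_at(0)->pcr);
	return 0;
}
```

The scenarios worth trying are the four flag combinations: blacklist check plus measure (denied and recorded), blacklist check without measure (denied, nothing recorded), no blacklist check requested (allowed, nothing recorded), and a clean digest (allowed). The policy stand-in is never consulted for the blacklisted-hash record, which is the point of passing NONE.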
