lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 27 Jun 2020 16:39:08 -0700 From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com> To: Tyler Hicks <tyhicks@...ux.microsoft.com>, Mimi Zohar <zohar@...ux.ibm.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com> Cc: James Morris <jmorris@...ei.org>, "Serge E . Hallyn" <serge@...lyn.com>, Prakhar Srivastava <prsriva02@...il.com>, linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [PATCH v2 06/11] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond On 6/26/20 3:38 PM, Tyler Hicks wrote: > The KEY_CHECK function only supports the uid, pcr, and keyrings > conditionals. Make this clear at policy load so that IMA policy authors > don't assume that other conditionals are supported. > > Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") > Signed-off-by: Tyler Hicks <tyhicks@...ux.microsoft.com> > --- > > * v2 > - No change > > security/integrity/ima/ima_policy.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 676d5557af1a..f9b1bdb897da 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -1018,6 +1018,13 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > if (entry->action & ~(MEASURE | DONT_MEASURE)) > return false; > > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | > + IMA_KEYRINGS)) > + return false; > + > + if (ima_rule_contains_lsm_cond(entry)) > + return false; > + > break; > default: > return false; > Reviewed-by: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Powered by blists - more mailing lists