| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bdd8d85e-8ae9-6095-bb58-24653862f682@linux.vnet.ibm.com>
Date: Mon, 20 Jul 2020 13:02:57 -0400
From: Nayna <nayna@...ux.vnet.ibm.com>
To: Tyler Hicks <tyhicks@...ux.microsoft.com>,
Mimi Zohar <zohar@...ux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Prakhar Srivastava <prsriva02@...il.com>,
linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
Nayna Jain <nayna@...ux.ibm.com>
Subject: Re: [PATCH v3 07/12] ima: Fail rule parsing when
appraise_flag=blacklist is unsupportable
On 7/17/20 2:11 PM, Tyler Hicks wrote:
> On 2020-07-17 13:40:22, Nayna wrote:
>> On 7/9/20 2:19 AM, Tyler Hicks wrote:
>>> The "appraise_flag" option is only appropriate for appraise actions
>>> and its "blacklist" value is only appropriate when
>>> CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
>>> only appropriate when "appraise_type=imasig|modsig" is also present.
>>> Make this clear at policy load so that IMA policy authors don't assume
>>> that other uses of "appraise_flag=blacklist" are supported.
>>>
>>> Fixes: 273df864cf74 ("ima: Check against blacklisted hashes for files with modsig")
>>> Signed-off-by: Tyler Hicks <tyhicks@...ux.microsoft.com>
>>> Cc: Nayna Jain <nayna@...ux.ibm.com>
>>> ---
>>>
>>> * v3
>>> - New patch
>>>
>>> security/integrity/ima/ima_policy.c | 13 ++++++++++++-
>>> 1 file changed, 12 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>>> index 81da02071d41..9842e2e0bc6d 100644
>>> --- a/security/integrity/ima/ima_policy.c
>>> +++ b/security/integrity/ima/ima_policy.c
>>> @@ -1035,6 +1035,11 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>>> return false;
>>> }
>>> + /* Ensure that combinations of flags are compatible with each other */
>>> + if (entry->flags & IMA_CHECK_BLACKLIST &&
>>> + !(entry->flags & IMA_MODSIG_ALLOWED))
>>> + return false;
>>> +
>>> return true;
>>> }
>>> @@ -1371,8 +1376,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>>> result = -EINVAL;
>>> break;
>>> case Opt_appraise_flag:
>>> + if (entry->action != APPRAISE) {
>>> + result = -EINVAL;
>>> + break;
>>> + }
>>> +
>>> ima_log_string(ab, "appraise_flag", args[0].from);
>>> - if (strstr(args[0].from, "blacklist"))
>>> + if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
>>> + strstr(args[0].from, "blacklist"))
>>> entry->flags |= IMA_CHECK_BLACKLIST;
>> If IMA_APPRAISE_MODSIG is disabled, it will allow the following rule to
>> load, which is not as expected.
>>
>> "appraise func=xxx_CHECK appraise_flag=blacklist appraise_type=imasig"
>>
>> Missing is the "else" condition to immediately reject the policy rule.
> Thanks for the review. You're right. This change is needed:
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 9842e2e0bc6d..cf3ddb38dfa8 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1385,6 +1385,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
> strstr(args[0].from, "blacklist"))
> entry->flags |= IMA_CHECK_BLACKLIST;
> + else
> + result = -EINVAL;
> break;
> case Opt_permit_directio:
> entry->flags |= IMA_PERMIT_DIRECTIO;
>
Reviewed-by: Nayna Jain<nayna@...ux.ibm.com>
Tested-by: Nayna Jain<nayna@...ux.ibm.com>
Thanks & Regards,
- Nayna
Powered by blists - more mailing lists