lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c9dffd9d29df095660beaa631ff252c4b33629a0.camel@linux.ibm.com>
Date:   Thu, 29 Jul 2021 17:20:42 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>,
        gregkh@...uxfoundation.org, mchehab+huawei@...nel.org
Cc:     linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC][PATCH v2 06/12] diglim: Interfaces - digest_list_add,
 digest_list_del

Hi Roberto,

On Mon, 2021-07-26 at 18:36 +0200, Roberto Sassu wrote:
> /*
> + * digest_list_read: read and parse the digest list from the path
> + */
> +static ssize_t digest_list_read(char *path, enum ops op)
> +{
> +       void *data = NULL;
> +       char *datap;
> +       size_t size;
> +       u8 actions = 0;
> +       struct file *file;
> +       char event_name[NAME_MAX + 9 + 1];
> +       u8 digest[IMA_MAX_DIGEST_SIZE] = { 0 };
> +       enum hash_algo algo;
> +       int rc, pathlen = strlen(path);
> +
> +       /* Remove \n. */
> +       datap = path;
> +       strsep(&datap, "\n");
> +
> +       file = filp_open(path, O_RDONLY, 0);
> +       if (IS_ERR(file)) {
> +               pr_err("unable to open file: %s (%ld)", path, PTR_ERR(file));
> +               return PTR_ERR(file);
> +       }
> +
> +       rc = kernel_read_file(file, 0, &data, INT_MAX, NULL,
> +                             READING_DIGEST_LIST);
> +       if (rc < 0) {
> +               pr_err("unable to read file: %s (%d)", path, rc);
> +               goto out;
> +       }
> +
> +       size = rc;
> +
> +       snprintf(event_name, sizeof(event_name), "%s_file_%s",
> +                op == DIGEST_LIST_ADD ? "add" : "del",
> +                file_dentry(file)->d_name.name);
> +
> +       rc = ima_measure_critical_data("diglim", event_name, data, size, false,
> +                                      digest, sizeof(digest));
> +       if (rc < 0 && rc != -EEXIST)
> +               goto out_vfree;

The digest lists could easily be measured while reading the digest list
file above in kernel_read_file().  What makes it "critical-data"?  In
the SELinux case, the in memory SELinux policy is being measured and
re-measured to make sure it hasn't been modified.  Is the digest list
file data being measured more than once?

I understand that with your changes to ima_measure_critical_data(),
which are now in next-integrity-testing branch, allow IMA to calculate
the file data hash.

thanks,

Mimi

> +
> +       algo = ima_get_current_hash_algo();
> +


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ