On Thu, 2022-01-27 at 14:35 +0800, Guozihua (Scott) wrote: > > On 2022/1/26 22:43, Roberto Sassu wrote: > >> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > >> Sent: Wednesday, January 26, 2022 3:35 PM > >> On Wed, 2022-01-26 at 13:24 +0000, Roberto Sassu wrote: > >>>> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > >>>> Sent: Wednesday, January 26, 2022 1:48 PM > >>>> On Wed, 2022-01-26 at 15:41 +0800, Guozihua (Scott) wrote: > >>>>> > >>>>> > >>>>> The main issue lies in ima_template_desc_current called by hash_setup, > >>>>> which does not just read ima_template global variable, but also tries to > >>>>> set it if that hasn't been done already. Causing ima_template_setup to quit. > >>>> > >>>> Right, which calls ima_init_template_list(). So part of the solution > >>>> could be to conditionally call ima_init_template_list() > >>>> in ima_template_setup(). > >>>> > >>>> - if (ima_template) > >>>> - return 1; > >>>> - > >>>> - ima_init_template_list(); > >>>> + if (!ima_template > >>>> + ima_init_template_list(); > >>>> > >>>> Roberto, what do you think? > >>> > >>> Hi Mimi > >>> > >>> I think we wanted to prevent to set a digest algorithm > >>> incompatible with the chosen template. > >>> > >>> If we have in the kernel command line: > >>> > >>> ima_template=ima ima_hash=sha256 > >>> > >>> ima_hash_algo would be set to HASH_ALGO_SHA1 despite > >>> the user choice and the template would be set to 'ima'. > >>> > >>> In the opposite case: > >>> > >>> ima_hash=sha256 ima_template=ima > >>> > >>> if the default template is 'ima', then ima_hash_algo would be > >>> set to HASH_ALGO_SHA1. Otherwise, it would be > >>> HASH_ALGO_SHA256. If we allow the template to be set after > >>> the digest algorithm is evaluated, the template selection will > >>> be rejected if the algorithm is incompatible with the template. > >> > >> The only time that would occur is in the unlikely case that the > >> template is being set to "ima". That sounds reasonable. In fact we > >> should consider preventing the template format being set to "ima". > > > > Ok. < snip > > > I understand that the solution proposed here is to decommission template > "ima" and potentially removing related algo checks altogether? Eventually we might decide to do that, but right now we just want to address not being able to set "ima_template" after setting "ima_hash". thanks, Mimi
