Hi Simon,

On Tue, 2021-07-20 at 09:25 +0000, THOBY Simon wrote:
> This patch defines a new IMA policy rule option "appraise_hash=",
> that restricts the hash algorithms accepted for the extended attribute
> security.ima when appraising.
> This patch is *not* self-contained, as it plugs in the support for
> parsing the parameter and showing it to the user, but it doesn't enforce
> the hashes yet, this will come in a subsequent patch.

Right, in order for the patch set to be bisect safe, the order of patches 2 & 3 should be reversed. First implement the support, then add the policy rule support. Otherwise the policy rules could be processed, but not enforced.

thanks,

Mimi

>
> Here is an example of a valid rule that enforces the use of sha256 or
> sha512 when appraising iptables binaries:
> appraise func=BPRM_CHECK obj_type=iptables_exec_t appraise_type=imasig appraise_hash=sha256,sha512
>
> This does not apply only to IMA in hash mode, it also works with digital
> signatures, in which case it requires the hash (which was then signed
> by a trusted private key) to have been generated with one of the
> whitelisted algorithms.
>
> Signed-off-by: Simon Thoby <simon.thoby@xxxxxxxxxx>
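The quoted commit message describes the rule syntax ("appraise_hash=sha256,sha512") and the fact that the restriction applies both to hash-only security.ima values and to signed ones, because a v2 signature header carries the hash algorithm that was signed. The following is an added user-space model of that check, written for this thread and not part of Simon's patch set or of the kernel's IMA code. It assumes the security.ima layouts from the kernel headers: a digest value is a type byte IMA_XATTR_DIGEST_NG (0x04) followed by a hash_algo byte and the digest, and a signature value is EVM_IMA_XATTR_DIGSIG (0x03), version byte 2, hash_algo byte, then key id, size and signature. The enum hash_algo ids (sha1=2, sha256=4, sha512=6, ...) are taken from include/uapi/linux/hash_info.h; the legacy IMA_XATTR_DIGEST format and any other type are simply rejected here, which is a simplification of this example. All xattr values in the block are constructed test data, not real file attributes.

```python
"""Illustrative user-space model of an IMA "appraise_hash=" policy check.

This is example code written for the mailing-list discussion; it is not
the kernel implementation. Constant values mirror the kernel headers
(assumption: include/uapi/linux/hash_info.h and security/integrity).
"""

# enum hash_algo ids from hash_info.h (assumed), for the algorithms modelled here
HASH_ALGO_IDS = {
    "md4": 0, "md5": 1, "sha1": 2, "rmd160": 3,
    "sha256": 4, "sha384": 5, "sha512": 6, "sha224": 7,
}
ALGO_NAMES = {v: k for k, v in HASH_ALGO_IDS.items()}

IMA_XATTR_DIGEST_NG = 0x04   # type byte, hash_algo byte, digest
EVM_IMA_XATTR_DIGSIG = 0x03  # type byte, version byte (2), hash_algo byte, keyid, sig_size, sig


def parse_rule(rule):
    """Split an IMA policy rule into its action and its key=value options."""
    tokens = rule.split()
    if not tokens:
        raise ValueError("empty rule")
    opts = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed option {tok!r}")
        opts[key] = val
    return tokens[0], opts


def parse_appraise_hash(value):
    """Turn 'sha256,sha512' into the set of allowed hash_algo ids.

    Unknown names are rejected rather than ignored: silently dropping an
    unknown algorithm could leave a rule weaker than the admin intended.
    """
    allowed = set()
    for name in value.split(","):
        name = name.strip().lower()
        if name not in HASH_ALGO_IDS:
            raise ValueError(f"unknown hash algorithm in appraise_hash: {name!r}")
        allowed.add(HASH_ALGO_IDS[name])
    if not allowed:
        raise ValueError("appraise_hash= needs at least one algorithm")
    return allowed


def xattr_hash_algo(xattr):
    """Return the hash_algo id recorded in a security.ima value (modelled layouts only)."""
    if len(xattr) < 2:
        raise ValueError("security.ima too short")
    xtype = xattr[0]
    if xtype == IMA_XATTR_DIGEST_NG:
        return xattr[1]                       # hash-mode: algorithm of the stored digest
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(xattr) < 3 or xattr[1] != 2:   # only signature_v2_hdr is modelled
            raise ValueError("unsupported signature version")
        return xattr[2]                       # signature mode: algorithm that was signed
    raise ValueError(f"unsupported security.ima type 0x{xtype:02x}")


def appraise_allowed(rule, xattr):
    """True if the xattr's hash algorithm is permitted by the rule's appraise_hash=.

    A rule without appraise_hash= places no restriction, matching the
    opt-in semantics described in the commit message.
    """
    action, opts = parse_rule(rule)
    if action != "appraise" or "appraise_hash" not in opts:
        return True
    allowed = parse_appraise_hash(opts["appraise_hash"])
    return xattr_hash_algo(xattr) in allowed


# Constructed sample values (not real attributes): digests are all-zero and
# the signature body is dummy bytes; only the headers matter for this check.
RULE = ("appraise func=BPRM_CHECK obj_type=iptables_exec_t "
        "appraise_type=imasig appraise_hash=sha256,sha512")
XATTR_DIGEST_SHA256 = bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_IDS["sha256"]]) + b"\x00" * 32
XATTR_DIGEST_SHA1 = bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_IDS["sha1"]]) + b"\x00" * 20
XATTR_SIG_SHA512 = (bytes([EVM_IMA_XATTR_DIGSIG, 2, HASH_ALGO_IDS["sha512"]])
                    + b"\x12\x34\x56\x78" + b"\x01\x00" + b"\xaa" * 256)
XATTR_SIG_SHA1 = (bytes([EVM_IMA_XATTR_DIGSIG, 2, HASH_ALGO_IDS["sha1"]])
                  + b"\x12\x34\x56\x78" + b"\x01\x00" + b"\xaa" * 256)

if __name__ == "__main__":
    for label, x in [("digest sha256", XATTR_DIGEST_SHA256), ("digest sha1", XATTR_DIGEST_SHA1),
                     ("sig sha512", XATTR_SIG_SHA512), ("sig sha1", XATTR_SIG_SHA1)]:
        print(f"{label:14s} algo={ALGO_NAMES[xattr_hash_algo(x)]:7s} "
              f"allowed={appraise_allowed(RULE, x)}")
```

The point the model makes explicit is the one in the commit message: for a signed file the algorithm checked is the one in the signature header, so a valid signature over a sha1 digest is still rejected by a rule listing only sha256 and sha512, and a rule that names an algorithm the kernel does not know should fail to load rather than be silently accepted.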