On Tue, 2021-07-27 at 16:33 +0000, THOBY Simon wrote:
> The kernel have the ability to restrict the set of hash algorithms
             ^kernel has
> it accepts for the security.ima xattr when it appraises files.
>
> Define a new IMA policy rule option "appraise_hash=",
> using the mentionned mechanism to expose a user-toggable policy
            ^mentioned
> knob to opt-in to that restriction and select the desired set of
> algorithms that must be accepted.
>
> When a policy rule uses the 'appraise_hash' option, appraisal of a
> file referenced by that rule will now fail if the digest algorithm
> employed to hash the file was not one of those explicitly listed
> in the option. In its absence, any hash algorithm compiled in the
> kernel will be accepted.
>
> For example, on a system where SELinux is properly deployed, the rule
>   appraise func=BPRM_CHECK obj_type=iptables_exec_t appraise_hash=sha256,sha384
> will block the execution of iptables if the xattr security.ima of its
> executables were not hashed with either sha256 or sha384.
>
> Signed-off-by: Simon Thoby <simon.thoby@xxxxxxxxxx>

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

> ---

<snip>

> @@ -1204,6 +1228,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  	entry->uid_op = &uid_eq;
>  	entry->fowner_op = &uid_eq;
>  	entry->action = UNKNOWN;
> +	entry->allowed_hashes = 0;

"entry" is zeroed when allocated.
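Review bot: the added `entry->allowed_hashes = 0;` in the ima_parse_rule() hunk is a no-op if, as noted above, the rule entry is zeroed at allocation; unlike the neighbouring `uid_op`, `fowner_op` and `action` assignments, which set non-zero defaults, this one only restates the allocator's default and can be dropped. If the intent is to document that "no appraise_hash= option means every compiled-in algorithm is accepted", a one-line comment at the point where the "appraise_hash=" token is parsed would carry that information without a redundant store.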