On Wed, 2021-08-04 at 09:20 +0000, THOBY Simon wrote:
> The kernel accepts any hash algorithm as a value for the security.ima
> xattr. Users may wish to restrict the accepted algorithms to only
> support strong cryptographic ones.
>
> Provide the plumbing to restrict the permitted set of hash algorithms
> used for verifying file hashes and digest algorithms stored in
> security.ima xattr.

simplify by saying "file hashes and signatures stored ..."

>
> This does not apply only to IMA in hash mode, it also works with digital
> signatures, where the hash from which the signature is derived (by
> signing it with the trusted private key) must obey the same
> restrictions. The patch is limited to appraisal.

Is the above paragraph needed?

>
> Signed-off-by: Simon Thoby <simon.thoby@xxxxxxxxxx>
> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

This patch restricts the "hash algorithms". Looking this over again
after some time, does truncating variable names here, and in the other
patches, to just "_hash|_hashes" make sense? Perhaps the emphasis should
not be on "hash", but on "algo".

> @@ -684,8 +695,11 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
> action &= ~IMA_HASH;
> if (ima_fail_unverifiable_sigs)
> action |= IMA_FAIL_UNVERIFIABLE_SIGS;
> - }
>
> + if (allowed_hashes &&
> + entry->flags & IMA_VALIDATE_HASH)
> + *allowed_hashes = entry->allowed_hashes;
> + }
>
> if (entry->action & IMA_DO_MASK)
> actmask &= ~(entry->action | entry->action << 1);

"allowed_hashes" sounds like a set of digests. Instead of
"allowed_hashes" and "IMA_VALIDATE_HASH", should it be "allowed_algo"
and "IMA_ALLOWED_ALGO"?

thanks,

Mimi
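Review bot: the condition `+ if (allowed_hashes && entry->flags & IMA_VALIDATE_HASH)` mixes a bitwise `&` with a logical `&&` and relies on precedence; writing it as `(entry->flags & IMA_VALIDATE_HASH)` would make the intent explicit, which is the usual kernel style for flag tests. Separately, `*allowed_hashes` is only written when a matching rule carries IMA_VALIDATE_HASH, so when no such rule matches the output keeps whatever the caller stored there; the call sites (not in this hunk) need to initialise it before calling ima_match_policy, and that expectation is worth stating in a comment above the new block.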
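The mechanism under review is a per-rule allowed-algorithm set that the policy walk copies out to the caller, which then checks the algorithm recorded in the security.ima xattr against it. The following is an added, stand-alone C model of that flow written for this discussion; it is not the kernel's code. The algorithm identifiers (`model_algo`), the rule flag `RULE_HAS_ALGO_SET` (playing the role the patch gives IMA_VALIDATE_HASH), the xattr layout (one algorithm byte followed by digest bytes) and the convention that an all-zero mask means "no restriction configured" are all assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed algorithm identifiers for this model (not the kernel's enum). */
enum model_algo { ALGO_MD5 = 0, ALGO_SHA1 = 1, ALGO_SHA256 = 2, ALGO_SHA512 = 3, ALGO_MAX = 4 };
#define ALGO_BIT(a) (1u << (a))

/* Rule flag meaning "this rule carries an allowed-algorithm set".
 * It mirrors the role of IMA_VALIDATE_HASH in the patch; name is assumed. */
#define RULE_HAS_ALGO_SET 0x1u

struct rule {
    unsigned int flags;
    uint32_t allowed_algos; /* bitmask over enum model_algo */
};

/* Walk the (assumed already matching) rules. As in the hunk, *allowed is
 * only written when a rule carries the flag, so the caller must initialise
 * it; the last flagged rule wins in this model. */
static void match_policy(const struct rule *rules, size_t n, uint32_t *allowed)
{
    for (size_t i = 0; i < n; i++) {
        if (allowed && (rules[i].flags & RULE_HAS_ALGO_SET))
            *allowed = rules[i].allowed_algos;
    }
}

/* Is this algorithm permitted by the mask the policy walk produced? */
static bool algo_allowed(uint32_t allowed, unsigned int algo)
{
    if (algo >= ALGO_MAX)
        return false;           /* unknown identifier: never accept */
    if (allowed == 0)
        return true;            /* model convention: no restriction configured */
    return (allowed & ALGO_BIT(algo)) != 0;
}

/* Appraise a security.ima value in the constructed layout:
 * byte 0 = algorithm id, remaining bytes = digest. */
static bool appraise_xattr(const uint8_t *xattr, size_t len, uint32_t allowed)
{
    if (len < 2)
        return false;           /* too short to carry an algorithm and a digest */
    return algo_allowed(allowed, xattr[0]);
}

/* End-to-end scenario: optionally install a rule restricting appraisal to
 * SHA-256/SHA-512, then appraise an xattr that names xattr_algo. */
static bool scenario(bool restrict_rule, unsigned int xattr_algo)
{
    struct rule rules[2] = {
        { 0, 0 },                                   /* rule without an algo set */
        { restrict_rule ? RULE_HAS_ALGO_SET : 0,
          ALGO_BIT(ALGO_SHA256) | ALGO_BIT(ALGO_SHA512) },
    };
    uint32_t allowed = 0;                           /* caller initialises */
    uint8_t xattr[33];                              /* constructed xattr value */

    memset(xattr, 0, sizeof xattr);
    xattr[0] = (uint8_t)xattr_algo;

    match_policy(rules, 2, &allowed);
    return appraise_xattr(xattr, sizeof xattr, allowed);
}

int main(void)
{
    printf("restricted, sha1 xattr:   %s\n", scenario(true, ALGO_SHA1) ? "accept" : "reject");
    printf("restricted, sha256 xattr: %s\n", scenario(true, ALGO_SHA256) ? "accept" : "reject");
    printf("unrestricted, sha1 xattr: %s\n", scenario(false, ALGO_SHA1) ? "accept" : "reject");
    return 0;
}
```

The point the model makes explicit is the one the hunk depends on: the output mask is untouched by rules that lack the flag, so its initial value decides what happens when no restricting rule matches, and an unknown algorithm identifier is rejected regardless of the mask.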