Hi Mimi,
On 8/12/21 8:31 PM, Mimi Zohar wrote:
> Hi Simon,
>
> On Thu, 2021-08-12 at 09:16 -0400, Mimi Zohar wrote:
>> On Thu, 2021-08-12 at 08:06 +0000, THOBY Simon wrote:
>
>>> However your comment does applies to the next patch ("IMA: introduce a new policy
>>> option func=SETXATTR_CHECK"), and we probably could restrict the algorithms referenced in
>>> ima_setxattr_allowed_hash_algorithms to ones the current kernel can use.
>>> The easiest way to enforce this would probably be to check that when parsing 'appraise_algos'
>>> in ima_parse_appraise_algos(), we only add algorithms that are available, ignoring - or
>>> rejecting, according to the outcome of the discussion above - the other algorithms. That way,
>>> we do not have to pay the price of allocating a hash object every time validate_hash_algo() is
>>> called.
>>>
>>> Would it be ok if I did that?
>>
>> Without knowing and understanding all the environments in which IMA is
>> enabled (e.g. front end, back end build system), you're correct -
>> protecting the user from themselves -might not be the right answer.
>>
>> What you suggested, above, would be the correct solution. Perhaps post
>> that change as a separate patch, on top of this patch set, for
>> additional discussion.
>
> Before posting the patch, please fix your user name and email address
> in the git configuration. scripts/checkpatch.pl is complaining:
>
> ERROR: Missing Signed-off-by: line by nominal patch author 'THOBY Simon
> <Simon.THOBY@xxxxxxxxxx>'
>
> total: 1 errors, 0 warnings, 218 lines checked
I guess Microsoft Exchange strikes again :/
On my end, the patches have the correct 'From: Simon Thoby <simon.thoby@xxxxxxxxxx>'
header, but it seems Outlook likes to rewrite headers to match my Microsoft work account
information. I will update my git config, as I can't edit the name and email of the corporate
account.
Sorry about that.
>
> thanks,
>
> Mimi
>
Thanks,
Simon
