SETXATTR_CHECK poliy rules assume that any algorithm listed in the
'appraise_algos' flag must be accepted when performing setxattr()
on the security.ima xattr.
However nothing checks that they are available in the current kernel.
A userland application could hash a file with a digest that the kernel
wouldn't be able to verify. However, if SETXATTR_CHECK is not in use,
the kernel already forbids that xattr write.
Verify that algorithms listed in appraise_algos are available to the
current kernel and reject the policy update otherwise. This will fix
the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
behaviors.
That filtering is only performed in ima_parse_appraise_algos() when
updating policies so that we do not have to pay the price of allocating
a hash object every time validate_hash_algo() is called in
ima_inode_setxattr().
Signed-off-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx>
---
security/integrity/ima/ima_policy.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 9eaa509f487a..87b9b71cb820 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1258,6 +1258,12 @@ static unsigned int ima_parse_appraise_algos(char *arg)
return 0;
}
+ if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) {
+ pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
+ token);
+ return 0;
+ }
+
/* Add the hash algorithm to the 'allowed' bitfield */
res |= (1U << idx);
}
--
2.31.1
