On Mon, 2021-08-16 at 08:11 +0000, THOBY Simon wrote:
> SETXATTR_CHECK policy rules assume that any algorithm listed in the
> 'appraise_algos' flag must be accepted when performing setxattr()
> on the security.ima xattr.
> However nothing checks that they are available in the current kernel.
> A userland application could hash a file with a digest that the kernel
> wouldn't be able to verify. However, if SETXATTR_CHECK is not in use,
> the kernel already forbids that xattr write.

I assume the above couple of sentences are a continuation of the previous
paragraph and concatenated them.  If it really is meant to be a separate
paragraph a blank line needs to separate them.

>
> Verify that algorithms listed in appraise_algos are available to the
> current kernel and reject the policy update otherwise. This will fix
> the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
> behaviors.
>
> That filtering is only performed in ima_parse_appraise_algos() when
> updating policies so that we do not have to pay the price of allocating
> a hash object every time validate_hash_algo() is called in
> ima_inode_setxattr().
>
> Signed-off-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx>

Thanks, Simon.

Before pushing out the entire patch set, including this one, to the
next-integrity-testing branch, I reverted the tag re-ordering, fixed the
line length of the sample appraise rule, and added the commit number (for
stable) in the patch description.  Please verify.

While testing, I noticed similar support is needed for appended
signatures.  For example, "scripts/sign-file" can be used to sign kernel
modules or the kernel image.  Sample kexec rules:

measure func=KEXEC_KERNEL_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_algos=sha256

thanks,

Mimi
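The behaviour the quoted commit message describes, as an added userland model in Python. This is illustration written for this page, not kernel code and not part of the thread: it assumes the kernel's comma-separated `appraise_algos` syntax, uses a constructed set of "available" algorithms in place of the kernel's own probe for a compiled-in hash, and models the two setxattr() paths (an allow-list built from SETXATTR_CHECK rules, or the "any algorithm the kernel can compute" fallback when no such rule is loaded). The point it makes is the one in the patch: validating the list once at policy-load time keeps the later, per-setxattr() check cheap and guarantees every accepted digest is one the kernel can actually verify.

```python
"""Model of IMA's appraise_algos validation (added example, not kernel code)."""

# Constructed stand-in for the hash algorithms this kernel has compiled in.
# The real kernel finds this out by trying to allocate a hash object.
KERNEL_HASH_ALGOS = frozenset({"sha1", "sha256", "sha512"})

# IMA policy actions (the first token of every rule).
IMA_ACTIONS = frozenset(
    {"measure", "dont_measure", "appraise", "dont_appraise", "audit", "hash", "dont_hash"}
)


class PolicyError(ValueError):
    """Raised when a policy update must be rejected as a whole."""


def parse_ima_rule(rule: str, available=KERNEL_HASH_ALGOS) -> dict:
    """Parse one rule such as
    'appraise func=SETXATTR_CHECK appraise_algos=sha256,sha512'.

    appraise_algos becomes a frozenset of algorithm names.  If any listed
    algorithm is not available, the rule (and so the policy update) is
    rejected here, at load time, rather than being discovered on setxattr().
    """
    tokens = rule.split()
    if not tokens or tokens[0] not in IMA_ACTIONS:
        raise PolicyError(f"unknown action in rule: {rule!r}")
    parsed = {"action": tokens[0]}
    for tok in tokens[1:]:
        if "=" not in tok:
            raise PolicyError(f"malformed token {tok!r} in rule: {rule!r}")
        key, value = tok.split("=", 1)
        if key == "appraise_algos":
            # Comma-separated list, as in the kernel's policy syntax.
            algos = frozenset(a for a in value.split(",") if a)
            if not algos:
                raise PolicyError("appraise_algos given without any algorithm")
            missing = sorted(algos - available)
            if missing:
                raise PolicyError(
                    f"appraise_algos lists algorithm(s) unavailable in this kernel: {missing}"
                )
            parsed[key] = algos
        else:
            parsed[key] = value
    return parsed


def load_policy(lines, available=KERNEL_HASH_ALGOS) -> list:
    """Parse a whole policy; one bad rule fails the entire update."""
    return [
        parse_ima_rule(line, available)
        for line in lines
        if line.strip() and not line.lstrip().startswith("#")
    ]


def setxattr_allowed_algos(rules) -> frozenset:
    """Union of appraise_algos over all SETXATTR_CHECK rules.

    Empty means SETXATTR_CHECK is not in use.  Because load_policy() already
    filtered the lists, every name here is one the kernel can compute.
    """
    allowed = set()
    for rule in rules:
        if rule.get("func") == "SETXATTR_CHECK" and "appraise_algos" in rule:
            allowed |= rule["appraise_algos"]
    return frozenset(allowed)


def setxattr_ima_allowed(algo: str, rules, available=KERNEL_HASH_ALGOS) -> bool:
    """Model of the per-setxattr() decision for a security.ima digest.

    With SETXATTR_CHECK in use, only listed algorithms pass (no hash object
    is allocated here; the allow-list was validated once at load time).
    Without it, the pre-existing rule applies: the kernel accepts any
    algorithm it can compute and forbids the write otherwise.
    """
    allowed = setxattr_allowed_algos(rules)
    if allowed:
        return algo in allowed
    return algo in available


if __name__ == "__main__":
    # Constructed sample policy, in the style of the rules quoted in the thread.
    rules = load_policy([
        "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
        "appraise func=SETXATTR_CHECK appraise_algos=sha256,sha512",
    ])
    for algo in ("sha256", "sha1", "sm3"):
        print(f"setxattr security.ima with {algo}: {setxattr_ima_allowed(algo, rules)}")
    try:
        load_policy(["appraise func=SETXATTR_CHECK appraise_algos=sha256,sm3"])
    except PolicyError as err:
        print(f"policy update rejected: {err}")
```

Run stand-alone, the script shows sha256 accepted, sha1 refused because SETXATTR_CHECK is in use and does not list it, and the second policy rejected outright because sm3 is not in the constructed kernel set; drop the SETXATTR_CHECK rule and sha1 is accepted again while sm3 is still refused, which is the consistency the patch restores between the two paths.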