Hi Mimi,

On 8/17/21 12:20 AM, Mimi Zohar wrote:
> On Mon, 2021-08-16 at 08:11 +0000, THOBY Simon wrote:
>> SETXATTR_CHECK policy rules assume that any algorithm listed in the
>> 'appraise_algos' flag must be accepted when performing setxattr()
>> on the security.ima xattr.
>> However nothing checks that they are available in the current kernel.
>> A userland application could hash a file with a digest that the kernel
>> wouldn't be able to verify. However, if SETXATTR_CHECK is not in use,
>> the kernel already forbids that xattr write.
>
> I assume the above couple of sentences are a continuation of the
> previous paragraph and concatenated them. If it really is meant to be
> a separate paragraph a blank line needs to separate them.

No, you're right, it makes more sense as a single paragraph.

>
>>
>> Verify that algorithms listed in appraise_algos are available to the
>> current kernel and reject the policy update otherwise. This will fix
>> the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
>> behaviors.
>>
>> That filtering is only performed in ima_parse_appraise_algos() when
>> updating policies so that we do not have to pay the price of allocating
>> a hash object every time validate_hash_algo() is called in
>> ima_inode_setxattr().
>>
>> Signed-off-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx>
>
> Thanks, Simon. Before pushing out the entire patch set, including this
> one, to next-integrity-testing branch, I reverted the tag re-ordering,
> fixed the line length of the sample appraise rule, and added the commit
> number (for stable) in the patch description. Please verify.

Looks great to me!

>
> While testing, I noticed similar support is needed for appended
> signatures. For example, "scripts/sign-file" can be used to sign
> kernel modules or the kernel image.
>
> Sample kexec rules:
> measure func=KEXEC_KERNEL_CHECK template=ima-modsig
> appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_algos=sha256

Oh yeah, I didn't think of that.
I'll take a look to see if it's simple to add these checks on module and kernel signatures.

>
> thanks,
>
> Mimi
>
>

Thanks again,
Simon
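As an added illustration, not code from the patch or from the kernel, here is a userland Python analogue of the check the commit message describes: every algorithm in appraise_algos is validated once when the policy rule is parsed, so the per-setxattr() check stays a cheap set lookup and no hash object is allocated there. The kernel-to-hashlib name mapping and the use of hashlib as a stand-in for the kernel crypto API are assumptions of this example.

```python
import hashlib

# Assumption: a few kernel hash names that hashlib spells differently.
# The kernel's own table is hash_algo_name[]; this mapping is only for the analogue.
_HASHLIB_NAME = {"sha3-256": "sha3_256", "sha3-384": "sha3_384", "sha3-512": "sha3_512"}


def available_algos():
    """Stand-in for the kernel crypto API: digests this host can actually compute."""
    return set(hashlib.algorithms_available)


def parse_rule(line, available=None):
    """Parse one IMA policy rule (e.g. the sample kexec rule above) into a dict.

    Mirrors the intent of ima_parse_appraise_algos(): the appraise_algos list is
    checked once at policy-load time, and an algorithm the kernel cannot compute
    rejects the whole rule instead of being accepted on every setxattr().
    """
    available = available_algos() if available is None else available
    action, *opts = line.split()
    rule = {"action": action}
    for opt in opts:
        key, _, value = opt.partition("=")
        if not key or not value:
            raise ValueError(f"malformed option {opt!r}")
        rule[key] = value
    if "appraise_algos" in rule:
        algos = rule["appraise_algos"].split("|")
        missing = [a for a in algos if _HASHLIB_NAME.get(a, a) not in available]
        if missing:
            raise ValueError(f"unsupported hash algorithm(s): {', '.join(missing)}")
        rule["appraise_algos"] = frozenset(algos)
    return rule


def policy_accepts(line, available=None):
    """True if the rule would be loaded, False if the policy update is rejected."""
    try:
        parse_rule(line, available)
    except ValueError:
        return False
    return True


def validate_hash_algo(rule, xattr_algo):
    """setxattr()-time check: a set membership test, no hash object allocated."""
    allowed = rule.get("appraise_algos")
    return allowed is None or xattr_algo in allowed
```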