Re: [PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig

From: Mimi Zohar
Date: Sat Oct 19 2019 - 20:59:28 EST


On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:

> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 29ebe9afdac4..4c97afcc0f3c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -25,6 +25,7 @@ Description:
> lsm: [[subj_user=] [subj_role=] [subj_type=]
> [obj_user=] [obj_role=] [obj_type=]]
> option: [[appraise_type=]] [template=] [permit_directio]
> + [appraise_flag=[check_blacklist]]

Like the other options, only "[[appraise_flag=]]" should be defined
here. The values should be defined in the "option:" section.

> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> [FIRMWARE_CHECK]
>

> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
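Review bot: The added `[appraise_flag=[check_blacklist]]` line documents a value without saying what it does; beyond listing only `[appraise_flag=]` on the option line and the value in the "option:" section, add a sentence stating that `check_blacklist` makes appraisal fail (and records a measurement) when the file's hash is on the blacklist, and that it applies to files carrying an appended module-style signature, as the patch subject says, so readers know which rules the flag is meaningful for.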
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 136ae4e0ee92..7a002b08dde8 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c

> @@ -303,6 +304,36 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
> return rc;
> }
>
> +/*
> + * ima_blacklist_measurement - Checks whether the binary is blacklisted. If

Please update the function name to reflect the actual function name.

> + * yes, then adds the hash of the blacklisted binary to the measurement list.

Refer to Documentation/process/coding-style.rst section "8)
Commenting" on how to format function comments. Don't start a
sentence with "If yes,".

> + *
> + * Returns -EPERM if the hash is blacklisted.
> + */
> +int ima_check_blacklist(struct integrity_iint_cache *iint,
> + const struct modsig *modsig, int pcr)
> +{
> + enum hash_algo hash_algo;
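Review bot: The kernel-doc header names `ima_blacklist_measurement` while the function is `ima_check_blacklist`, and it carries no `@iint:`, `@modsig:` or `@pcr:` parameter lines; it also documents only the -EPERM case, so state what the function returns when the hash is not blacklisted, since callers will compare against that value. As the function is non-static, its prototype in the IMA header should be part of this same patch.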

> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 5380aca2b351..bfaae7a8443a 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c

> @@ -1172,6 +1173,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> else
> result = -EINVAL;
> break;
> + case Opt_appraise_flag:
> + ima_log_string(ab, "appraise_flag", args[0].from);
> + if (strstr(args[0].from, "blacklist"))
> + entry->flags |= IMA_CHECK_BLACKLIST;
> + break;

When adding a new policy rule option, ima_policy_show() needs to be
updated as well.

Mimi

> case Opt_permit_directio:
> entry->flags |= IMA_PERMIT_DIRECTIO;
> break;
>
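Review bot: In the `Opt_appraise_flag` case, `strstr(args[0].from, "blacklist")` matches any value that merely contains that substring and silently accepts everything else, whereas the neighbouring cases set `result = -EINVAL` on unknown input; compare the value exactly against the documented token (`if (strcmp(args[0].from, "check_blacklist") == 0) entry->flags |= IMA_CHECK_BLACKLIST; else result = -EINVAL;`), and since the check is only meaningful together with a modsig appraisal rule, consider rejecting rules that set the flag without one. `ima_policy_show()` also needs a matching line so the flag is visible when the active policy is read back.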