Thread (9 messages), 2 authors, 2021-08-17

Re: [PATCH v8 6/6] IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms

From: THOBY Simon <hidden>
Date: 2021-08-17 06:44:20

Hi Mimi,

On 8/17/21 12:20 AM, Mimi Zohar wrote:
> On Mon, 2021-08-16 at 08:11 +0000, THOBY Simon wrote:
>> SETXATTR_CHECK policy rules assume that any algorithm listed in the
>> 'appraise_algos' flag must be accepted when performing setxattr()
>> on the security.ima xattr.
>> However nothing checks that they are available in the current kernel.
>> A userland application could hash a file with a digest that the kernel
>> wouldn't be able to verify. However, if SETXATTR_CHECK is not in use,
>> the kernel already forbids that xattr write.
>
> I assume the above couple of sentences are a continuation of the
> previous paragraph and concatenated them.  If it really is meant to be
> a separate paragraph a blank line needs to separate them.

No, you're right, it makes more sense as a single paragraph.

>> Verify that algorithms listed in appraise_algos are available to the
>> current kernel and reject the policy update otherwise. This will fix
>> the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
>> behaviors.
>>
>> That filtering is only performed in ima_parse_appraise_algos() when
>> updating policies so that we do not have to pay the price of allocating
>> a hash object every time validate_hash_algo() is called in
>> ima_inode_setxattr().
>>
>> Signed-off-by: THOBY Simon <redacted>
>
> Thanks, Simon.  Before pushing out the entire patch set, including this
> one, to next-integrity-testing branch, I reverted the tag re-ordering,
> fixed the line length of the sample appraise rule, and added the commit
> number (for stable) in the patch description.  Please verify.

Looks great to me!

> While testing, I noticed similar support is needed for appended
> signatures.  For example, "scripts/sign-file" can be used to sign
> kernel modules or the kernel image.
>
> Sample kexec rules:
> measure func=KEXEC_KERNEL_CHECK template=ima-modsig
> appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_algos=sha256

Oh yeah, I didn't think of that. I'll take a look to see if it's
simple to add these checks on module and kernel signatures.

> thanks,
>
> Mimi

Thanks again,
Simon
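The policy-load check the patch describes, as an added userspace illustration that is not the kernel's code: it walks the `appraise_algos=` value of a rule (names separated by `|`) and rejects the rule as soon as one algorithm is not available, mirroring why the filtering belongs in ima_parse_appraise_algos() rather than on every setxattr(). The `available_algos` table is a constructed stand-in for the kernel's real availability check; `check_appraise_algos` is a hypothetical name.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for "which hash algorithms can this kernel
 * actually compute"; the real kernel asks the crypto layer instead. */
static const char *const available_algos[] = { "sha1", "sha256", "sha512" };

static bool algo_available(const char *name, size_t len)
{
    size_t n = sizeof(available_algos) / sizeof(available_algos[0]);

    for (size_t i = 0; i < n; i++)
        if (strlen(available_algos[i]) == len &&
            strncmp(available_algos[i], name, len) == 0)
            return true;
    return false;
}

/* Validate the value of an appraise_algos= option, e.g. "sha256|sha512".
 * Returns the number of listed algorithms when all of them are available.
 * Returns -1 (copying the offending name into `bad`) on the first name
 * that is unavailable or empty: the whole policy rule is then rejected,
 * so a later setxattr() can never be allowed to store a digest the
 * kernel could not verify. */
int check_appraise_algos(const char *list, char *bad, size_t badlen)
{
    const char *p = list;
    int count = 0;

    while (*p) {
        const char *sep = strchr(p, '|');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len == 0 || !algo_available(p, len)) {
            snprintf(bad, badlen, "%.*s", (int)len, p);
            return -1;
        }
        count++;
        if (!sep)
            break;
        p = sep + 1;
    }
    return count;
}
```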