Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is... | linux-security-module

[PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 01/12] ima: Have the LSM free its audit rule · Tyler Hicks <hidden> · 2020-07-09
Re: [PATCH v3 01/12] ima: Have the LSM free its audit rule · Nayna <hidden> · 2020-07-17
Re: [PATCH v3 01/12] ima: Have the LSM free its audit rule · Tyler Hicks <hidden> · 2020-07-17
Re: [PATCH v3 01/12] ima: Have the LSM free its audit rule · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-19
[PATCH v3 02/12] ima: Free the entire rule when deleting a list of rules · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 03/12] ima: Free the entire rule if it fails to parse · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 04/12] ima: Fail rule parsing when buffer hook functions have an invalid action · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 06/12] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond · Tyler Hicks <hidden> · 2020-07-09
Re: [PATCH v3 06/12] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond · Nayna <hidden> · 2020-07-17
Re: [PATCH v3 06/12] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond · Tyler Hicks <hidden> · 2020-07-17
Re: [PATCH v3 06/12] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond · Tyler Hicks <hidden> · 2020-07-17
[PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable · Tyler Hicks <hidden> · 2020-07-09
Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-16
Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable · Tyler Hicks <hidden> · 2020-07-16
[PATCH v3 10/12] ima: Move comprehensive rule validation checks out of the token parser · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 09/12] ima: Use correct type for the args_p member of ima_rule_entry.lsm elements · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 11/12] ima: Use the common function to detect LSM conditionals in a rule · Tyler Hicks <hidden> · 2020-07-09
[PATCH v3 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements · Tyler Hicks <hidden> · 2020-07-09
Re: [PATCH v3 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements · Konsta Karsisto <hidden> · 2020-07-17
Re: [PATCH v3 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements · Tyler Hicks <hidden> · 2020-07-17
[PATCH v3 05/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond · Tyler Hicks <hidden> · 2020-07-09
Re: [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-17
Re: [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support · Tyler Hicks <hidden> · 2020-07-17
Re: [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-20

Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable

From: Tyler Hicks <hidden>
Date: 2020-07-16 18:21:05
Also in: linux-integrity, lkml

On 2020-07-16 14:14:50, Mimi Zohar wrote:

On Thu, 2020-07-09 at 01:19 -0500, Tyler Hicks wrote:

quoted

The "appraise_flag" option is only appropriate for appraise actions
and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
only appropriate when "appraise_type=imasig|modsig" is also present.
Make this clear at policy load so that IMA policy authors don't assume
that other uses of "appraise_flag=blacklist" are supported.

The code looks correct, but this patch description could be written at
a higher level.  Perhaps it just needs to be prefixed with something
like this:

Verifying that a file hash is not blacklisted is currently only
supported for files with appended signatures (modsig).  In the future,
this might change.  For now, ...

That makes sense. I'm not up to speed on the intent behind the blacklist
feature or where it may go in the future so I didn't think to add
anything along those lines.

If you are happy with the rest of the series, please feel free to append
this to the commit message. Otherwise, I can add it if I need to submit
a new revision of the series.

Tyler

Mimi

quoted

Fixes: 273df864cf74 ("ima: Check against blacklisted hashes for files with modsig")
Signed-off-by: Tyler Hicks <redacted>
Cc: Nayna Jain <nayna@linux.ibm.com>

quoted

---

* v3
  - New patch

 security/integrity/ima/ima_policy.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 81da02071d41..9842e2e0bc6d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c

@@ -1035,6 +1035,11 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		return false;
 	}
 
+	/* Ensure that combinations of flags are compatible with each other */
+	if (entry->flags & IMA_CHECK_BLACKLIST &&
+	    !(entry->flags & IMA_MODSIG_ALLOWED))
+		return false;
+
 	return true;
 }

@@ -1371,8 +1376,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 				result = -EINVAL;
 			break;
 		case Opt_appraise_flag:
+			if (entry->action != APPRAISE) {
+				result = -EINVAL;
+				break;
+			}
+
 			ima_log_string(ab, "appraise_flag", args[0].from);
-			if (strstr(args[0].from, "blacklist"))
+			if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
+			    strstr(args[0].from, "blacklist"))
 				entry->flags |= IMA_CHECK_BLACKLIST;
 			break;
 		case Opt_permit_directio:

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help