Received: by 10.213.65.68 with SMTP id h4csp148330imn; Thu, 15 Mar 2018 12:19:48 -0700 (PDT) X-Google-Smtp-Source: AG47ELveSzKfWo/BcGC1uG4JFFHXuUvXUVQCnFSwwxc+vTrW0q8YGdAbMWqeqQLQhNgAWzn4pS3u X-Received: by 2002:a17:902:a2:: with SMTP id a31-v6mr9266379pla.204.1521141588195; Thu, 15 Mar 2018 12:19:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521141588; cv=none; d=google.com; s=arc-20160816; b=OzzOcOYAGiE3d72KGxjJHkbHc2tT29n/QzxEudN0a+77ebKEiKRyrQcoBViVHFpq2B 6UD5dviNp8GihhrlkVPJsYzfJbK0DL8IlHs3vujlIPFsWgFCu9TOKAil09Q00/eVzeBR yzKJONEGZQDnSCweqtFo2neEO6MCCy42kzZdwbsq7CsVXmmXZY3RLO/oyrWaSidthpGo ciAgOom2QbUHwq80RJ94quX6R+SZ2CHe98myEGw0hjNGagtNu9fMVZfD4JROiEbJO1+1 YBGx56uEjyX0TH/nZG6s/MA6sxFxVQ4YXCTeWBH7RkBOM62PsZ7FshasE8I/TVIj2Kuo fCQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject :arc-authentication-results; bh=qjy82VY4I2gvAnetS+MPNs8NlCS0EmP1RyfR/ENS2hw=; b=GCLunohOKi3CBXK5l6WIKo3r93PUH3oCmS5YHOX4Zcg18BeDBh9EGkPKVFjr927/rF m4wtH9sOdPr3NifmoSNvl/3wdIarpeF/ssK8x2OSoKm4l0YsUQpI0lWsBu1ipjpoKK36 OS4NnjqbT+n/H1dPATJdYHlO0DeZUEJsRH0Ouy5U1MYpZ0x7noXmvZ6sTTghjIj+9XY2 sBUHjlNrQbRhEVCupRECF4uRLV5LojVNpGsq57RI4iH9lcm9ADahdq0bFq2SRjlWT0/M WvD3WOsud/hVrqDA9DHhAv/2IbWTI3yKjqssgHrvlzzCFVnwnjS/sny//di4ZZjyK6i/ pbJw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x75si1577857pfa.74.2018.03.15.12.19.33; Thu, 15 Mar 2018 12:19:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752815AbeCOTSr (ORCPT + 99 others); Thu, 15 Mar 2018 15:18:47 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:53556 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752337AbeCOTSo (ORCPT ); Thu, 15 Mar 2018 15:18:44 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2FJIMOt038930 for ; Thu, 15 Mar 2018 15:18:43 -0400 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0a-001b2d01.pphosted.com with ESMTP id 2gqv6f7wgr-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Thu, 15 Mar 2018 15:18:43 -0400 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 15 Mar 2018 19:18:40 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 15 Mar 2018 19:18:37 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w2FJIabU57934010; Thu, 15 Mar 2018 19:18:36 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 431F311C058; Thu, 15 Mar 2018 19:11:13 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4B9B611C04C; Thu, 15 Mar 2018 19:11:12 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.100.228]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 15 Mar 2018 19:11:12 +0000 (GMT) Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement() From: Mimi Zohar To: Thiago Jung Bauermann , "Serge E. Hallyn" Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, James Morris , Dmitry Kasatkin Date: Thu, 15 Mar 2018 15:18:34 -0400 In-Reply-To: <87efkmjjc7.fsf@morokweng.localdomain> References: <20180314202020.3794-1-bauerman@linux.vnet.ibm.com> <20180314202020.3794-4-bauerman@linux.vnet.ibm.com> <20180314214045.GC14289@mail.hallyn.com> <87efkmjjc7.fsf@morokweng.localdomain> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18031519-0020-0000-0000-00000405797A X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18031519-0021-0000-0000-00004299837D Message-Id: <1521141514.3547.637.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-03-15_10:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1803150209 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote: > Hello Serge, > > Thanks for quickly reviewing these patches! > > Serge E. Hallyn writes: > > > Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com): > >> From: Mimi Zohar > >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func, > >> } > >> > >> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); > >> - if ((status != INTEGRITY_PASS) && > >> - (status != INTEGRITY_PASS_IMMUTABLE) && > >> - (status != INTEGRITY_UNKNOWN)) { > >> - if ((status == INTEGRITY_NOLABEL) > >> - || (status == INTEGRITY_NOXATTRS)) > >> - cause = "missing-HMAC"; > >> - else if (status == INTEGRITY_FAIL) > >> - cause = "invalid-HMAC"; > >> + switch (status) { > >> + case INTEGRITY_PASS: > >> + case INTEGRITY_PASS_IMMUTABLE: > >> + case INTEGRITY_UNKNOWN: > > > > Wouldn't it be more future-proof to replace this with a 'default', or > > to at least add a "default: BUG()" to catch new status values? > > I agree. I like the "default: BUG()" option. Agreed.  I would put it at the end after INTEGRITY_FAIL. > > >> + break; > >> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ > >> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */ > >> + cause = "missing-HMAC"; > >> + goto out; > >> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ > >> + cause = "invalid-HMAC"; > >> goto out; > >> } > >> + > >> switch (xattr_value->type) { > >> case IMA_XATTR_DIGEST_NG: > >> /* first byte contains algorithm id */ > >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func, > >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, > >> op, cause, rc, 0); > >> } else if (status != INTEGRITY_PASS) { > >> + /* Fix mode, but don't replace file signatures. */ > >> if ((ima_appraise & IMA_APPRAISE_FIX) && > >> (!xattr_value || > >> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { > >> if (!ima_fix_xattr(dentry, iint)) > >> status = INTEGRITY_PASS; > >> - } else if ((inode->i_size == 0) && > >> - (iint->flags & IMA_NEW_FILE) && > >> - (xattr_value && > >> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { > >> + } > >> + > >> + /* Permit new files with file signatures, but without data. */ > >> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && > > > > This may be correct, but it's not identical to what you're replacing. > > Since in either case you're setting status to INTEGRITY_PASS the final > > result is the same, but with a few extra possible steps. Not sure > > whether that matters. > > Good point. I'll have to defer this one to Mimi though. The end result is the same, but add some needed comments. Mimi > > > > >> + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) { > >> status = INTEGRITY_PASS; > >> } > >> + > >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, > >> op, cause, rc, 0); > >> } else { > >