Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp2181452ybh; Fri, 17 Jul 2020 11:13:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz7tcYf/LuX3oFX1aRCHV7vxg6P0FYbsW2PHrh0e2mpZzcRf9ok9wEXwG4Ee2w4Ix57fmHR X-Received: by 2002:a17:906:f907:: with SMTP id lc7mr3906263ejb.143.1595009639628; Fri, 17 Jul 2020 11:13:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595009639; cv=none; d=google.com; s=arc-20160816; b=pAg+HnNppnXDTqn8my5sMoBss5wYd7ivGxmUr85IwIi1nOGAe3KfUExMmHUBBmZnFy D1C0BvW/W/k5yQAk2oyn+ytHkvs2gNlc3QfovnxtWmBU/qNWJWeClqlrWFRCoj2jITCs FipVZU2d1Uk9at50VbfC4K9ercd1sVMAfF87Ge9L4o1rb1SYTp0Z5C6HYT3FSrv52Kb9 UTGxD7sTCEratba7plj/T3awj3DPF8X/t+c+UoMlKJCl2qyzaH+3wy+pMjx7BUGkkWjl RZGOGtAXXx1PEKIyfd+F9TbJMH8rrX1NecHkHmHmWxHHpKWivE0fabaFz8Ei8zcTTSPc m9IA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-filter; bh=2Pzs4CmdDfnklLSKLq/qkdid1cilbcCSYYl7lLHXGe8=; b=0RdI8ZmtIysSYkQbFRC7FCp58KfpHWU8YWpcTNCEI/5EhNcddhTX+kR0TZ4sS9jGEz OX3TCVD387G2D/9xzkXW5os2WSxC8fQAE4YtMkuqVLJ8r1cNRcNZr7loIaYwmdJqNMJT d7i5xmdJH0e2Lc4iE96VJaC2kN4pKxgr+9WHDFzDdc1UGCFCmVvubLyIcgMJ8VwT7Ll1 6VX9C0s+hObAWRN+Hu6R/5m46hgKO/Vke4mEHftzrcGjBVtZRVYrmOyLDM7FhO4/0Iuv p5KLRvd029ie7poami9KWSRYQBlo99vAbkQUqycH19OVUTonlr9KFwsziKRo53+3zWl6 RhTQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=mUU+5r9v; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w24si5190548ejv.691.2020.07.17.11.13.36; Fri, 17 Jul 2020 11:13:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=mUU+5r9v; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726439AbgGQSLh (ORCPT + 99 others); Fri, 17 Jul 2020 14:11:37 -0400 Received: from linux.microsoft.com ([13.77.154.182]:60054 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726205AbgGQSLg (ORCPT ); Fri, 17 Jul 2020 14:11:36 -0400 Received: from sequoia (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id 1B3F420B4909; Fri, 17 Jul 2020 11:11:35 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 1B3F420B4909 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1595009495; bh=2Pzs4CmdDfnklLSKLq/qkdid1cilbcCSYYl7lLHXGe8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=mUU+5r9vVToweMQMPxEGv6yqTVSMaTYsYxEx7SRIAnhU+jY0WVAMStyXuuXe5TEWH gBXzbDKupNrVFU9HYirgAi2f+BA6YjG0a17Wfn2UzlHC/ZD6EBWE2FSgWUAqlEoqB/ OC5H9KsJwGW8pNp7776zHDJDSZZt4gMWkd0wAckE= Date: Fri, 17 Jul 2020 13:11:33 -0500 From: Tyler Hicks To: Nayna , Mimi Zohar Cc: Dmitry Kasatkin , James Morris , "Serge E . Hallyn" , Lakshmi Ramasubramanian , Prakhar Srivastava , linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Nayna Jain Subject: Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable Message-ID: <20200717181133.GM3673@sequoia> References: <20200709061911.954326-1-tyhicks@linux.microsoft.com> <20200709061911.954326-8-tyhicks@linux.microsoft.com> <76d2b27b-3b59-1852-046a-b1718c62b167@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <76d2b27b-3b59-1852-046a-b1718c62b167@linux.vnet.ibm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-07-17 13:40:22, Nayna wrote: > > On 7/9/20 2:19 AM, Tyler Hicks wrote: > > The "appraise_flag" option is only appropriate for appraise actions > > and its "blacklist" value is only appropriate when > > CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is > > only appropriate when "appraise_type=imasig|modsig" is also present. > > Make this clear at policy load so that IMA policy authors don't assume > > that other uses of "appraise_flag=blacklist" are supported. > > > > Fixes: 273df864cf74 ("ima: Check against blacklisted hashes for files with modsig") > > Signed-off-by: Tyler Hicks > > Cc: Nayna Jain > > --- > > > > * v3 > > - New patch > > > > security/integrity/ima/ima_policy.c | 13 ++++++++++++- > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > > index 81da02071d41..9842e2e0bc6d 100644 > > --- a/security/integrity/ima/ima_policy.c > > +++ b/security/integrity/ima/ima_policy.c > > @@ -1035,6 +1035,11 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > > return false; > > } > > + /* Ensure that combinations of flags are compatible with each other */ > > + if (entry->flags & IMA_CHECK_BLACKLIST && > > + !(entry->flags & IMA_MODSIG_ALLOWED)) > > + return false; > > + > > return true; > > } > > @@ -1371,8 +1376,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > > result = -EINVAL; > > break; > > case Opt_appraise_flag: > > + if (entry->action != APPRAISE) { > > + result = -EINVAL; > > + break; > > + } > > + > > ima_log_string(ab, "appraise_flag", args[0].from); > > - if (strstr(args[0].from, "blacklist")) > > + if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && > > + strstr(args[0].from, "blacklist")) > > entry->flags |= IMA_CHECK_BLACKLIST; > > If IMA_APPRAISE_MODSIG is disabled, it will allow the following rule to > load, which is not as expected. > > "appraise func=xxx_CHECK appraise_flag=blacklist appraise_type=imasig" > > Missing is the "else" condition to immediately reject the policy rule. Thanks for the review. You're right. This change is needed: diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 9842e2e0bc6d..cf3ddb38dfa8 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1385,6 +1385,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && strstr(args[0].from, "blacklist")) entry->flags |= IMA_CHECK_BLACKLIST; + else + result = -EINVAL; break; case Opt_permit_directio: entry->flags |= IMA_PERMIT_DIRECTIO; Making this change does not conflict with any later patches in the series. Mimi, I've rebased and force pushed to my fixup branch with this change, for your comparison: https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/log/?h=next-integrity-testing-fixup Tyler > > Thanks & Regards, > > ???? - Nayna >