On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:

> diff --git a/Documentation/ABI/testing/ima_policy 
> b/Documentation/ABI/testing/ima_policy
> index 29ebe9afdac4..4c97afcc0f3c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -25,6 +25,7 @@ Description:
>                       lsm:    [[subj_user=] [subj_role=] [subj_type=]
>                                [obj_user=] [obj_role=] [obj_type=]]
>                       option: [[appraise_type=]] [template=] [permit_directio]
> +                             [appraise_flag=[check_blacklist]]

Like the other options, only "[[appraise_flag=]]" should be defined
here.  The values should be defined in the "option:" section.

>               base:   func:= 
> [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
>                               [FIRMWARE_CHECK]
> 

>                               [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
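Review bot: the new `[appraise_flag=[check_blacklist]]` entry documents the syntax only; nothing in this hunk says what `check_blacklist` does (per the function comment in the ima_appraise.c hunk, the blacklisted hash is added to the measurement list and the appraisal returns -EPERM), so a short description of the flag's effect should accompany the new value.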
> diff --git a/security/integrity/ima/ima_appraise.c 
> b/security/integrity/ima/ima_appraise.c
> index 136ae4e0ee92..7a002b08dde8 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c

> @@ -303,6 +304,36 @@ static int modsig_verify(enum ima_hooks func, const 
> struct modsig *modsig,
>       return rc;
>  }
>  
> +/*
> + * ima_blacklist_measurement - Checks whether the binary is blacklisted. If

Please update the function name to reflect the actual function name.

> + * yes, then adds the hash of the blacklisted binary to the measurement list.

Refer to Documentation/process/coding-style.rst section "8)
Commenting" on how to format function comments.  Don't start a
sentence with "If yes,".

> + *
> + * Returns -EPERM if the hash is blacklisted.
> + */
> +int ima_check_blacklist(struct integrity_iint_cache *iint,
> +                     const struct modsig *modsig, int pcr)
> +{
> +     enum hash_algo hash_algo;
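Review bot: the kernel-doc block above `ima_check_blacklist()` describes none of its three parameters (`@iint:`, `@modsig:`, `@pcr:`) and documents only the -EPERM case, so the return value for a hash that is not blacklisted is unspecified; add the parameter lines and a `Return:` section that covers both outcomes.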

> diff --git a/security/integrity/ima/ima_policy.c 
> b/security/integrity/ima/ima_policy.c
> index 5380aca2b351..bfaae7a8443a 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c

> @@ -1172,6 +1173,11 @@ static int ima_parse_rule(char *rule, struct 
> ima_rule_entry *entry)
>                       else
>                               result = -EINVAL;
>                       break;
> +             case Opt_appraise_flag:
> +                     ima_log_string(ab, "appraise_flag", args[0].from);
> +                     if (strstr(args[0].from, "blacklist"))
> +                             entry->flags |= IMA_CHECK_BLACKLIST;
> +                     break;

When adding a new policy rule option, ima_policy_show() needs to be
updated as well.

Mimi

>               case Opt_permit_directio:
>                       entry->flags |= IMA_PERMIT_DIRECTIO;
>                       break;
> 
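Review bot: `strstr(args[0].from, "blacklist")` in the new `Opt_appraise_flag` case matches any value that merely contains that substring, and an unrecognised value is silently accepted rather than rejected, unlike the preceding case which sets `result = -EINVAL` in its `else` branch. Since the documentation hunk names the value `check_blacklist`, compare it exactly and reject anything else:
`if (strcmp(args[0].from, "check_blacklist") == 0)`
`        entry->flags |= IMA_CHECK_BLACKLIST;`
`else result = -EINVAL;`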
