Re: [PATCH 2/6] ima: Return INTEGRITY_FAIL if digital signature can't be verified

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, dmitry.kasatkin@intel.com
Subject: Re: [PATCH 2/6] ima: Return INTEGRITY_FAIL if digital signature can't be verified
Date: Mon, 04 Mar 2013 08:48:36 -0500	[thread overview]
Message-ID: <1362404916.4392.25.camel@falcor1> (raw)
In-Reply-To: <1360871745-20616-3-git-send-email-vgoyal@redhat.com>

On Thu, 2013-02-14 at 14:55 -0500, Vivek Goyal wrote:
> Digital signature verification happens using integrity_digsig_verify().
> Curently we set integrity to FAIL for all error codes except -EOPNOTSUPP.
> This sounds out of line.
> 
> - If appropriate kernel code is not compiled in to verify signature of
>   a file, then prractically it is a failed signature.
> 
> - For so many other possible errors we are setting the status to fail.
>   For example, -EINVAL, -ENOKEY, -ENOMEM, -EINVAL, -ENOTSUPP etc, it
>   beats me that why -EOPNOTSUPP is special.
> 
> This patch should make the semantics more consistent. That is, if digital
> signature is present in security.ima, then any error happened during
> signature processing leads to status INTEGRITY_FAIL.
> 
> AFAICS, it should not have any user visible effect on existing
> application. In some cases we will start returning INTEGRITY_FAIL
> instead of INTEGRITY_UNKNOWN. And process_measurement() will deny access
> to file both in case of INTEGRITY_UNKNOWN and INTEGRITY_FAIL.
> 
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

A number of patches in this patchset more finely differentiate return
codes, which is good.  I agree with you totally that there is no good
reason for -EOPNOTSUPP to be handled differently.  Unfortunately, the
initramfs is CPIO, which doesn't support xattrs.  With the proposed
change and 'ima_appraise_tcb' flag enabled, we wouldn't be able to boot.
I really dislike hard coding policy in the kernel.

thanks,

Mimi

> ---
>  security/integrity/ima/ima_appraise.c |    4 +---
>  1 files changed, 1 insertions(+), 3 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 3710f44..6f1eeb8 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -178,9 +178,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
>  					     xattr_value->digest, rc - 1,
>  					     iint->ima_xattr.digest,
>  					     IMA_DIGEST_SIZE);
> -		if (rc == -EOPNOTSUPP) {
> -			status = INTEGRITY_UNKNOWN;
> -		} else if (rc) {
> +		if (rc) {
>  			cause = "invalid-signature";
>  			status = INTEGRITY_FAIL;
>  		} else {

next prev parent reply	other threads:[~2013-03-04 13:49 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-14 19:55 [RFC PATCH 0/6][v3] ima: Support a mode to appraise signed files only Vivek Goyal
2013-02-14 19:55 ` [PATCH 1/6] ima: detect security xattrs not enabled Vivek Goyal
2013-02-14 19:55 ` [PATCH 2/6] ima: Return INTEGRITY_FAIL if digital signature can't be verified Vivek Goyal
2013-03-04 13:48   ` Mimi Zohar [this message]
2013-03-04 16:20     ` Vivek Goyal
2013-03-05 13:30       ` Mimi Zohar
2013-03-05 13:54         ` Mimi Zohar
2013-03-05 15:35         ` Vivek Goyal
2013-02-14 19:55 ` [PATCH 3/6] ima/evm: Differentiate between ima/evm nolabel return code Vivek Goyal
2013-02-14 19:55 ` [PATCH 4/6] ima: Introduce new integrity error code INTEGRITY_XATTR_NOTSUPP Vivek Goyal
2013-02-14 19:55 ` [PATCH 5/6] ima: Allow appraisal of digitally signed files only Vivek Goyal
2013-03-05 19:13   ` Vivek Goyal
2013-03-07  7:44     ` Kasatkin, Dmitry
2013-02-14 19:55 ` [PATCH 6/6] ima: With appraise_type=optional, audit log some messages as info Vivek Goyal
2013-02-14 20:51 ` [RFC PATCH 0/6][v3] ima: Support a mode to appraise signed files only Mimi Zohar
2013-02-14 21:44   ` Vivek Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1362404916.4392.25.camel@falcor1 \
    --to=zohar@linux.vnet.ibm.com \
    --cc=dmitry.kasatkin@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=vgoyal@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.