From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
Date: Thu, 15 Mar 2018 15:18:34 -0400 [thread overview]
Message-ID: <1521141514.3547.637.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <87efkmjjc7.fsf@morokweng.localdomain>
On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote:
> Hello Serge,
>
> Thanks for quickly reviewing these patches!
>
> Serge E. Hallyn <serge@hallyn.com> writes:
>
> > Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com):
> >> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> }
> >>
> >> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> >> - if ((status != INTEGRITY_PASS) &&
> >> - (status != INTEGRITY_PASS_IMMUTABLE) &&
> >> - (status != INTEGRITY_UNKNOWN)) {
> >> - if ((status == INTEGRITY_NOLABEL)
> >> - || (status == INTEGRITY_NOXATTRS))
> >> - cause = "missing-HMAC";
> >> - else if (status == INTEGRITY_FAIL)
> >> - cause = "invalid-HMAC";
> >> + switch (status) {
> >> + case INTEGRITY_PASS:
> >> + case INTEGRITY_PASS_IMMUTABLE:
> >> + case INTEGRITY_UNKNOWN:
> >
> > Wouldn't it be more future-proof to replace this with a 'default', or
> > to at least add a "default: BUG()" to catch new status values?
>
> I agree. I like the "default: BUG()" option.
Agreed. I would put it at the end after INTEGRITY_FAIL.
>
> >> + break;
> >> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
> >> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */
> >> + cause = "missing-HMAC";
> >> + goto out;
> >> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
> >> + cause = "invalid-HMAC";
> >> goto out;
> >> }
> >> +
> >> switch (xattr_value->type) {
> >> case IMA_XATTR_DIGEST_NG:
> >> /* first byte contains algorithm id */
> >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> op, cause, rc, 0);
> >> } else if (status != INTEGRITY_PASS) {
> >> + /* Fix mode, but don't replace file signatures. */
> >> if ((ima_appraise & IMA_APPRAISE_FIX) &&
> >> (!xattr_value ||
> >> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> >> if (!ima_fix_xattr(dentry, iint))
> >> status = INTEGRITY_PASS;
> >> - } else if ((inode->i_size == 0) &&
> >> - (iint->flags & IMA_NEW_FILE) &&
> >> - (xattr_value &&
> >> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> >> + }
> >> +
> >> + /* Permit new files with file signatures, but without data. */
> >> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
> >
> > This may be correct, but it's not identical to what you're replacing.
> > Since in either case you're setting status to INTEGRITY_PASS the final
> > result is the same, but with a few extra possible steps. Not sure
> > whether that matters.
>
> Good point. I'll have to defer this one to Mimi though.
The end result is the same, but add some needed comments.
Mimi
>
> >
> >> + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
> >> status = INTEGRITY_PASS;
> >> }
> >> +
> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> op, cause, rc, 0);
> >> } else {
>
>
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
Date: Thu, 15 Mar 2018 15:18:34 -0400 [thread overview]
Message-ID: <1521141514.3547.637.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <87efkmjjc7.fsf@morokweng.localdomain>
On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote:
> Hello Serge,
>
> Thanks for quickly reviewing these patches!
>
> Serge E. Hallyn <serge@hallyn.com> writes:
>
> > Quoting Thiago Jung Bauermann (bauerman at linux.vnet.ibm.com):
> >> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> }
> >>
> >> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> >> - if ((status != INTEGRITY_PASS) &&
> >> - (status != INTEGRITY_PASS_IMMUTABLE) &&
> >> - (status != INTEGRITY_UNKNOWN)) {
> >> - if ((status == INTEGRITY_NOLABEL)
> >> - || (status == INTEGRITY_NOXATTRS))
> >> - cause = "missing-HMAC";
> >> - else if (status == INTEGRITY_FAIL)
> >> - cause = "invalid-HMAC";
> >> + switch (status) {
> >> + case INTEGRITY_PASS:
> >> + case INTEGRITY_PASS_IMMUTABLE:
> >> + case INTEGRITY_UNKNOWN:
> >
> > Wouldn't it be more future-proof to replace this with a 'default', or
> > to at least add a "default: BUG()" to catch new status values?
>
> I agree. I like the "default: BUG()" option.
Agreed. ?I would put it at the end after INTEGRITY_FAIL.
>
> >> + break;
> >> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
> >> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */
> >> + cause = "missing-HMAC";
> >> + goto out;
> >> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
> >> + cause = "invalid-HMAC";
> >> goto out;
> >> }
> >> +
> >> switch (xattr_value->type) {
> >> case IMA_XATTR_DIGEST_NG:
> >> /* first byte contains algorithm id */
> >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> op, cause, rc, 0);
> >> } else if (status != INTEGRITY_PASS) {
> >> + /* Fix mode, but don't replace file signatures. */
> >> if ((ima_appraise & IMA_APPRAISE_FIX) &&
> >> (!xattr_value ||
> >> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> >> if (!ima_fix_xattr(dentry, iint))
> >> status = INTEGRITY_PASS;
> >> - } else if ((inode->i_size == 0) &&
> >> - (iint->flags & IMA_NEW_FILE) &&
> >> - (xattr_value &&
> >> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> >> + }
> >> +
> >> + /* Permit new files with file signatures, but without data. */
> >> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
> >
> > This may be correct, but it's not identical to what you're replacing.
> > Since in either case you're setting status to INTEGRITY_PASS the final
> > result is the same, but with a few extra possible steps. Not sure
> > whether that matters.
>
> Good point. I'll have to defer this one to Mimi though.
The end result is the same, but add some needed comments.
Mimi
>
> >
> >> + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
> >> status = INTEGRITY_PASS;
> >> }
> >> +
> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> op, cause, rc, 0);
> >> } else {
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH 3/4] ima: Improvements in ima_appraise_measurement()
Date: Thu, 15 Mar 2018 15:18:34 -0400 [thread overview]
Message-ID: <1521141514.3547.637.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <87efkmjjc7.fsf@morokweng.localdomain>
On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote:
> Hello Serge,
>
> Thanks for quickly reviewing these patches!
>
> Serge E. Hallyn <serge@hallyn.com> writes:
>
> > Quoting Thiago Jung Bauermann (bauerman@linux.vnet.ibm.com):
> >> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> @@ -241,16 +241,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> }
> >>
> >> status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> >> - if ((status != INTEGRITY_PASS) &&
> >> - (status != INTEGRITY_PASS_IMMUTABLE) &&
> >> - (status != INTEGRITY_UNKNOWN)) {
> >> - if ((status == INTEGRITY_NOLABEL)
> >> - || (status == INTEGRITY_NOXATTRS))
> >> - cause = "missing-HMAC";
> >> - else if (status == INTEGRITY_FAIL)
> >> - cause = "invalid-HMAC";
> >> + switch (status) {
> >> + case INTEGRITY_PASS:
> >> + case INTEGRITY_PASS_IMMUTABLE:
> >> + case INTEGRITY_UNKNOWN:
> >
> > Wouldn't it be more future-proof to replace this with a 'default', or
> > to at least add a "default: BUG()" to catch new status values?
>
> I agree. I like the "default: BUG()" option.
Agreed. I would put it at the end after INTEGRITY_FAIL.
>
> >> + break;
> >> + case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
> >> + case INTEGRITY_NOLABEL: /* No security.evm xattr. */
> >> + cause = "missing-HMAC";
> >> + goto out;
> >> + case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
> >> + cause = "invalid-HMAC";
> >> goto out;
> >> }
> >> +
> >> switch (xattr_value->type) {
> >> case IMA_XATTR_DIGEST_NG:
> >> /* first byte contains algorithm id */
> >> @@ -316,17 +320,20 @@ int ima_appraise_measurement(enum ima_hooks func,
> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> op, cause, rc, 0);
> >> } else if (status != INTEGRITY_PASS) {
> >> + /* Fix mode, but don't replace file signatures. */
> >> if ((ima_appraise & IMA_APPRAISE_FIX) &&
> >> (!xattr_value ||
> >> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> >> if (!ima_fix_xattr(dentry, iint))
> >> status = INTEGRITY_PASS;
> >> - } else if ((inode->i_size == 0) &&
> >> - (iint->flags & IMA_NEW_FILE) &&
> >> - (xattr_value &&
> >> - xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
> >> + }
> >> +
> >> + /* Permit new files with file signatures, but without data. */
> >> + if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
> >
> > This may be correct, but it's not identical to what you're replacing.
> > Since in either case you're setting status to INTEGRITY_PASS the final
> > result is the same, but with a few extra possible steps. Not sure
> > whether that matters.
>
> Good point. I'll have to defer this one to Mimi though.
The end result is the same, but add some needed comments.
Mimi
>
> >
> >> + xattr_value && xattr_value->type == EVM_IMA_XATTR_DIGSIG) {
> >> status = INTEGRITY_PASS;
> >> }
> >> +
> >> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> >> op, cause, rc, 0);
> >> } else {
>
>
next prev parent reply other threads:[~2018-03-15 19:18 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-14 20:20 [PATCH 0/4] Code improvements in integrity and IMA Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 20:20 ` [PATCH 1/4] integrity: Remove unused macro IMA_ACTION_RULE_FLAGS Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 21:33 ` Serge E. Hallyn
2018-03-14 21:33 ` Serge E. Hallyn
2018-03-14 20:20 ` [PATCH 2/4] ima: Simplify ima_eventsig_init() Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 21:31 ` Serge E. Hallyn
2018-03-14 21:31 ` Serge E. Hallyn
2018-03-14 20:20 ` [PATCH 3/4] ima: Improvements in ima_appraise_measurement() Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-14 21:40 ` Serge E. Hallyn
2018-03-14 21:40 ` Serge E. Hallyn
2018-03-15 0:03 ` Thiago Jung Bauermann
2018-03-15 0:03 ` Thiago Jung Bauermann
2018-03-15 19:18 ` Mimi Zohar [this message]
2018-03-15 19:18 ` Mimi Zohar
2018-03-15 19:18 ` Mimi Zohar
2018-03-15 20:33 ` Thiago Jung Bauermann
2018-03-15 20:33 ` Thiago Jung Bauermann
2018-03-15 20:33 ` Thiago Jung Bauermann
2018-03-17 15:09 ` Serge E. Hallyn
2018-03-17 15:09 ` Serge E. Hallyn
2018-03-14 20:20 ` [PATCH 4/4] integrity: Introduce struct evm_xattr Thiago Jung Bauermann
2018-03-14 20:20 ` Thiago Jung Bauermann
2018-03-15 21:01 ` [PATCH 0/4] Code improvements in integrity and IMA Mimi Zohar
2018-03-15 21:01 ` Mimi Zohar
2018-03-15 21:01 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1521141514.3547.637.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=bauerman@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.