From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
Matthew Garret <matthew.garret@nebula.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
Elaine Palmer <erpalmer@us.ibm.com>,
Eric Ricther <erichte@linux.ibm.com>,
"Oliver O'Halloran" <oohall@gmail.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Subject: Re: [PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig
Date: Sat, 19 Oct 2019 20:58:41 -0400 [thread overview]
Message-ID: <1571533121.5250.329.camel@linux.ibm.com> (raw)
In-Reply-To: <1571508377-23603-8-git-send-email-nayna@linux.ibm.com>
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 29ebe9afdac4..4c97afcc0f3c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -25,6 +25,7 @@ Description:
> lsm: [[subj_user=] [subj_role=] [subj_type=]
> [obj_user=] [obj_role=] [obj_type=]]
> option: [[appraise_type=]] [template=] [permit_directio]
> + [appraise_flag=[check_blacklist]]
Like the other options, only "[[appraise_flag=]]" should be defined
here. The values should be defined in the "option:" section.
> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> [FIRMWARE_CHECK]
>
> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 136ae4e0ee92..7a002b08dde8 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -303,6 +304,36 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
> return rc;
> }
>
> +/*
> + * ima_blacklist_measurement - Checks whether the binary is blacklisted. If
Please update the function name to reflect the actual function name.
> + * yes, then adds the hash of the blacklisted binary to the measurement list.
Refer to Documentation/process/coding-style.rst section "8)
Commenting" on how to format function comments. Don't start a
sentence with "If yes,".
> + *
> + * Returns -EPERM if the hash is blacklisted.
> + */
> +int ima_check_blacklist(struct integrity_iint_cache *iint,
> + const struct modsig *modsig, int pcr)
> +{
> + enum hash_algo hash_algo;
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 5380aca2b351..bfaae7a8443a 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1172,6 +1173,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> else
> result = -EINVAL;
> break;
> + case Opt_appraise_flag:
> + ima_log_string(ab, "appraise_flag", args[0].from);
> + if (strstr(args[0].from, "blacklist"))
> + entry->flags |= IMA_CHECK_BLACKLIST;
> + break;
When adding a new policy rule option, ima_policy_show() needs to be
updated as well.
Mimi
> case Opt_permit_directio:
> entry->flags |= IMA_PERMIT_DIRECTIO;
> break;
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Ricther <erichte@linux.ibm.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
linux-kernel@vger.kernel.org,
Claudio Carvalho <cclaudio@linux.ibm.com>,
Matthew Garret <matthew.garret@nebula.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>,
Elaine Palmer <erpalmer@us.ibm.com>,
Oliver O'Halloran <oohall@gmail.com>,
George Wilson <gcwilson@linux.ibm.com>
Subject: Re: [PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig
Date: Sat, 19 Oct 2019 20:58:41 -0400 [thread overview]
Message-ID: <1571533121.5250.329.camel@linux.ibm.com> (raw)
In-Reply-To: <1571508377-23603-8-git-send-email-nayna@linux.ibm.com>
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 29ebe9afdac4..4c97afcc0f3c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -25,6 +25,7 @@ Description:
> lsm: [[subj_user=] [subj_role=] [subj_type=]
> [obj_user=] [obj_role=] [obj_type=]]
> option: [[appraise_type=]] [template=] [permit_directio]
> + [appraise_flag=[check_blacklist]]
Like the other options, only "[[appraise_flag=]]" should be defined
here. The values should be defined in the "option:" section.
> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> [FIRMWARE_CHECK]
>
> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 136ae4e0ee92..7a002b08dde8 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -303,6 +304,36 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
> return rc;
> }
>
> +/*
> + * ima_blacklist_measurement - Checks whether the binary is blacklisted. If
Please update the function name to reflect the actual function name.
> + * yes, then adds the hash of the blacklisted binary to the measurement list.
Refer to Documentation/process/coding-style.rst section "8)
Commenting" on how to format function comments. Don't start a
sentence with "If yes,".
> + *
> + * Returns -EPERM if the hash is blacklisted.
> + */
> +int ima_check_blacklist(struct integrity_iint_cache *iint,
> + const struct modsig *modsig, int pcr)
> +{
> + enum hash_algo hash_algo;
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 5380aca2b351..bfaae7a8443a 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1172,6 +1173,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> else
> result = -EINVAL;
> break;
> + case Opt_appraise_flag:
> + ima_log_string(ab, "appraise_flag", args[0].from);
> + if (strstr(args[0].from, "blacklist"))
> + entry->flags |= IMA_CHECK_BLACKLIST;
> + break;
When adding a new policy rule option, ima_policy_show() needs to be
updated as well.
Mimi
> case Opt_permit_directio:
> entry->flags |= IMA_PERMIT_DIRECTIO;
> break;
>
next prev parent reply other threads:[~2019-10-20 0:58 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-19 18:06 [PATCH v8 0/8] powerpc: Enabling IMA arch specific secure boot policies Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-19 18:06 ` [PATCH v8 1/8] powerpc: detect the secure boot mode of the system Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-22 23:37 ` Michael Ellerman
2019-10-22 23:37 ` Michael Ellerman
2019-10-19 18:06 ` [PATCH v8 2/8] powerpc/ima: add support to initialize ima policy rules Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 0:16 ` Mimi Zohar
2019-10-20 0:16 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 3/8] powerpc: detect the trusted boot state of the system Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 12:48 ` Mimi Zohar
2019-10-20 12:48 ` Mimi Zohar
2019-10-22 23:38 ` Michael Ellerman
2019-10-22 23:38 ` Michael Ellerman
2019-10-19 18:06 ` [PATCH v8 4/8] powerpc/ima: add measurement rules to ima arch specific policy Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 0:16 ` Mimi Zohar
2019-10-20 0:16 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 5/8] ima: make process_buffer_measurement() generic Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 1:21 ` Mimi Zohar
2019-10-20 1:21 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 6/8] certs: add wrapper function to check blacklisted binary hash Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-19 18:06 ` [PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 0:58 ` Mimi Zohar [this message]
2019-10-20 0:58 ` Mimi Zohar
2019-10-20 16:06 ` Mimi Zohar
2019-10-20 16:06 ` Mimi Zohar
2019-10-20 16:09 ` Mimi Zohar
2019-10-20 16:09 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 8/8] powerpc/ima: update ima arch policy to check for blacklist Nayna Jain
2019-10-19 18:06 ` Nayna Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1571533121.5250.329.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=cclaudio@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=erpalmer@us.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=matthew.garret@nebula.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=prsriva02@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.