* Re: [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr [not found] <20210811114037.201887-1-simon.thoby@viveris.fr> @ 2021-08-11 19:40 ` Mimi Zohar 2021-08-11 23:53 ` Steve Grubb 0 siblings, 1 reply; 3+ messages in thread From: Mimi Zohar @ 2021-08-11 19:40 UTC (permalink / raw) To: THOBY Simon, dmitry.kasatkin@gmail.com, linux-integrity@vger.kernel.org, BARVAUX Didier Cc: linux-audit [Cc'ing linux-audit] Hi Simon, On Wed, 2021-08-11 at 11:40 +0000, THOBY Simon wrote: Other than the two questions on " IMA: add a policy option to restrict xattr hash algorithms on appraisal" patch, the patch set is looking good. thanks, Mimi > Here is also a short description of the new audit messages, but I can > send it in a followup mail if that is not the proper place: > > When writing the xattr with an algorithm not built in the kernel (here the > kernel was built with CONFIG_CRYPTO_MD5 unset), e.g. with > "evmctl ima_hash -a md5 /usr/bin/strace": > audit(1628066120.418:121): pid=1344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data cause=unavailable-hash-algorithm comm="evmctl" name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0 > > With the same command and the policy rule > "appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512", we get: > audit(1628066210.141:127): pid=1362 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data cause=denied-hash-algorithm comm="evmctl" name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0 > > Note that the cause is now 'denied-hash-algorithm' instead of > 'unavailable-hash-algorithm'. We get that audit message for any algorithm > outside of sha256/384/512 (including algorithms not compiled in the kernel > like MD5). In a sense, 'denied-hash-algorithm' takes predecence over > 'unavailable-hash-algorithm'. > > When appraising files, e.g. trying to execute a file whose xattr was hashed > with sha1 while the policy rule > "appraise func=BPRM_CHECK fowner=0 appraise_algos=sha256" is enabled: > audit(1628066349.230:130): pid=1369 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=collect_data cause=denied-hash-algorithm comm="bash" name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0 > > > This series is based on the following repo/branch: > repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git > branch: next-integrity-testing > commit e37be5343ae2b9419aea1442b07e5d2428b437b4 ("Merge branch 'ima-buffer-measurement-changes-v4' into next-integrity") -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr 2021-08-11 19:40 ` [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar @ 2021-08-11 23:53 ` Steve Grubb 2021-08-12 0:17 ` Steve Grubb 0 siblings, 1 reply; 3+ messages in thread From: Steve Grubb @ 2021-08-11 23:53 UTC (permalink / raw) To: linux-integrity@vger.kernel.org, linux-audit, Mimi Zohar Cc: dmitry.kasatkin@gmail.com, BARVAUX Didier, THOBY Simon Hello, On Wednesday, August 11, 2021 3:40:51 PM EDT Mimi Zohar wrote: > On Wed, 2021-08-11 at 11:40 +0000, THOBY Simon wrote: > Other than the two questions on " IMA: add a policy option to restrict > xattr hash algorithms on appraisal" patch, the patch set is looking > good. > > thanks, > > Mimi > > > Here is also a short description of the new audit messages, but I can > > send it in a followup mail if that is not the proper place: > > > > When writing the xattr with an algorithm not built in the kernel (here > > the > > kernel was built with CONFIG_CRYPTO_MD5 unset), e.g. with > > > > "evmctl ima_hash -a md5 /usr/bin/strace": > > audit(1628066120.418:121): pid=1344 uid=0 auid=0 ses=1 > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data > > cause=unavailable-hash-algorithm comm="evmctl" name="/usr/bin/strace" > > dev="dm-0" ino=2632657 res=0 errno=0> Is this audit event accurate? I seem to be seeing name=value=value. I'm hoping this is a copy/paste/mail client issue. -Steve > > With the same command and the policy rule > > > > "appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512", we get: > > audit(1628066210.141:127): pid=1362 uid=0 auid=0 ses=1 > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data > > cause=denied-hash-algorithm comm="evmctl" name="/usr/bin/strace" > > dev="dm-0" ino=2632657 res=0 errno=0> > > Note that the cause is now 'denied-hash-algorithm' instead of > > 'unavailable-hash-algorithm'. We get that audit message for any algorithm > > outside of sha256/384/512 (including algorithms not compiled in the > > kernel > > like MD5). In a sense, 'denied-hash-algorithm' takes predecence over > > 'unavailable-hash-algorithm'. > > > > When appraising files, e.g. trying to execute a file whose xattr was > > hashed with sha1 while the policy rule > > > > "appraise func=BPRM_CHECK fowner=0 appraise_algos=sha256" is enabled: > > audit(1628066349.230:130): pid=1369 uid=0 auid=0 ses=1 > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > op=collect_data cause=denied-hash-algorithm comm="bash" > > name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0> > > This series is based on the following repo/branch: > > repo: > > https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.g > > it branch: next-integrity-testing > > commit e37be5343ae2b9419aea1442b07e5d2428b437b4 ("Merge branch > > 'ima-buffer-measurement-changes-v4' into next-integrity") > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://listman.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr 2021-08-11 23:53 ` Steve Grubb @ 2021-08-12 0:17 ` Steve Grubb 0 siblings, 0 replies; 3+ messages in thread From: Steve Grubb @ 2021-08-12 0:17 UTC (permalink / raw) To: linux-integrity@vger.kernel.org, linux-audit, Mimi Zohar Cc: dmitry.kasatkin@gmail.com, BARVAUX Didier, THOBY Simon Hello, On Wednesday, August 11, 2021 7:53:15 PM EDT Steve Grubb wrote: > On Wednesday, August 11, 2021 3:40:51 PM EDT Mimi Zohar wrote: > > On Wed, 2021-08-11 at 11:40 +0000, THOBY Simon wrote: > > Other than the two questions on " IMA: add a policy option to restrict > > xattr hash algorithms on appraisal" patch, the patch set is looking > > good. > > > > thanks, > > > > Mimi > > > > > Here is also a short description of the new audit messages, but I can > > > send it in a followup mail if that is not the proper place: > > > > > > When writing the xattr with an algorithm not built in the kernel (here > > > the kernel was built with CONFIG_CRYPTO_MD5 unset), e.g. with > > > > > > "evmctl ima_hash -a md5 /usr/bin/strace": > > > audit(1628066120.418:121): pid=1344 uid=0 auid=0 ses=1 > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data > > > cause=unavailable-hash-algorithm comm="evmctl" name="/usr/bin/ strace" > > > dev="dm-0" ino=2632657 res=0 errno=0> > > Is this audit event accurate? I seem to be seeing name=value=value. I'm > hoping this is a copy/paste/mail client issue. Sorry for the noise...I see there is a space in there. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-12 0:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20210811114037.201887-1-simon.thoby@viveris.fr>
2021-08-11 19:40 ` [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar
2021-08-11 23:53 ` Steve Grubb
2021-08-12 0:17 ` Steve Grubb
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox