From: Mimi Zohar <zohar@linux.ibm.com>
To: THOBY Simon <Simon.THOBY@viveris.fr>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
BARVAUX Didier <Didier.BARVAUX@viveris.fr>
Subject: Re: [PATCH v2 2/3] IMA: add policy support for restricting the accepted hash algorithms
Date: Fri, 23 Jul 2021 07:36:23 -0400 [thread overview]
Message-ID: <7841c6025e3f51db3cd74a330d37ae333d041dc5.camel@linux.ibm.com> (raw)
In-Reply-To: <20210720092404.120172-3-simon.thoby@viveris.fr>
Hi Simon,
On Tue, 2021-07-20 at 09:25 +0000, THOBY Simon wrote:
> This patch defines a new IMA policy rule option "appraise_hash=",
> that restricts the hash algorithms accepted for the extended attribute
> security.ima when appraising.
> This patch is *not* self-contained, as it plugs in the support for
> parsing the parameter and showing it to the user, but it doesn't enforce
> the hashes yet, this will come in a subsequent patch.
Right, in order for the patch set to be bisect safe, the order of
patches 2 & 3 should be reversed. First implement the support, then
add the policy rule support. Otherwise the policy rules could be
processed, but not enforced.
thanks,
Mimi
>
> Here is an example of a valid rule that enforces the use of sha256 or
> sha512 when appraising iptables binaries:
> appraise func=BPRM_CHECK obj_type=iptables_exec_t appraise_type=imasig appraise_hash=sha256,sha512
>
> This do not apply only to IMA in hash mode, it also works with digital
> signatures, in which case it requires the hash (which was then signed
> by a trusted private key) to have been generated with one of the
> whitelisted algorithms.
>
> Signed-off-by: Simon Thoby <simon.thoby@viveris.fr>
next prev parent reply other threads:[~2021-07-23 11:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-20 9:25 [PATCH v2 0/3] IMA: restrict the accepted digest algorithms THOBY Simon
2021-07-20 9:25 ` [PATCH v2 1/3] IMA: block writes of the security.ima xattr with weak hash algorithms THOBY Simon
2021-07-23 11:46 ` Mimi Zohar
2021-07-26 9:49 ` THOBY Simon
2021-07-26 16:02 ` Mimi Zohar
2021-07-20 9:25 ` [PATCH v2 2/3] IMA: add policy support for restricting the accepted " THOBY Simon
2021-07-23 11:36 ` Mimi Zohar [this message]
2021-07-20 9:25 ` [PATCH v2 3/3] IMA: honor the appraise_hash policy option THOBY Simon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7841c6025e3f51db3cd74a330d37ae333d041dc5.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Didier.BARVAUX@viveris.fr \
--cc=Simon.THOBY@viveris.fr \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox