Re: [PATCH v8 6/6] IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms

[Mimi Zohar <zohar@linux.ibm.com>]

On Mon, 2021-08-16 at 08:11 +0000, THOBY Simon wrote:
> SETXATTR_CHECK poliy rules assume that any algorithm listed in the
> 'appraise_algos' flag must be accepted when performing setxattr()
> on the security.ima xattr.
> However nothing checks that they are available in the current kernel.
> A userland application could hash a file with a digest that the kernel
> wouldn't be able to verify. However, if SETXATTR_CHECK is not in use,
> the kernel already forbids that xattr write.

I assume the above couple of sentences are a continuation of the
previous paragraph and concatenated them.  If it really is meant to be
a separate paragraph a blank line needs to separate them.

> 
> Verify that algorithms listed in appraise_algos are available to the
> current kernel and reject the policy update otherwise. This will fix
> the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
> behaviors.
> 
> That filtering is only performed in ima_parse_appraise_algos() when
> updating policies so that we do not have to pay the price of allocating
> a hash object every time validate_hash_algo() is called in
> ima_inode_setxattr().
> 
> Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>

Thanks, Simon.  Before pushing out the entire patch set, including this
one, to next-integrity-testing branch,  I reverted the tag re-ordering, 
fixed the line length of the sample appraise rule, and added the commit
number (for stable) in the patch description.  Please verify.

While testing, I noticed similar support is needed for appended
signatures.  For example, "scripts/sign-file" can be used to sign
kernel modules or the kernel image.

Sample kexec rules:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_algos=sha256

thanks,

Mimi