Re: [PATCH v7 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal

public inbox for linux-integrity@vger.kernel.org
 help / color / mirror / Atom feed

From: THOBY Simon <Simon.THOBY@viveris.fr>
To: Mimi Zohar <zohar@linux.ibm.com>,
	"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	BARVAUX Didier <Didier.BARVAUX@viveris.fr>
Cc: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Subject: Re: [PATCH v7 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal
Date: Fri, 13 Aug 2021 07:17:55 +0000	[thread overview]
Message-ID: <b7cd3e6d-a23d-177b-5a6b-fb81d9bca4aa@viveris.fr> (raw)
In-Reply-To: <aef8a1e8cee322409ef3dc6723c7e77bc16f6b2f.camel@linux.ibm.com>

Hi Mimi,

On 8/12/21 8:31 PM, Mimi Zohar wrote:
> Hi Simon,
> 
> On Thu, 2021-08-12 at 09:16 -0400, Mimi Zohar wrote:
>> On Thu, 2021-08-12 at 08:06 +0000, THOBY Simon wrote:
> 
>>> However your comment does applies to the next patch ("IMA: introduce a new policy
>>> option func=SETXATTR_CHECK"), and we probably could restrict the algorithms referenced in
>>> ima_setxattr_allowed_hash_algorithms to ones the current kernel can use. 
>>> The easiest way to enforce this would probably be to check that when parsing 'appraise_algos'
>>> in ima_parse_appraise_algos(), we only add algorithms that are available, ignoring - or
>>> rejecting, according to the outcome of the discussion above - the other algorithms. That way,
>>> we do not have to pay the price of allocating a hash object every time validate_hash_algo() is
>>> called.
>>>
>>> Would it be ok if I did that?
>>
>> Without knowing and understanding all the environments in which IMA is
>> enabled (e.g. front end, back end build system), you're correct -
>> protecting the user from themselves -might not be the right answer.
>>
>> What you suggested, above, would be the correct solution.  Perhaps post
>> that change as a separate patch, on top of this patch set, for
>> additional discussion.
> 
> Before posting the patch, please fix your user name and email address
> in the git configuration.  scripts/checkpatch.pl is complaining:
> 
> ERROR: Missing Signed-off-by: line by nominal patch author 'THOBY Simon
> <Simon.THOBY@viveris.fr>'

> 
> total: 1 errors, 0 warnings, 218 lines checked

I guess Microsoft Exchange strikes again :/
On my end, the patches have the correct 'From: Simon Thoby <simon.thoby@viveris.fr>'
header, but it seems Outlook likes to rewrite headers to match my Microsoft work account
information. I will update my git config, as I can't edit the name and email of the corporate
account.
Sorry about that.


> 
> thanks,
> 
> Mimi
> 

Thanks,
Simon

next prev parent reply	other threads:[~2021-08-13  7:17 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-11 11:40 [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr THOBY Simon
2021-08-11 11:40 ` [PATCH v7 1/5] IMA: remove the dependency on CRYPTO_MD5 THOBY Simon
2021-08-11 11:40 ` [PATCH v7 2/5] IMA: block writes of the security.ima xattr with unsupported algorithms THOBY Simon
2021-08-11 11:40 ` [PATCH v7 3/5] IMA: add support to restrict the hash algorithms used for file appraisal THOBY Simon
2021-08-11 11:40 ` [PATCH v7 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal THOBY Simon
2021-08-11 16:26   ` Mimi Zohar
2021-08-12  8:06     ` THOBY Simon
2021-08-12 13:16       ` Mimi Zohar
2021-08-12 18:31         ` Mimi Zohar
2021-08-13  7:17           ` THOBY Simon [this message]
2021-08-13 12:49             ` Mimi Zohar
2021-08-11 11:40 ` [PATCH v7 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK THOBY Simon
2021-08-11 19:40 ` [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar
2021-08-11 23:53   ` Steve Grubb
2021-08-12  0:17     ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b7cd3e6d-a23d-177b-5a6b-fb81d9bca4aa@viveris.fr \
    --to=simon.thoby@viveris.fr \
    --cc=Didier.BARVAUX@viveris.fr \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox