Re: [PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig

From: Lakshmi Ramasubramanian
Date: Thu Oct 24 2019 - 13:48:04 EST
On 10/23/2019 8:47 PM, Nayna Jain wrote:

+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list, based
+ * on policy.
+ *
+ * Returns -EPERM if the hash is blacklisted.
+ */
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+ const struct modsig *modsig, int pcr)
+{
+ enum hash_algo hash_algo;
+ const u8 *digest = NULL;
+ u32 digestsize = 0;
+ int rc = 0;
+
+ if (!(iint->flags & IMA_CHECK_BLACKLIST))
+ return 0;
+
+ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
+ ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
+
+ rc = is_binary_blacklisted(digest, digestsize);
+ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+ process_buffer_measurement(digest, digestsize,
+ "blacklisted-hash", NONE,
+ pcr);
+ }
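Review bot: the function comment ("determine if the binary is blacklisted") promises more than the body delivers: after the IMA_CHECK_BLACKLIST early return, the blacklist is only consulted inside `if (iint->flags & IMA_MODSIG_ALLOWED && modsig)`, so a file that has the blacklist flag set but carries no modsig (or whose policy lacks IMA_MODSIG_ALLOWED) falls through with rc still 0 and is never checked. Either state in the comment that the check applies only to appended-signature (modsig) files, as the subject line says, or make the fall-through explicit. Minor readability point on the same line: parenthesize the flag test, `if ((iint->flags & IMA_MODSIG_ALLOWED) && modsig)`, so the reader does not have to recall that `&` binds tighter than `&&`.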

The enum value "NONE" is being passed to process_buffer_measurement to indicate that the check for required action based on ima policy is already done by ima_check_blacklist. Not sure, but this can cause confusion in the future when someone updates process_buffer_measurement.

Would it instead be better to add another parameter to process_buffer_measurement to indicate the above condition?

-lakshmi