Re: [PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig

[Nayna Jain]

On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
> On 10/23/2019 8:47 PM, Nayna Jain wrote:
>
> > +/*
> > + * ima_check_blacklist - determine if the binary is blacklisted.
> > + *
> > + * Add the hash of the blacklisted binary to the measurement list, 
> > based
> > + * on policy.
> > + *
> > + * Returns -EPERM if the hash is blacklisted.
> > + */
> > +int ima_check_blacklist(struct integrity_iint_cache *iint,
> > +ÂÂÂÂÂÂÂÂÂÂÂ const struct modsig *modsig, int pcr)
> > +{
> > +ÂÂÂ enum hash_algo hash_algo;
> > +ÂÂÂ const u8 *digest = NULL;
> > +ÂÂÂ u32 digestsize = 0;
> > +ÂÂÂ int rc = 0;
> > +
> > +ÂÂÂ if (!(iint->flags & IMA_CHECK_BLACKLIST))
> > +ÂÂÂÂÂÂÂ return 0;
> > +
> > +ÂÂÂ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
> > +ÂÂÂÂÂÂÂ ima_get_modsig_digest(modsig, &hash_algo, &digest, 
> > &digestsize);
> > +
> > +ÂÂÂÂÂÂÂ rc = is_binary_blacklisted(digest, digestsize);
> > +ÂÂÂÂÂÂÂ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
> > +ÂÂÂÂÂÂÂÂÂÂÂ process_buffer_measurement(digest, digestsize,
> > +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "blacklisted-hash", NONE,
> > +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ pcr);
> > +ÂÂÂ }
>
> The enum value "NONE" is being passed to process_buffer_measurement to 
> indicate that the check for required action based on ima policy is 
> already done by ima_check_blacklist. Not sure, but this can cause 
> confusion in the future when someone updates process_buffer_measurement.


As I explained in the response to other patch, the purpose is to 
indicate that it is an auxiliary measurement record. By passing func as 
NONE, it implies there is no explicit policy to be queried for the 
template as it is an additional record for an existing policy and is to 
use ima-buf template.

What type of confusion do you mean ?

Thanks & Regards,

ÂÂÂÂ - Nayna