On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list, based
+ * on policy.
+ *
+ * Returns -EPERM if the hash is blacklisted.
+ */
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+ÂÂÂÂÂÂÂÂÂÂÂ const struct modsig *modsig, int pcr)
+{
+ÂÂÂ enum hash_algo hash_algo;
+ÂÂÂ const u8 *digest = NULL;
+ÂÂÂ u32 digestsize = 0;
+ÂÂÂ int rc = 0;
+
+ÂÂÂ if (!(iint->flags & IMA_CHECK_BLACKLIST))
+ÂÂÂÂÂÂÂ return 0;
+
+ÂÂÂ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
+ÂÂÂÂÂÂÂ ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
+
+ÂÂÂÂÂÂÂ rc = is_binary_blacklisted(digest, digestsize);
+ÂÂÂÂÂÂÂ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+ÂÂÂÂÂÂÂÂÂÂÂ process_buffer_measurement(digest, digestsize,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "blacklisted-hash", NONE,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ pcr);
+ÂÂÂ }
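Review bot: hash_algo is filled in by ima_get_modsig_digest() but never used afterwards; is_binary_blacklisted() receives only digest and digestsize, so the lookup cannot tell which algorithm produced the digest, and the blacklist entry is matched on raw bytes alone. Either pass hash_algo through to the lookup (or make it part of the key) or add a comment explaining why the algorithm is irrelevant here. A smaller point: `if (iint->flags & IMA_MODSIG_ALLOWED && modsig)` relies on `&` binding tighter than `&&`; writing `if ((iint->flags & IMA_MODSIG_ALLOWED) && modsig)` makes the intent obvious and matches the parenthesized style used two lines below.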
The enum value "NONE" is being passed to process_buffer_measurement() to indicate that the check for the required action based on the IMA policy is already done by ima_check_blacklist(). Not sure, but this can cause confusion in the future when someone updates process_buffer_measurement().