Re: [PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig

From: Nayna Jain
Date: Fri Oct 25 2019 - 13:37:16 EST

On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:

+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list, based
+ * on policy.
+ *
+ * Returns -EPERM if the hash is blacklisted.
+ */
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+ÂÂÂÂÂÂÂÂÂÂÂ const struct modsig *modsig, int pcr)
+ÂÂÂ enum hash_algo hash_algo;
+ÂÂÂ const u8 *digest = NULL;
+ÂÂÂ u32 digestsize = 0;
+ÂÂÂ int rc = 0;
+ÂÂÂ if (!(iint->flags & IMA_CHECK_BLACKLIST))
+ÂÂÂÂÂÂÂ return 0;
+ÂÂÂ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
+ÂÂÂÂÂÂÂ ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
+ÂÂÂÂÂÂÂ rc = is_binary_blacklisted(digest, digestsize);
+ÂÂÂÂÂÂÂ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+ÂÂÂÂÂÂÂÂÂÂÂ process_buffer_measurement(digest, digestsize,
+ÂÂÂ }

The enum value "NONE" is being passed to process_buffer_measurement to indicate that the check for required action based on ima policy is already done by ima_check_blacklist. Not sure, but this can cause confusion in the future when someone updates process_buffer_measurement.

As I explained in the response to other patch, the purpose is to indicate that it is an auxiliary measurement record. By passing func as NONE, it implies there is no explicit policy to be queried for the template as it is an additional record for an existing policy and is to use ima-buf template.

What type of confusion do you mean ?

Thanks & Regards,

ÂÂÂÂ - Nayna