Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable

From: Nayna
Date: Mon Jul 20 2020 - 13:03:17 EST

Next message: Kanchan Joshi: "Re: [PATCH v3 4/4] io_uring: add support for zone-append"
Previous message: Jens Axboe: "Re: io_uring vs in_compat_syscall()"
In reply to: Tyler Hicks: "Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/17/20 2:11 PM, Tyler Hicks wrote:

On 2020-07-17 13:40:22, Nayna wrote:

On 7/9/20 2:19 AM, Tyler Hicks wrote:

The "appraise_flag" option is only appropriate for appraise actions
and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
only appropriate when "appraise_type=imasig|modsig" is also present.
Make this clear at policy load so that IMA policy authors don't assume
that other uses of "appraise_flag=blacklist" are supported.

Fixes: 273df864cf74 ("ima: Check against blacklisted hashes for files with modsig")
Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
Cc: Nayna Jain <nayna@xxxxxxxxxxxxx>
---

* v3
- New patch

security/integrity/ima/ima_policy.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 81da02071d41..9842e2e0bc6d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1035,6 +1035,11 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
return false;
}
+ /* Ensure that combinations of flags are compatible with each other */
+ if (entry->flags & IMA_CHECK_BLACKLIST &&
+ !(entry->flags & IMA_MODSIG_ALLOWED))
+ return false;
+
return true;
}
@@ -1371,8 +1376,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
result = -EINVAL;
break;
case Opt_appraise_flag:
+ if (entry->action != APPRAISE) {
+ result = -EINVAL;
+ break;
+ }
+
ima_log_string(ab, "appraise_flag", args[0].from);
- if (strstr(args[0].from, "blacklist"))
+ if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
+ strstr(args[0].from, "blacklist"))
entry->flags |= IMA_CHECK_BLACKLIST;

If IMA_APPRAISE_MODSIG is disabled, it will allow the following rule to
load, which is not as expected.

"appraise func=xxx_CHECK appraise_flag=blacklist appraise_type=imasig"

Missing is the "else" condition to immediately reject the policy rule.

Thanks for the review. You're right. This change is needed:

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 9842e2e0bc6d..cf3ddb38dfa8 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1385,6 +1385,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
strstr(args[0].from, "blacklist"))
entry->flags |= IMA_CHECK_BLACKLIST;
+ else
+ result = -EINVAL;
break;
case Opt_permit_directio:
entry->flags |= IMA_PERMIT_DIRECTIO;

Reviewed-by: Nayna Jain<nayna@xxxxxxxxxxxxx>

Tested-by: Nayna Jain<nayna@xxxxxxxxxxxxx>

Thanks & Regards,

ÂÂÂÂÂ - Nayna

Next message: Kanchan Joshi: "Re: [PATCH v3 4/4] io_uring: add support for zone-append"
Previous message: Jens Axboe: "Re: io_uring vs in_compat_syscall()"
In reply to: Tyler Hicks: "Re: [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]