RE: [RESEND][PATCH] Documentation: added order requirement for ima_hash=

From: Roberto Sassu
Date: Wed Jan 26 2022 - 09:43:36 EST

Next message: Christian Brauner: "Re: [PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy"
Previous message: Jarkko Sakkinen: "Re: [PATCH 05/25] x86/sgx: Introduce runtime protection bits"
In reply to: Mimi Zohar: "Re: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Next in thread: Jonathan Corbet: "RE: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> Sent: Wednesday, January 26, 2022 3:35 PM
> On Wed, 2022-01-26 at 13:24 +0000, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> > > Sent: Wednesday, January 26, 2022 1:48 PM
> > > On Wed, 2022-01-26 at 15:41 +0800, Guozihua (Scott) wrote:
> > > >
> > > >
> > > > The main issue lies in ima_template_desc_current called by hash_setup,
> > > > which does not just read ima_template global variable, but also tries to
> > > > set it if that hasn't been done already. Causing ima_template_setup to quit.
> > >
> > > Right, which calls ima_init_template_list(). So part of the solution
> > > could be to conditionally call ima_init_template_list()
> > > in ima_template_setup().
> > >
> > > - if (ima_template)
> > > - return 1;
> > > -
> > > - ima_init_template_list();
> > > + if (!ima_template
> > > + ima_init_template_list();
> > >
> > > Roberto, what do you think?
> >
> > Hi Mimi
> >
> > I think we wanted to prevent to set a digest algorithm
> > incompatible with the chosen template.
> >
> > If we have in the kernel command line:
> >
> > ima_template=ima ima_hash=sha256
> >
> > ima_hash_algo would be set to HASH_ALGO_SHA1 despite
> > the user choice and the template would be set to 'ima'.
> >
> > In the opposite case:
> >
> > ima_hash=sha256 ima_template=ima
> >
> > if the default template is 'ima', then ima_hash_algo would be
> > set to HASH_ALGO_SHA1. Otherwise, it would be
> > HASH_ALGO_SHA256. If we allow the template to be set after
> > the digest algorithm is evaluated, the template selection will
> > be rejected if the algorithm is incompatible with the template.
>
> The only time that would occur is in the unlikely case that the
> template is being set to "ima". That sounds reasonable. In fact we
> should consider preventing the template format being set to "ima".

Ok.

> > I'm trying to remember why we still have the digest recalculation
> > in ima_eventdigest_init(). Maybe the only possibility is if we
> > set the template from the policy?
>
> The recalculation was relatively recently added in commit 6cc7c266e5b4
> ("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()").

There is also recalculation for the file digest:

hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
ima_hash_algo : HASH_ALGO_SHA1;
result = ima_calc_file_hash(event_data->file, &hash.hdr);

I understood that Jonathan already applied the patch. If it is possible
to make a new patch according to your suggestion, I would ask Zihua
to do that.

Jonathan, would it be fine for you to discard this patch?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> thanks,
>
> Mimi

Next message: Christian Brauner: "Re: [PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy"
Previous message: Jarkko Sakkinen: "Re: [PATCH 05/25] x86/sgx: Introduce runtime protection bits"
In reply to: Mimi Zohar: "Re: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Next in thread: Jonathan Corbet: "RE: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]