From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org,
	Eric Biggers <ebiggers@kernel.org>
Subject: Re: [PATCH 3/4] ima: limit including fs-verity's file digest in measurement list
Date: Mon, 29 Nov 2021 21:46:30 -0800
Message-ID: <e99c6bdd-de23-7e07-37ce-c01b51961402@linux.microsoft.com>
In-Reply-To: <20211129170057.243127-4-zohar@linux.ibm.com>

Hi Mimi,

Just one nit comment below in the patch description.

On 11/29/2021 9:00 AM, Mimi Zohar wrote:
> Without the file signature included the IMA measurement list, the type
Without the file signature included in the IMA measurement list, the type...

  -lakshmi

> of file digest is unclear.  Limit including fs-verity's file digest in
> the IMA measurement list based on whether the template name is ima-sig.
> In the future, this could be relaxed to include any template format that
> includes the file signature.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   security/integrity/ima/ima.h              | 3 ++-
>   security/integrity/ima/ima_api.c          | 3 ++-
>   security/integrity/ima/ima_appraise.c     | 3 ++-
>   security/integrity/ima/ima_main.c         | 7 ++++++-
>   security/integrity/ima/ima_template_lib.c | 3 ++-
>   5 files changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index be965a8715e4..ab257e404f8e 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
>   int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
>   int ima_collect_measurement(struct integrity_iint_cache *iint,
>   			    struct file *file, void *buf, loff_t size,
> -			    enum hash_algo algo, struct modsig *modsig);
> +			    enum hash_algo algo, struct modsig *modsig,
> +			    bool veritysig);
>   void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
>   			   const unsigned char *filename,
>   			   struct evm_ima_xattr_data *xattr_value,
> diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> index 42c6ff7056e6..179c7f0364c2 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -217,7 +217,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
>    */
>   int ima_collect_measurement(struct integrity_iint_cache *iint,
>   			    struct file *file, void *buf, loff_t size,
> -			    enum hash_algo algo, struct modsig *modsig)
> +			    enum hash_algo algo, struct modsig *modsig,
> +			    bool veritysig)
>   {
>   	const char *audit_cause = "failed";
>   	struct inode *inode = file_inode(file);
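Review bot: the kernel-doc block that closes with the `*/` at the top of this hunk gains no `@veritysig:` entry, so the definition now takes a parameter its documentation never mentions; add a line describing when the caller sets it (the patch description says: an fs-verity signature is present and the template is ima-sig) and what it changes in the collected measurement. The shown context also contains no use of `veritysig` inside the body, so either the use sits further down the function or lands in a later patch of the series; the description should say which.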
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index d43a27a9a9b6..b31be383e668 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -510,7 +510,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
>   	    !(iint->flags & IMA_HASH))
>   		return;
>   
> -	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
> +	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo,
> +				     NULL, FALSE);
>   	if (rc < 0)
>   		return;
>   
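Review bot: `NULL, FALSE);` passes an uppercase `FALSE` for a parameter declared `bool veritysig` in ima.h; the kernel's boolean literals are lowercase `false`/`true` from <linux/types.h>, and nothing in this hunk's includes defines `FALSE`, so this should read `NULL, false);`.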
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 465865412100..a73e1e845ea8 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
>   	bool violation_check;
>   	enum hash_algo hash_algo;
>   	unsigned int allowed_algos = 0;
> +	int veritysig = FALSE;
>   
>   	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
>   		return 0;
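Review bot: `int veritysig = FALSE;` declares as `int` a variable that is later passed to the `bool veritysig` parameter and assigned from `TRUE`; declare it `bool veritysig = false;` so the local type matches the prototype and uses the kernel's boolean spelling.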
> @@ -333,8 +334,12 @@ static int process_measurement(struct file *file, const struct cred *cred,
>   	}
>   
>   	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
> +	if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG &&
> +	    strcmp(template_desc->name, "ima-sig") == 0)
> +		veritysig = TRUE;
>   
> -	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
> +	rc = ima_collect_measurement(iint, file, buf, size, hash_algo,
> +				     modsig, veritysig);
>   	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
>   		goto out_locked;
>   
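Review bot: the gate `strcmp(template_desc->name, "ima-sig") == 0` hardcodes the template name, which the patch description itself calls a temporary restriction to be relaxed to any template carrying the file signature; a comment at this line saying so would stop the next reader from treating the name match as the intended design, and checking `template_desc` for its signature field rather than its name would already cover custom templates that include the signature. Also `veritysig = TRUE;` should be `veritysig = true;` to match the `bool` parameter it feeds.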
> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
> index ca017cae73eb..5bad251f3b07 100644
> --- a/security/integrity/ima/ima_template_lib.c
> +++ b/security/integrity/ima/ima_template_lib.c
> @@ -478,7 +478,8 @@ int ima_eventsig_init(struct ima_event_data *event_data,
>   {
>   	struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
>   
> -	if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
> +	if ((!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG ||
> +				xattr_value->type == IMA_VERITY_DIGSIG))
>   		return ima_eventevmsig_init(event_data, field_data);
>   
>   	return ima_write_template_field_data(xattr_value, event_data->xattr_len,
> 
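Review bot: the new condition `(!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG || xattr_value->type == IMA_VERITY_DIGSIG)` is correct but the negated disjunction reads awkwardly next to the original's direct `!=` test; `if (!xattr_value || (xattr_value->type != EVM_IMA_XATTR_DIGSIG && xattr_value->type != IMA_VERITY_DIGSIG))` says the same thing in the style of the line it replaces. More substantively, this makes `ima_eventsig_init()` emit an fs-verity signature for any template with a signature field, independent of the ima-sig gating added in ima_main.c, which only governs the digest; the description should state that the signature is written whenever present while only the digest substitution is limited to ima-sig, so reviewers do not read the two changes as one rule.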
