From: Mimi Zohar <zohar@linux.ibm.com>
To: THOBY Simon <Simon.THOBY@viveris.fr>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
BARVAUX Didier <Didier.BARVAUX@viveris.fr>
Subject: Re: [PATCH v5 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK
Date: Thu, 29 Jul 2021 12:15:55 -0400 [thread overview]
Message-ID: <07dced7b64c88b3212a8539da8e10450d62704dd.camel@linux.ibm.com> (raw)
In-Reply-To: <1fdf70ea-a5db-75d5-3e33-71229fcfd31d@viveris.fr>
Hi Simon,
On Thu, 2021-07-29 at 07:47 +0000, THOBY Simon wrote:
>
> >> + * for setxattr writes
> >> + *
> >> + * Update the atomic variable holding the set of allowed hash algorithms
> >> + * that can be used to update the security.ima xattr of a file.
> >> + *
> >> + * Context: called when updating the IMA policy.
> >> + *
> >> + * SETXATTR_CHECK rules do not implement a full policy check because of
> >> + * the performance impact performing rules checking on setxattr() would
> >> + * have. The consequence is that only one SETXATTR_CHECK can be active at
> >> + * a time.
> >> + */
> >> +static void update_allowed_hash_algorithms(void)
> >> +{
> >> + struct ima_rule_entry *entry;
> >> +
> >> + /*
> >> + * We scan in reverse order because only the last entry with the
> >> + * 'func=SETXATTR_CHECK' apply: this allows runtime upgrades of the
> >> + * digest algorithm policy, unlike the other IMA rules that are
> >> + * usually append-only. Old rules will still be present in the
> >> + * ruleset, but inactive.
> >> + */
> >
> > Oh, my! I really hope this won't be used as precedent. Before
> > agreeing to this, the existing policy rules must require loading of
> > only signed IMA policies.
> >
>
>
> After some though, I think you're right, there is not much point to do anything
> different from the other IMA rules,
>
> Below is the modified version that I will submit in the next patch.
>
> However given the similarities between this function and ima_update_policy_flag,
> I think maybe I should merge them together: they are mostly called from the
> same places and they both serve the same role: updating some of the global ima
> variables after a policy update or at system initialization.
>
> Do you think it would be ok to add that functionality to ima_update_policy_flag?
> Maybe updating the name to reflect that the function updates multiples flags?
We've gone through a couple of iterations of this patch. At this
point, it's defining a single set of setxattr permitted hash
algorithms. Renaming and adding the change to
ima_update_policy_flags() definitely makes sense.
At the same time, I'd appreciate your fixing the RCU locking there.
> As a side note on the patchset, maybe I should refrain from posting for a few days to give people time
> to comment on it, instead of sending new versions in such a quick succession?
Definitely.
thanks,
Mimi
next prev parent reply other threads:[~2021-07-29 16:16 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-28 13:21 [PATCH v5 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr THOBY Simon
2021-07-28 13:21 ` [PATCH v5 1/5] IMA: remove the dependency on CRYPTO_MD5 THOBY Simon
2021-08-03 16:01 ` Lakshmi Ramasubramanian
2021-07-28 13:21 ` [PATCH v5 2/5] IMA: block writes of the security.ima xattr with unsupported algorithms THOBY Simon
2021-08-03 16:33 ` Lakshmi Ramasubramanian
2021-07-28 13:21 ` [PATCH v5 3/5] IMA: add support to restrict the hash algorithms used for file appraisal THOBY Simon
2021-08-03 16:41 ` Lakshmi Ramasubramanian
2021-07-28 13:21 ` [PATCH v5 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal THOBY Simon
2021-07-28 13:21 ` [PATCH v5 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK THOBY Simon
2021-07-28 22:57 ` Mimi Zohar
2021-07-29 7:47 ` THOBY Simon
2021-07-29 16:15 ` Mimi Zohar [this message]
2021-07-28 22:56 ` [PATCH v5 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=07dced7b64c88b3212a8539da8e10450d62704dd.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Didier.BARVAUX@viveris.fr \
--cc=Simon.THOBY@viveris.fr \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).