linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
	dmitry.kasatkin@huawei.com, mjg59@google.com
Cc: linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com,
	stable@vger.kernel.org
Subject: Re: [PATCH 4/4] ima: only audit failed appraisal verifications
Date: Mon, 20 May 2019 17:20:25 -0400	[thread overview]
Message-ID: <1558387225.4039.78.camel@linux.ibm.com> (raw)
In-Reply-To: <20190516161257.6640-4-roberto.sassu@huawei.com>

On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> This patch ensures that integrity_audit_msg() is called only when the
> status is not INTEGRITY_PASS.
> 
> Fixes: 8606404fa555c ("ima: digital signature verification support")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Cc: stable@vger.kernel.org
> ---
>  security/integrity/ima/ima_appraise.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index a32ed5d7afd1..f5f4506bcb8e 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -359,8 +359,9 @@ int ima_appraise_measurement(enum ima_hooks func,
>  			status = INTEGRITY_PASS;
>  		}
>  
> -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> -				    op, cause, rc, 0);
> +		if (status != INTEGRITY_PASS)
> +			integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
> +					    filename, op, cause, rc, 0);

For some reason, the integrity verification has failed.  In some
specific cases, we'll let it pass, but do we really want to remove any
indication that it failed in all cases?

Mimi


>  	} else {
>  		ima_cache_flags(iint, func);
>  	}


  reply	other threads:[~2019-05-20 21:20 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-16 16:12 [PATCH 1/4] evm: check hash algorithm passed to init_desc() Roberto Sassu
2019-05-16 16:12 ` [PATCH 2/4] evm: reset status in evm_inode_post_setattr() Roberto Sassu
2019-05-20 21:19   ` Mimi Zohar
2019-05-16 16:12 ` [PATCH 3/4] ima: don't ignore INTEGRITY_UNKNOWN EVM status Roberto Sassu
     [not found]   ` <20190517001001.9BEF620848@mail.kernel.org>
2019-05-17  0:30     ` Mimi Zohar
2019-05-17  1:07       ` Sasha Levin
2019-05-20 21:20   ` Mimi Zohar
2019-05-21  7:26     ` Roberto Sassu
2019-05-21 11:48       ` Mimi Zohar
2019-05-16 16:12 ` [PATCH 4/4] ima: only audit failed appraisal verifications Roberto Sassu
2019-05-20 21:20   ` Mimi Zohar [this message]
2019-05-21  7:32     ` Roberto Sassu
2019-05-20 21:19 ` [PATCH 1/4] evm: check hash algorithm passed to init_desc() Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1558387225.4039.78.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dmitry.kasatkin@huawei.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=roberto.sassu@huawei.com \
    --cc=silviu.vlasceanu@huawei.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).