From: Roberto Sassu <roberto.sassu@huawei.com>
To: Mimi Zohar <zohar@linux.ibm.com>, <dmitry.kasatkin@huawei.com>,
<mjg59@google.com>
Cc: <linux-integrity@vger.kernel.org>, <linux-doc@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
<stable@vger.kernel.org>
Subject: Re: [PATCH 4/4] ima: only audit failed appraisal verifications
Date: Tue, 21 May 2019 09:32:26 +0200 [thread overview]
Message-ID: <4280cbe7-6596-1827-4358-fb45d7c13f25@huawei.com> (raw)
In-Reply-To: <1558387225.4039.78.camel@linux.ibm.com>
On 5/20/2019 11:20 PM, Mimi Zohar wrote:
> On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
>> This patch ensures that integrity_audit_msg() is called only when the
>> status is not INTEGRITY_PASS.
>>
>> Fixes: 8606404fa555c ("ima: digital signature verification support")
>> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>> Cc: stable@vger.kernel.org
>> ---
>> security/integrity/ima/ima_appraise.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
>> index a32ed5d7afd1..f5f4506bcb8e 100644
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -359,8 +359,9 @@ int ima_appraise_measurement(enum ima_hooks func,
>> status = INTEGRITY_PASS;
>> }
>>
>> - integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
>> - op, cause, rc, 0);
>> + if (status != INTEGRITY_PASS)
>> + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
>> + filename, op, cause, rc, 0);
>
> For some reason, the integrity verification has failed. In some
> specific cases, we'll let it pass, but do we really want to remove any
> indication that it failed in all cases?
Ok. It is fine for me to discard the patch.
Roberto
--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
next prev parent reply other threads:[~2019-05-21 7:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 16:12 [PATCH 1/4] evm: check hash algorithm passed to init_desc() Roberto Sassu
2019-05-16 16:12 ` [PATCH 2/4] evm: reset status in evm_inode_post_setattr() Roberto Sassu
2019-05-20 21:19 ` Mimi Zohar
2019-05-16 16:12 ` [PATCH 3/4] ima: don't ignore INTEGRITY_UNKNOWN EVM status Roberto Sassu
[not found] ` <20190517001001.9BEF620848@mail.kernel.org>
2019-05-17 0:30 ` Mimi Zohar
2019-05-17 1:07 ` Sasha Levin
2019-05-20 21:20 ` Mimi Zohar
2019-05-21 7:26 ` Roberto Sassu
2019-05-21 11:48 ` Mimi Zohar
2019-05-16 16:12 ` [PATCH 4/4] ima: only audit failed appraisal verifications Roberto Sassu
2019-05-20 21:20 ` Mimi Zohar
2019-05-21 7:32 ` Roberto Sassu [this message]
2019-05-20 21:19 ` [PATCH 1/4] evm: check hash algorithm passed to init_desc() Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4280cbe7-6596-1827-4358-fb45d7c13f25@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=dmitry.kasatkin@huawei.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).