From: Mimi Zohar <zohar@linux.ibm.com>
To: THOBY Simon <Simon.THOBY@viveris.fr>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
BARVAUX Didier <Didier.BARVAUX@viveris.fr>
Subject: Re: [PATCH v5 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK
Date: Wed, 28 Jul 2021 18:57:13 -0400 [thread overview]
Message-ID: <acf4fc349a59b4390e0ff57728f8f4920f89386a.camel@linux.ibm.com> (raw)
In-Reply-To: <20210728132112.258606-6-simon.thoby@viveris.fr>
Hi Simon,
On Wed, 2021-07-28 at 13:21 +0000, THOBY Simon wrote:
> @@ -914,6 +918,42 @@ int ima_check_policy(void)
> return 0;
> }
>
> +/** update_allowed_hash_algorithms - update the hash algorithms allowed
The first line of kernel-doc is just "/**" by itself, followed by the
function name and a brief description. The brief description should
not wrap to the next line. Refer to Documentation/doc-guide/kernel-
doc.rst.
> + * for setxattr writes
> + *
> + * Update the atomic variable holding the set of allowed hash algorithms
> + * that can be used to update the security.ima xattr of a file.
> + *
> + * Context: called when updating the IMA policy.
> + *
> + * SETXATTR_CHECK rules do not implement a full policy check because of
> + * the performance impact performing rules checking on setxattr() would
> + * have. The consequence is that only one SETXATTR_CHECK can be active at
> + * a time.
> + */
> +static void update_allowed_hash_algorithms(void)
> +{
> + struct ima_rule_entry *entry;
> +
> + /*
> + * We scan in reverse order because only the last entry with the
> + * 'func=SETXATTR_CHECK' apply: this allows runtime upgrades of the
> + * digest algorithm policy, unlike the other IMA rules that are
> + * usually append-only. Old rules will still be present in the
> + * ruleset, but inactive.
> + */
Oh, my! I really hope this won't be used as precedent. Before
agreeing to this, the existing policy rules must require loading of
only signed IMA policies.
thanks,
Mimi
> + rcu_read_lock();
> + list_for_each_entry_reverse(entry, ima_rules, list) {
> + if (entry->func != SETXATTR_CHECK)
> + continue;
> +
> + atomic_xchg(&ima_setxattr_allowed_hash_algorithms,
> + entry->allowed_hashes);
> + break;
> + }
> + rcu_read_unlock();
> +}
> +
next prev parent reply other threads:[~2021-07-28 22:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-28 13:21 [PATCH v5 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr THOBY Simon
2021-07-28 13:21 ` [PATCH v5 1/5] IMA: remove the dependency on CRYPTO_MD5 THOBY Simon
2021-08-03 16:01 ` Lakshmi Ramasubramanian
2021-07-28 13:21 ` [PATCH v5 2/5] IMA: block writes of the security.ima xattr with unsupported algorithms THOBY Simon
2021-08-03 16:33 ` Lakshmi Ramasubramanian
2021-07-28 13:21 ` [PATCH v5 3/5] IMA: add support to restrict the hash algorithms used for file appraisal THOBY Simon
2021-08-03 16:41 ` Lakshmi Ramasubramanian
2021-07-28 13:21 ` [PATCH v5 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal THOBY Simon
2021-07-28 13:21 ` [PATCH v5 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK THOBY Simon
2021-07-28 22:57 ` Mimi Zohar [this message]
2021-07-29 7:47 ` THOBY Simon
2021-07-29 16:15 ` Mimi Zohar
2021-07-28 22:56 ` [PATCH v5 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acf4fc349a59b4390e0ff57728f8f4920f89386a.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Didier.BARVAUX@viveris.fr \
--cc=Simon.THOBY@viveris.fr \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).