Re: [PATCH v4 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal

[Mimi Zohar <zohar@linux.ibm.com>]

On Tue, 2021-07-27 at 16:33 +0000, THOBY Simon wrote:
> The kernel have the ability to restrict the set of hash algorithms

^kernel has

> it accepts for the security.ima xattr when it appraises files.
> 
> Define a new IMA policy rule option "appraise_hash=",
> using the mentionned mechanism to expose a user-toggable policy

^mentioned

> knob to opt-in to that restriction and select the desired set of
> algorithms that must be accepted.
> 
> When a policy rule uses the 'appraise_hash' option, appraisal of a
> file referenced by that rule will now fail if the digest algorithm
> employed to hash the file was not one of those explicitly listed
> in the option. In its absence, any hash algorithm compiled in the
> kernel will be accepted.
> 
> For example, on a system where SELinux is properly deployed, the rule
>   appraise func=BPRM_CHECK obj_type=iptables_exec_t appraise_hash=sha256,sha384
> will block the execution of iptables if the xattr security.ima of its
> executables were not hashed with either sha256 or sha384.
> 
> Signed-off-by: Simon Thoby <simon.thoby@viveris.fr>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---

<snip>

> @@ -1204,6 +1228,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  	entry->uid_op = &uid_eq;
>  	entry->fowner_op = &uid_eq;
>  	entry->action = UNKNOWN;
> +	entry->allowed_hashes = 0;

"entry" is zeroed when allocated.