Commit 5f3e9265 authored Jul 09, 2020 by Tyler Hicks Committed by Mimi Zohar Jul 20, 2020

ima: Fail rule parsing when appraise_flag=blacklist is unsupportable



Verifying that a file hash is not blacklisted is currently only
supported for files with appended signatures (modsig).  In the future,
this might change.

For now, the "appraise_flag" option is only appropriate for appraise
actions and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
only appropriate when "appraise_type=imasig|modsig" is also present.
Make this clear at policy load so that IMA policy authors don't assume
that other uses of "appraise_flag=blacklist" are supported.

Fixes: 273df864 ("ima: Check against blacklisted hashes for files with modsig")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reivewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

parent eb624fe2

security/integrity/ima/ima_policy.c

+14 −1

Original line number	Diff line number	Diff line
		@@ -1035,6 +1035,11 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
		return false;
		}

		/* Ensure that combinations of flags are compatible with each other */
		if (entry->flags & IMA_CHECK_BLACKLIST &&
		!(entry->flags & IMA_MODSIG_ALLOWED))
		return false;

		return true;
		}

		@@ -1371,9 +1376,17 @@ static int ima_parse_rule(char rule, struct ima_rule_entry entry)
		result = -EINVAL;
		break;
		case Opt_appraise_flag:
		if (entry->action != APPRAISE) {
		result = -EINVAL;
		break;
		}

		ima_log_string(ab, "appraise_flag", args[0].from);
		if (strstr(args[0].from, "blacklist"))
		if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
		strstr(args[0].from, "blacklist"))
		entry->flags \|= IMA_CHECK_BLACKLIST;
		else
		result = -EINVAL;
		break;
		case Opt_permit_directio:
		entry->flags \|= IMA_PERMIT_DIRECTIO;

Admin message