diff options
author | Tyler Hicks <tyhicks@linux.microsoft.com> | 2020-07-09 01:19:06 -0500 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2020-07-20 13:06:26 -0400 |
commit | 5f3e92657bbfb63ad3109433d843c89996114b03 (patch) | |
tree | ac5c817f82eff72c557ebfa6ee21221bedd0ad77 /security | |
parent | eb624fe214a2e156ddafd9868377cf91499f789d (diff) | |
download | lwn-5f3e92657bbfb63ad3109433d843c89996114b03.tar.gz lwn-5f3e92657bbfb63ad3109433d843c89996114b03.zip |
ima: Fail rule parsing when appraise_flag=blacklist is unsupportable
Verifying that a file hash is not blacklisted is currently only
supported for files with appended signatures (modsig). In the future,
this might change.
For now, the "appraise_flag" option is only appropriate for appraise
actions and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
only appropriate when "appraise_type=imasig|modsig" is also present.
Make this clear at policy load so that IMA policy authors don't assume
that other uses of "appraise_flag=blacklist" are supported.
Fixes: 273df864cf74 ("ima: Check against blacklisted hashes for files with modsig")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reivewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 81da02071d41..cf3ddb38dfa8 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1035,6 +1035,11 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) return false; } + /* Ensure that combinations of flags are compatible with each other */ + if (entry->flags & IMA_CHECK_BLACKLIST && + !(entry->flags & IMA_MODSIG_ALLOWED)) + return false; + return true; } @@ -1371,9 +1376,17 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) result = -EINVAL; break; case Opt_appraise_flag: + if (entry->action != APPRAISE) { + result = -EINVAL; + break; + } + ima_log_string(ab, "appraise_flag", args[0].from); - if (strstr(args[0].from, "blacklist")) + if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && + strstr(args[0].from, "blacklist")) entry->flags |= IMA_CHECK_BLACKLIST; + else + result = -EINVAL; break; case Opt_permit_directio: entry->flags |= IMA_PERMIT_DIRECTIO; |