[PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig

Lakshmi Ramasubramanian nramas at linux.microsoft.com
Fri Oct 25 04:48:19 AEDT 2019


On 10/23/2019 8:47 PM, Nayna Jain wrote:

> +/*
> + * ima_check_blacklist - determine if the binary is blacklisted.
> + *
> + * Add the hash of the blacklisted binary to the measurement list, based
> + * on policy.
> + *
> + * Returns -EPERM if the hash is blacklisted.
> + */
> +int ima_check_blacklist(struct integrity_iint_cache *iint,
> +			const struct modsig *modsig, int pcr)
> +{
> +	enum hash_algo hash_algo;
> +	const u8 *digest = NULL;
> +	u32 digestsize = 0;
> +	int rc = 0;
> +
> +	if (!(iint->flags & IMA_CHECK_BLACKLIST))
> +		return 0;
> +
> +	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
> +		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
> +
> +		rc = is_binary_blacklisted(digest, digestsize);
> +		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
> +			process_buffer_measurement(digest, digestsize,
> +						   "blacklisted-hash", NONE,
> +						   pcr);
> +	}
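
Review bot: In the IMA_MODSIG_ALLOWED branch, ima_get_modsig_digest() is called as a bare statement and its outcome is never tested before digest and digestsize go to is_binary_blacklisted(). Both are initialised to NULL and 0, so if the getter can leave them untouched, the blacklist lookup runs on an empty buffer. Either check the result and skip the lookup on failure, or add a comment stating that the getter cannot fail for a non-NULL modsig. hash_algo is filled in but not used in the lines shown, so neither the lookup nor the "blacklisted-hash" measurement carries the algorithm; if that is intended, say so in the function comment. The comment also documents only the -EPERM return, and stating what is returned in the other cases would help callers.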

The enum value "NONE" is being passed to process_buffer_measurement to 
indicate that the check for required action based on ima policy is 
already done by ima_check_blacklist. Not sure, but this can cause 
confusion in the future when someone updates process_buffer_measurement.

Would it instead be better to add another parameter to 
process_buffer_measurement to indicate the above condition?

  -lakshmi

