ima: Fail rule parsing when appraise_flag=blacklist is unsupportable
Tyler Hicks authored
[ Upstream commit 5f3e9265 ]

Verifying that a file hash is not blacklisted is currently only
supported for files with appended signatures (modsig).  In the future,
this might change.

For now, the "appraise_flag" option is only appropriate for appraise
actions and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enabled and "appraise_flag=blacklist" is
only appropriate when "appraise_type=imasig|modsig" is also present.
Make this clear at policy load so that IMA policy authors don't assume
that other uses of "appraise_flag=blacklist" are supported.

Fixes: 273df864 ("ima: Check against blacklisted hashes for files with modsig")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
ed276b46
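The constraints the commit message spells out, modelled as a policy-load check (an added example, not the kernel's own rule parser): a rule carrying `appraise_flag` is accepted only when it is an `appraise` action, the value is `blacklist`, `CONFIG_IMA_APPRAISE_MODSIG` is enabled (passed in here as the assumed `modsig_enabled` argument), and `appraise_type=imasig|modsig` is present. The action names, the exact-match comparison of option values and the "stop at the first bad rule" behaviour are assumptions of this model.

```python
"""Model of the appraise_flag=blacklist policy check (added example)."""

# Policy actions assumed for this model; the first token of a rule names one.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}


def parse_rule(line):
    """Split one IMA policy line into (action, {option: value})."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError("rule must start with an action: %r" % line)
    opts = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError("malformed option %r" % tok)
        if key in opts:
            raise ValueError("duplicate option %r" % key)
        opts[key] = val
    return tokens[0], opts


def check_appraise_flag(line, modsig_enabled=True):
    """Return None if the rule is acceptable, else the rejection reason."""
    action, opts = parse_rule(line)
    flag = opts.get("appraise_flag")
    if flag is None:
        return None                      # option absent: nothing to enforce
    if action != "appraise":
        return "appraise_flag is only valid for appraise actions"
    if flag != "blacklist":
        return "unknown appraise_flag value %r" % flag
    if not modsig_enabled:               # assumed stand-in for the Kconfig bit
        return "appraise_flag=blacklist needs CONFIG_IMA_APPRAISE_MODSIG"
    if opts.get("appraise_type") != "imasig|modsig":
        return "appraise_flag=blacklist needs appraise_type=imasig|modsig"
    return None


def load_policy(text, modsig_enabled=True):
    """Return None if every rule loads, else 'line N: reason' for the first
    rejected rule (the model stops at the first failure)."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                     # blank lines and comments are skipped
        reason = check_appraise_flag(line, modsig_enabled)
        if reason:
            return "line %d: %s" % (lineno, reason)
    return None
```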