diff options
| author | THOBY Simon <Simon.THOBY@viveris.fr> | 2021-08-16 08:11:00 +0000 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2021-08-16 17:33:07 -0400 |
| commit | 583a80ae86b5ceb68119cfb9a37404cf22f6cc46 (patch) | |
| tree | 69a1369662423cbd98f3f39584633e7175d95c32 /Documentation/ABI/testing | |
| parent | 1624dc0086056c3a35fd34b0235bb1eb88c1c4d5 (diff) | |
| download | linux-583a80ae86b5ceb68119cfb9a37404cf22f6cc46.tar.bz2 | |
IMA: add a policy option to restrict xattr hash algorithms on appraisal
The kernel has the ability to restrict the set of hash algorithms it
accepts for the security.ima xattr when it appraises files.
Define a new IMA policy rule option "appraise_algos=", using the
mentioned mechanism to expose a user-toggable policy knob to opt-in
to that restriction and select the desired set of algorithms that
must be accepted.
When a policy rule uses the 'appraise_algos' option, appraisal of a
file referenced by that rule will now fail if the digest algorithm
employed to hash the file was not one of those explicitly listed in
the option. In its absence, any hash algorithm compiled in the
kernel will be accepted.
For example, on a system where SELinux is properly deployed, the rule
appraise func=BPRM_CHECK obj_type=iptables_exec_t \
appraise_algos=sha256,sha384
will block the execution of iptables if the xattr security.ima of its
executables were not hashed with either sha256 or sha384.
Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/ABI/testing')
| -rw-r--r-- | Documentation/ABI/testing/ima_policy | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 070779e8d836..b0e3d278e799 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -27,7 +27,7 @@ Description: lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] [template=] [permit_directio] - [appraise_flag=] [keyrings=] + [appraise_flag=] [appraise_algos=] [keyrings=] base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] @@ -55,6 +55,10 @@ Description: label:= [selinux]|[kernel_info]|[data_label] data_label:= a unique string used for grouping and limiting critical data. For example, "selinux" to measure critical data for SELinux. + appraise_algos:= comma-separated list of hash algorithms + For example, "sha256,sha512" to only accept to appraise + files where the security.ima xattr was hashed with one + of these two algorithms. default policy: # PROC_SUPER_MAGIC |