hulk inclusion
category: feature
feature: digest-lists
---------------------------
In some cases digest lists already exist (e.g. RPM headers) and only their content is signed.
Allowing appraisal of digest lists without metadata won't be an issue, as they must be immutable, and even if corrupted metadata allows an unauthorized read, system integrity won't be compromised, as the integrity of digest lists is assumed to be good.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_appraise.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index bd00611b3cec..78b7f2fcd7d8 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -244,6 +244,16 @@ int ima_appraise_measurement(enum ima_hooks func, */ if (ima_appraise_no_metadata && found_digest) break; + /* Allow access to digest lists without metadata, only if they + * are signed or found in a digest list (immutable) + */ + if (func == DIGEST_LIST_CHECK) { + if (xattr_value->type == EVM_IMA_XATTR_DIGSIG) + break; + if (found_digest && + ima_digest_is_immutable(found_digest)) + break; + } cause = "missing-HMAC"; goto out; case INTEGRITY_FAIL_IMMUTABLE:
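Review bot: the new block in the missing-HMAC case dereferences `xattr_value->type` before it looks at `found_digest`; please confirm `xattr_value` cannot be NULL on this path now that the digest-list changes let appraisal continue on `found_digest` alone, and consider testing `found_digest && ima_digest_is_immutable(found_digest)` first, since that branch needs no dereference. The comment above the block should also say that breaking out on `EVM_IMA_XATTR_DIGSIG` only defers the decision to the signature verification that follows later in `ima_appraise_measurement`; as written, a reader may take it to mean that a DIGSIG-typed security.ima xattr is trusted on its own without EVM protection, which is not the intent described in the commit message.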