mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-28 07:13:34 +00:00
Code Issues Releases Wiki Activity
linux-stable/security
History
Mimi Zohar 09091c44cb ima: use IMA default hash algorithm for integrity violations 
Integrity file violations - ToM/ToU, open writers - are recorded in the IMA
measurement list, containing 0x00's in both the template data and file data
hash fields, but 0xFF's are actually extended into TPM PCRs.  Although the
original 'ima' template data field ('d') is limited to 20 bytes, the 'd-ng'
template digest field is not.

The violation file data hash template field ('d-ng') is unnecessarily hard
coded to SHA1.  Instead of simply replacing the hard coded SHA1 hash
algorithm with a larger hash algorithm, use the hash algorithm as defined
in "ima_hash_algo".  ima_hash_algo is set to either the Kconfig IMA default
hash algorithm or as defined on the boot command line (ima_hash=).

Including a non-SHA1 file data hash algorithm in the 'd-ng' field of
violations is a cosmetic change.  The template data hash field, which is
extended into the TPM PCRs, is not affected by this change and should not
affect attestation of the IMA measurement list.

Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-05-01 16:39:10 -04:00
..
apparmor tracehook: Remove tracehook.h 2022-03-10 16:51:51 -06:00
bpf
integrity ima: use IMA default hash algorithm for integrity violations 2022-05-01 16:39:10 -04:00
keys ARM driver updates for 5.18 2022-03-23 18:23:13 -07:00
landlock landlock: Use square brackets around "landlock-ruleset" 2022-02-04 14:07:44 +01:00
loadpin
lockdown
safesetid LSM: SafeSetID: Mark safesetid_initialized as __initdata 2021-06-10 09:52:32 -07:00
selinux ptrace: Cleanups for v5.18 2022-03-28 17:29:53 -07:00
smack Fix incorrect type in assignment of ipv6 port for audit 2022-02-28 15:45:32 -08:00
tomoyo drm for 5.18-rc1 2022-03-24 16:19:43 -07:00
yama
commoncap.c fs: support mapped mounts of mapped filesystems 2021-12-05 10:28:57 +01:00
device_cgroup.c bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean 2022-01-19 12:51:30 -08:00
inode.c
Kconfig hardening updates for v5.18-rc1-fix1 2022-03-31 11:43:01 -07:00
Kconfig.hardening gcc-plugins/stackleak: Provide verbose mode 2022-02-06 10:49:57 -08:00
lsm_audit.c lsm_audit: avoid overloading the "key" audit field 2021-09-19 22:47:04 -04:00
Makefile security: remove unneeded subdir-$(CONFIG_...) 2021-09-03 08:17:20 +09:00
min_addr.c
security.c selinux/stable-5.18 PR 20220321 2022-03-21 20:47:54 -07:00