IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms

SETXATTR_CHECK policy rules assume that any algorithm listed in the
'appraise_algos' flag must be accepted when performing setxattr() on
the security.ima xattr.  However nothing checks that they are
available in the current kernel.  A userland application could hash
a file with a digest that the kernel wouldn't be able to verify.
However, if SETXATTR_CHECK is not in use, the kernel already forbids
that xattr write.

Verify that algorithms listed in appraise_algos are available to the
current kernel and reject the policy update otherwise. This will fix
the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
behaviors.

That filtering is only performed in ima_parse_appraise_algos() when
updating policies so that we do not have to pay the price of
allocating a hash object every time validate_hash_algo() is called
in ima_inode_setxattr().

Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 9eaa509f487aa921bb41c4a550b5bc8f23830095..87b9b71cb8201ab7840120da7f7241d30cfbbb35 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1258,6 +1258,12 @@ static unsigned int ima_parse_appraise_algos(char *arg)
                        return 0;
                }
 
+               if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) {
+                       pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
+                              token);
+                       return 0;
+               }
+
                /* Add the hash algorithm to the 'allowed' bitfield */
                res |= (1U << idx);
        }