IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms

SETXATTR_CHECK policy rules assume that any algorithm listed in the
'appraise_algos' flag must be accepted when performing setxattr() on
the security.ima xattr.  However nothing checks that they are
available in the current kernel.  A userland application could hash
a file with a digest that the kernel wouldn't be able to verify.
However, if SETXATTR_CHECK is not in use, the kernel already forbids
that xattr write.

Verify that algorithms listed in appraise_algos are available to the
current kernel and reject the policy update otherwise. This will fix
the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK
behaviors.

That filtering is only performed in ima_parse_appraise_algos() when
updating policies so that we do not have to pay the price of
allocating a hash object every time validate_hash_algo() is called
in ima_inode_setxattr().

Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 9eaa509f487a..87b9b71cb820 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1258,6 +1258,12 @@ static unsigned int ima_parse_appraise_algos(char *arg)
 			return 0;
 		}
 
+		if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) {
+			pr_err("unavailable hash algorithm \"%s\", check your kernel configuration",
+			       token);
+			return 0;
+		}
+
 		/* Add the hash algorithm to the 'allowed' bitfield */
 		res |= (1U << idx);
 	}