[apparmor] [PATCH] apparmor: add the ability to report a crypto hash of loaded policy

John Johansen john.johansen at canonical.com
Tue Aug 13 02:20:13 UTC 2013


On 08/12/2013 05:00 PM, Steve Beattie wrote:
> On Thu, Aug 08, 2013 at 05:41:31PM -0700, John Johansen wrote:
>> Provide userspace the ability to validate what policy is loaded via
>> an exported crypto hash value.
> 
> To be clear, the hash value is of the profile blob minus the header,
> which means skipping the protocol blob version and the namespace, if
> any, correct? At least, that's based on my incomplete understanding
> and read of the policy_unpack code this would apply against.
> 
> I guess it's okay that the same policy under multiple namespaces
> results in the same hash (just trying to understand the implications
> thereof).
> 
It is; the implication is that information isn't part of the hash. This
is both good and bad. It's possible for profiles under different versions
to have the same binary format and thus the same hash.

Ignoring the namespace means profiles that are the same under different
namespaces should have the same hash.

It might be an idea to seed the hash with the profile version for each
profile and ignore the namespace. Or if we really want the namespace
info so that profiles loaded to different namespaces have different hashes
we could prepend that as well.

We are going to need an aa-hash tool to generate and compare these hashes;
whether we do it from the parser or by parsing the binary blob, I don't care.


> Acked-by: Steve Beattie <sbeattie at ubuntu.com>
> 
> 
> 



