| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180111120256.oymjgfbndbofasp5@dwarf.suse.cz>
Date: Thu, 11 Jan 2018 13:02:56 +0100
From: Jiri Bohac <jbohac@...e.cz>
To: David Howells <dhowells@...hat.com>
Cc: linux-security-module@...r.kernel.org, gnomes@...rguk.ukuu.org.uk,
linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
jforbes@...hat.com, Chun-Yi Lee <joeyli.kernel@...il.com>
Subject: [PATCH 08b/30] kexec_file: Restrict at runtime if the kernel is
locked down
When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through
kexec_file systemcall if the kernel is locked down unless IMA can be used
to validate the image.
Signed-off-by: Jiri Bohac <jbohac@...e.cz>
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -144,7 +144,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
pr_debug("kernel signature verification successful.\n");
#endif
- if (sig_err && IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
+ /* Don't permit images to be loaded into trusted kernels without
+ * a valid signature on them
+ */
+ if (sig_err &&
+ (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE) ||
+ (!is_ima_appraise_enabled() &&
+ kernel_is_locked_down("kexec of unsigned images")))) {
ret = sig_err;
goto out;
}
--
Jiri Bohac <jbohac@...e.cz>
SUSE Labs, Prague, Czechia
Powered by blists - more mailing lists