[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1523572911-16363-2-git-send-email-zohar@linux.vnet.ibm.com>
Date: Thu, 12 Apr 2018 18:41:49 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: Matthew Garrett <mjg59@...gle.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
Eric Biederman <ebiederm@...ssion.com>,
kexec@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: [PATCH 1/3] ima: based on the "secure_boot" policy limit syscalls
The builtin "secure_boot" policy adds IMA appraisal rules requiring kernel
modules (finit_module syscall), direct firmware load, kexec kernel image
(kexec_file_load syscall), and the IMA policy to be signed, but did not
prevent the other syscalls/methods from working. Loading an equivalent
custom policy containing these same rules would have prevented the other
syscalls/methods from working.
This patch refactors the code to load custom policies, defining a new
function named ima_appraise_flag(). The new function is called either
when loading the builtin "secure_boot" or custom policies.
Fixes: 503ceaef8e2e ("ima: define a set of appraisal rules requiring file signatures")
Signed-off-by: Mimi Zohar <zohar@...ux.vnet.ibm.com>
---
security/integrity/ima/ima_policy.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d89bebf85421..1bdb5bc57568 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -435,6 +435,17 @@ void ima_update_policy_flag(void)
ima_policy_flag &= ~IMA_APPRAISE;
}
+static int ima_appraise_flag(enum ima_hooks func)
+{
+ if (func == MODULE_CHECK)
+ return IMA_APPRAISE_MODULES;
+ else if (func == FIRMWARE_CHECK)
+ return IMA_APPRAISE_FIRMWARE;
+ else if (func == POLICY_CHECK)
+ return IMA_APPRAISE_POLICY;
+ return 0;
+}
+
/**
* ima_init_policy - initialize the default measure rules.
*
@@ -473,9 +484,12 @@ void __init ima_init_policy(void)
* Insert the appraise rules requiring file signatures, prior to
* any other appraise rules.
*/
- for (i = 0; i < secure_boot_entries; i++)
+ for (i = 0; i < secure_boot_entries; i++) {
list_add_tail(&secure_boot_rules[i].list,
&ima_default_rules);
+ temp_ima_appraise |=
+ ima_appraise_flag(secure_boot_rules[i].func);
+ }
for (i = 0; i < appraise_entries; i++) {
list_add_tail(&default_appraise_rules[i].list,
@@ -917,12 +931,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
}
if (!result && (entry->action == UNKNOWN))
result = -EINVAL;
- else if (entry->func == MODULE_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_MODULES;
- else if (entry->func == FIRMWARE_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
- else if (entry->func == POLICY_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ else if (entry->action == APPRAISE)
+ temp_ima_appraise |= ima_appraise_flag(entry->func);
+
audit_log_format(ab, "res=%d", !result);
audit_log_end(ab);
return result;
--
2.7.5
Powered by blists - more mailing lists