lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180504000600.GQ27853@wotan.suse.de>
Date:   Fri, 4 May 2018 00:06:00 +0000
From:   "Luis R. Rodriguez" <mcgrof@...nel.org>
To:     Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:     linux-integrity@...r.kernel.org,
        Hans de Goede <hdegoede@...hat.com>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Peter Jones <pjones@...hat.com>,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
        "Luis R . Rodriguez" <mcgrof@...nel.org>,
        Matthew Garrett <mjg59@...gle.com>,
        Andres Rodriguez <andresx7@...il.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH 2/6] ima: prevent sysfs fallback firmware loading

On Tue, May 01, 2018 at 09:48:19AM -0400, Mimi Zohar wrote:
> With an IMA policy requiring signed firmware, this patch prevents
> the sysfs fallback method of loading firmware.
> 
> Signed-off-by: Mimi Zohar <zohar@...ux.vnet.ibm.com>
> Cc: Luis R. Rodriguez <mcgrof@...e.com>
> Cc: David Howells <dhowells@...hat.com>
> Cc: Matthew Garrett <mjg59@...gle.com>
> ---
>  security/integrity/ima/ima_main.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 754ece08e1c6..8759280dccf6 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -453,7 +453,17 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
>  		}
>  		return 0;
>  	}
> +
> +	if (read_id == READING_FIRMWARE_FALLBACK) {
> +		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
> +		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> +			pr_err("Prevent firmware sysfs fallback loading.\n");
> +			return -EACCES;
> +		}
> +		return 0;
> +	}
>  	return 0;
> +
>  }
>  

Due to the lack of ability to appraise these calls, it has me wondering if having
these drivers be wrapped into a their own kconfig may make sense, ie, they use
a mechanism which IMA cannot possibly work with. Then at least some kernel
builds can exist in which we know we can count on this run time to never
happen. Thoughts?

See for instance use of CONFIG_PREVENT_FIRMWARE_BUILD.

  Luis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ