lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200622172754.10763-1-bmeneg@redhat.com>
Date:   Mon, 22 Jun 2020 14:27:54 -0300
From:   Bruno Meneguele <bmeneg@...hat.com>
To:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     zohar@...ux.ibm.com, erichte@...ux.ibm.com, nayna@...ux.ibm.com,
        Bruno Meneguele <bmeneg@...hat.com>, stable@...r.kernel.org
Subject: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
compile time, enforcing the appraisal whenever the kernel had the arch
policy option enabled.

However it breaks systems where the option is actually set but the system
wasn't booted in a "secure boot" platform. In this scenario, anytime the
an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
to actually measure system's files.

This patch remove this compile time dependency and move it to a runtime
decision, based on the arch policy loading failure/success.

Cc: stable@...r.kernel.org
Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
Signed-off-by: Bruno Meneguele <bmeneg@...hat.com>
---
changes from v1:
	- removed "ima:" prefix from pr_info() message

 security/integrity/ima/Kconfig      | 2 +-
 security/integrity/ima/ima_policy.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index edde88dbe576..62dc11a5af01 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
 
 config IMA_APPRAISE_BOOTPARAM
 	bool "ima_appraise boot parameter"
-	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
+	depends on IMA_APPRAISE
 	default y
 	help
 	  This option enables the different "ima_appraise=" modes
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e493063a3c34..c876617d4210 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -733,11 +733,15 @@ void __init ima_init_policy(void)
 	 * (Highest priority)
 	 */
 	arch_entries = ima_init_arch_policy();
-	if (!arch_entries)
+	if (!arch_entries) {
 		pr_info("No architecture policies found\n");
-	else
+	} else {
+		/* Force appraisal, preventing runtime xattr changes */
+		pr_info("setting IMA appraisal to enforced\n");
+		ima_appraise = IMA_APPRAISE_ENFORCE;
 		add_rules(arch_policy_entry, arch_entries,
 			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
+	}
 
 	/*
 	 * Insert the builtin "secure_boot" policy rules requiring file
-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ