lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1593204023.27152.476.camel@linux.ibm.com>
Date:   Fri, 26 Jun 2020 16:40:23 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Bruno Meneguele <bmeneg@...hat.com>,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     erichte@...ux.ibm.com, nayna@...ux.ibm.com
Subject: Re: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on
 ARCH_POLICY to runtime

On Tue, 2020-06-23 at 17:26 -0300, Bruno Meneguele wrote:
<snip>

> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index edde88dbe576..62dc11a5af01 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
>  
>  config IMA_APPRAISE_BOOTPARAM
>  	bool "ima_appraise boot parameter"
> -	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> +	depends on IMA_APPRAISE

Ok

>  	default y
>  	help
>  	  This option enables the different "ima_appraise=" modes
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e493063a3c34..6742f86b6c60 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -732,12 +732,20 @@ void __init ima_init_policy(void)
>  	 * and custom policies, prior to other appraise rules.
>  	 * (Highest priority)
>  	 */
> -	arch_entries = ima_init_arch_policy();
> -	if (!arch_entries)
> -		pr_info("No architecture policies found\n");
> -	else
> -		add_rules(arch_policy_entry, arch_entries,
> -			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> +	if (arch_ima_secure_or_trusted_boot()) {

Today only "measure" and "appraise" rules are included in the arch
specific policy, but someone might decide they want to include "audit"
rules as well.

I'm not if the "secure_boot" flag is available prior to calling
default_appraise_setup(), but if it is, you could modify the test
there to also check if the system is booted in secure boot mode (eg.
IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) &&
!arch_ima_get_secureboot())

> +		/* In secure and/or trusted boot the appraisal must be
> +		 * enforced, regardless kernel parameters, preventing
> +		 * runtime changes */

Only "appraise" rules are enforced.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ