| From b9978846c6422625afd94147c7d4e0763b1223f7 Mon Sep 17 00:00:00 2001 |
| From: Bruno Meneguele <bmeneg@redhat.com> |
| Date: Mon, 13 Jul 2020 13:48:30 -0300 |
| Subject: [PATCH] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to |
| runtime |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| commit 311aa6aafea446c2f954cc19d66425bfed8c4b0b upstream. |
| |
| The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" |
| modes - log, fix, enforce - at run time, but not when IMA architecture |
| specific policies are enabled. This prevents properly labeling the |
| filesystem on systems where secure boot is supported, but not enabled on the |
| platform. Only when secure boot is actually enabled should these IMA |
| appraise modes be disabled. |
| |
| This patch removes the compile time dependency and makes it a runtime |
| decision, based on the secure boot state of that platform. |
| |
| Test results as follows: |
| |
| -> x86-64 with secure boot enabled |
| |
| [ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix |
| [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option |
| |
| -> powerpc with secure boot disabled |
| |
| [ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix |
| [ 0.000000] Secure boot mode disabled |
| |
| -> Running the system without secure boot and with both options set: |
| |
| CONFIG_IMA_APPRAISE_BOOTPARAM=y |
| CONFIG_IMA_ARCH_POLICY=y |
| |
| Audit prompts "missing-hash" but still allows execution and, consequently, |
| filesystem labeling: |
| |
| type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976 |
| uid=root auid=root ses=2 |
| subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data |
| cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150 |
| res=no |
| |
| Cc: stable@vger.kernel.org |
| Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") |
| Signed-off-by: Bruno Meneguele <bmeneg@redhat.com> |
| Cc: stable@vger.kernel.org # 5.0 |
| Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig |
| index 2692c7358c2c..3ae199689d17 100644 |
| --- a/security/integrity/ima/Kconfig |
| +++ b/security/integrity/ima/Kconfig |
| @@ -226,7 +226,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS |
| |
| config IMA_APPRAISE_BOOTPARAM |
| bool "ima_appraise boot parameter" |
| - depends on IMA_APPRAISE && !IMA_ARCH_POLICY |
| + depends on IMA_APPRAISE |
| default y |
| help |
| This option enables the different "ima_appraise=" modes |
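Review bot: The help text of IMA_APPRAISE_BOOTPARAM does not mention that the parameter is ignored when secure boot is enabled, and with the `!IMA_ARCH_POLICY` dependency dropped that runtime check is the only thing stopping `ima_appraise=` from relaxing appraisal on an arch-policy kernel. A sentence such as `The boot parameter is ignored when the platform reports secure boot as enabled.` would tell anyone auditing a config why both options may now be selected together. The help text continues outside the hunk, so the wording may need adapting to what is already there.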
| diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c |
| index f0cd67cab6aa..9e2a3993a922 100644 |
| --- a/security/integrity/ima/ima_appraise.c |
| +++ b/security/integrity/ima/ima_appraise.c |
| @@ -18,6 +18,12 @@ |
| static int __init default_appraise_setup(char *str) |
| { |
| #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM |
| + if (arch_ima_get_secureboot()) { |
| + pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", |
| + str); |
| + return 1; |
| + } |
| + |
| if (strncmp(str, "off", 3) == 0) |
| ima_appraise = 0; |
| else if (strncmp(str, "log", 3) == 0) |
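Review bot: The secure-boot check in default_appraise_setup() returns before the mode string is parsed, so on a secure-boot system `ima_appraise=enforce` is also logged as "ignored" even though nothing was being weakened. That makes the boot log a noisy record for anyone looking for real attempts to relax appraisal. Parsing into a local first and committing it only when arch_ima_get_secureboot() is false keeps the lockdown and limits the message to requests that would actually have lowered enforcement. The pr_info() format also lacks a trailing `\n`. The strncmp() chain continues outside the hunk, so the remaining branches are assumed to assign ima_appraise in the same way.

```c
	bool sb_state = arch_ima_get_secureboot();
	int appraisal_state = ima_appraise;

	/* … unchanged: strncmp() chain, assigning appraisal_state instead of ima_appraise … */

	/* Under secure boot keep the default; report only requests that would relax it. */
	if (sb_state) {
		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
			pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option\n",
				str);
	} else {
		ima_appraise = appraisal_state;
	}
```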
| -- |
| 2.27.0 |
| |