releases/5.7.16/ima-fail-rule-parsing-when-the-kexec_cmdline-hook-is.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 78d85db250b40ece6576d0339f95ba493df46741 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Thu, 9 Jul 2020 01:19:04 -0500
 Subject: ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with
  an invalid cond

 From: Tyler Hicks <tyhicks@linux.microsoft.com>

 [ Upstream commit db2045f5892a9db7354442bf77f9b03b50ff9ee1 ]

 The KEXEC_CMDLINE hook function only supports the pcr conditional. Make
 this clear at policy load so that IMA policy authors don't assume that
 other conditionals are supported.

 Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned
 true on any loaded KEXEC_CMDLINE rule without any consideration for
 other conditionals present in the rule. Make it clear that pcr is the
 only supported KEXEC_CMDLINE conditional by returning an error during
 policy load.

 An example of why this is a problem can be explained with the following
 rule:

  dont_measure func=KEXEC_CMDLINE obj_type=foo_t

 An IMA policy author would have assumed that rule is valid because the
 parser accepted it but the result was that measurements for all
 KEXEC_CMDLINE operations would be disabled.

 Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
 Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
 Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
 Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  security/integrity/ima/ima_policy.c | 21 +++++++++++++++++++++
  1 file changed, 21 insertions(+)

 diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
 index a3d72342408ad..a77e0b34e72f7 100644
 --- a/security/integrity/ima/ima_policy.c
 +++ b/security/integrity/ima/ima_policy.c
 @@ -343,6 +343,17 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
  	return 0;
  }

 +static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
 +{
 +	int i;
 +
 +	for (i = 0; i < MAX_LSM_RULES; i++)
 +		if (entry->lsm[i].args_p)
 +			return true;
 +
 +	return false;
 +}
 +
  /*
   * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
   * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
 @@ -998,6 +1009,16 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
  		/* Validation of these hook functions is in ima_parse_rule() */
  		break;
  	case KEXEC_CMDLINE:
 +		if (entry->action & ~(MEASURE | DONT_MEASURE))
 +			return false;
 +
 +		if (entry->flags & ~(IMA_FUNC | IMA_PCR))
 +			return false;
 +
 +		if (ima_rule_contains_lsm_cond(entry))
 +			return false;
 +
 +		break;
  	case KEY_CHECK:
  		if (entry->action & ~(MEASURE | DONT_MEASURE))
  			return false;
 --
 2.25.1
	From 78d85db250b40ece6576d0339f95ba493df46741 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Thu, 9 Jul 2020 01:19:04 -0500
	Subject: ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with
	an invalid cond

	From: Tyler Hicks <tyhicks@linux.microsoft.com>

	[ Upstream commit db2045f5892a9db7354442bf77f9b03b50ff9ee1 ]

	The KEXEC_CMDLINE hook function only supports the pcr conditional. Make
	this clear at policy load so that IMA policy authors don't assume that
	other conditionals are supported.

	Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned
	true on any loaded KEXEC_CMDLINE rule without any consideration for
	other conditionals present in the rule. Make it clear that pcr is the
	only supported KEXEC_CMDLINE conditional by returning an error during
	policy load.

	An example of why this is a problem can be explained with the following
	rule:

	dont_measure func=KEXEC_CMDLINE obj_type=foo_t

	An IMA policy author would have assumed that rule is valid because the
	parser accepted it but the result was that measurements for all
	KEXEC_CMDLINE operations would be disabled.

	Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
	Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
	Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
	Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	security/integrity/ima/ima_policy.c \| 21 +++++++++++++++++++++
	1 file changed, 21 insertions(+)

	diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
	index a3d72342408ad..a77e0b34e72f7 100644
	--- a/security/integrity/ima/ima_policy.c
	+++ b/security/integrity/ima/ima_policy.c
	@@ -343,6 +343,17 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
	return 0;
	}

	+static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
	+{
	+ int i;
	+
	+ for (i = 0; i < MAX_LSM_RULES; i++)
	+ if (entry->lsm[i].args_p)
	+ return true;
	+
	+ return false;
	+}
	+
	/*
	* The LSM policy can be reloaded, leaving the IMA LSM based rules referring
	* to the old, stale LSM policy. Update the IMA LSM based rules to reflect
	@@ -998,6 +1009,16 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
	/* Validation of these hook functions is in ima_parse_rule() */
	break;
	case KEXEC_CMDLINE:
	+ if (entry->action & ~(MEASURE \| DONT_MEASURE))
	+ return false;
	+
	+ if (entry->flags & ~(IMA_FUNC \| IMA_PCR))
	+ return false;
	+
	+ if (ima_rule_contains_lsm_cond(entry))
	+ return false;
	+
	+ break;
	case KEY_CHECK:
	if (entry->action & ~(MEASURE \| DONT_MEASURE))
	return false;
	--
	2.25.1