| From 78d85db250b40ece6576d0339f95ba493df46741 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 9 Jul 2020 01:19:04 -0500 |
| Subject: ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with |
| an invalid cond |
| |
| From: Tyler Hicks <tyhicks@linux.microsoft.com> |
| |
| [ Upstream commit db2045f5892a9db7354442bf77f9b03b50ff9ee1 ] |
| |
| The KEXEC_CMDLINE hook function only supports the pcr conditional. Make |
| this clear at policy load so that IMA policy authors don't assume that |
| other conditionals are supported. |
| |
| Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned |
| true on any loaded KEXEC_CMDLINE rule without any consideration for |
| other conditionals present in the rule. Make it clear that pcr is the |
| only supported KEXEC_CMDLINE conditional by returning an error during |
| policy load. |
| |
| An example of why this is a problem can be explained with the following |
| rule: |
| |
| dont_measure func=KEXEC_CMDLINE obj_type=foo_t |
| |
| An IMA policy author would have assumed that rule is valid because the |
| parser accepted it but the result was that measurements for all |
| KEXEC_CMDLINE operations would be disabled. |
| |
| Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments") |
| Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> |
| Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> |
| Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> |
| Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| security/integrity/ima/ima_policy.c | 21 +++++++++++++++++++++ |
| 1 file changed, 21 insertions(+) |
| |
| diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c |
| index a3d72342408ad..a77e0b34e72f7 100644 |
| --- a/security/integrity/ima/ima_policy.c |
| +++ b/security/integrity/ima/ima_policy.c |
| @@ -343,6 +343,17 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) |
| return 0; |
| } |
| |
| +static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry) |
| +{ |
| + int i; |
| + |
| + for (i = 0; i < MAX_LSM_RULES; i++) |
| + if (entry->lsm[i].args_p) |
| + return true; |
| + |
| + return false; |
| +} |
| + |
| /* |
| * The LSM policy can be reloaded, leaving the IMA LSM based rules referring |
| * to the old, stale LSM policy. Update the IMA LSM based rules to reflect |
| @@ -998,6 +1009,16 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) |
| /* Validation of these hook functions is in ima_parse_rule() */ |
| break; |
| case KEXEC_CMDLINE: |
| + if (entry->action & ~(MEASURE | DONT_MEASURE)) |
| + return false; |
| + |
| + if (entry->flags & ~(IMA_FUNC | IMA_PCR)) |
| + return false; |
| + |
| + if (ima_rule_contains_lsm_cond(entry)) |
| + return false; |
| + |
| + break; |
| case KEY_CHECK: |
| if (entry->action & ~(MEASURE | DONT_MEASURE)) |
| return false; |
| -- |
| 2.25.1 |
| |