From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.vnet.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
jforbes@redhat.com
Subject: Re: [PATCH v4 5/6] ima: add support for external setting of ima_appraise
Date: Thu, 27 Sep 2018 09:20:12 -0400 [thread overview]
Message-ID: <1538054412.3459.105.camel@linux.ibm.com> (raw)
In-Reply-To: <20180926122210.14642-6-nayna@linux.vnet.ibm.com>
Hi Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> The "ima_appraise" mode defaults to enforcing, unless configured to allow
> the boot command line "ima_appraise" option. This patch explicitly sets the
> "ima_appraise" mode for the arch specific policy setting.
Eventually this patch might be needed if/when we need to differentiate
between different secure boot modes.
Only if CONFIG_IMA_APPRAISE_BOOTPARAM is enabled, can the IMA appraise
mode be modified on the boot command line. Instead of this patch, how
about making the ability to change the IMA appraise mode also
dependent on CONFIG_IMA_ARCH_POLICY not being enabled?
Mimi
>
> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
> ---
> security/integrity/ima/ima.h | 5 +++++
> security/integrity/ima/ima_appraise.c | 11 +++++++++--
> security/integrity/ima/ima_policy.c | 5 ++++-
> 3 files changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 588e4813370c..6e5fa7c42809 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -248,6 +248,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
> int xattr_len);
> int ima_read_xattr(struct dentry *dentry,
> struct evm_ima_xattr_data **xattr_value);
> +void set_ima_appraise(char *str);
>
> #else
> static inline int ima_appraise_measurement(enum ima_hooks func,
> @@ -290,6 +291,10 @@ static inline int ima_read_xattr(struct dentry *dentry,
> return 0;
> }
>
> +static inline void set_ima_appraise(char *str)
> +{
> +}
> +
> #endif /* CONFIG_IMA_APPRAISE */
>
> /* LSM based policy rules require audit */
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 8bd7a0733e51..e061613bcb87 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -18,15 +18,22 @@
>
> #include "ima.h"
>
> -static int __init default_appraise_setup(char *str)
> +void set_ima_appraise(char *str)
> {
> -#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> if (strncmp(str, "off", 3) == 0)
> ima_appraise = 0;
> else if (strncmp(str, "log", 3) == 0)
> ima_appraise = IMA_APPRAISE_LOG;
> else if (strncmp(str, "fix", 3) == 0)
> ima_appraise = IMA_APPRAISE_FIX;
> + else if (strncmp(str, "enforce", 7) == 0)
> + ima_appraise = IMA_APPRAISE_ENFORCE;
> +}
> +
> +static int __init default_appraise_setup(char *str)
> +{
> +#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> + set_ima_appraise(str);
> #endif
> return 1;
> }
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 5fb4b0c123a3..410fee31b162 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -585,9 +585,12 @@ void __init ima_init_policy(void)
> arch_entries = ima_init_arch_policy();
> if (!arch_entries)
> pr_info("No architecture policies found\n");
> - else
> + else {
> add_rules(arch_policy_entry, arch_entries,
> IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> + if (temp_ima_appraise)
> + set_ima_appraise("enforce");
> + }
>
> /*
> * Insert the builtin "secure_boot" policy rules requiring file
next prev parent reply other threads:[~2018-09-27 19:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-26 12:22 [PATCH v4 0/6] Add support for architecture specific IMA policies Nayna Jain
2018-09-26 12:22 ` [PATCH v4 1/6] x86/ima: define arch_ima_get_secureboot Nayna Jain
2018-09-27 11:33 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 2/6] ima: prevent kexec_load syscall based on runtime secureboot flag Nayna Jain
2018-09-27 11:33 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 3/6] ima: refactor ima_init_policy() Nayna Jain
2018-09-27 12:16 ` Mimi Zohar
2018-09-28 0:51 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 4/6] ima: add support for arch specific policies Nayna Jain
2018-09-27 13:27 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 5/6] ima: add support for external setting of ima_appraise Nayna Jain
2018-09-27 13:20 ` Mimi Zohar [this message]
2018-10-05 17:44 ` Nayna Jain
2018-10-05 17:44 ` Nayna Jain
2018-09-26 12:22 ` [PATCH v4 6/6] x86/ima: define arch_get_ima_policy() for x86 Nayna Jain
2018-09-27 13:31 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1538054412.3459.105.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=jforbes@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).