From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH] ima: require secure_boot rules in lockdown mode
Date: Thu, 02 Nov 2017 17:30:53 -0400 [thread overview]
Message-ID: <1509658253.3416.1.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <22475.1509642717@warthog.procyon.org.uk>
On Thu, 2017-11-02 at 17:11 +0000, David Howells wrote:
> I've made the revisions suggested. See the attached patch.
It looks good, except for a mistake in the original I patch posted.
> ---
> commit 721c0994b824b91acd3c412abe55ae41287fc64d
> Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Date: Mon Oct 23 11:59:47 2017 -0400
>
> ima: require secure_boot rules in lockdown mode
>
> Require the "secure_boot" rules, whether or not it is specified
> on the boot command line, for both the builtin and custom policies
> in secure boot lockdown mode.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 95209a5f8595..f64f2be2dc0c 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -427,14 +427,21 @@ void ima_update_policy_flag(void)
> */
> void __init ima_init_policy(void)
> {
> - int i, measure_entries, appraise_entries, secure_boot_entries;
> + int i;
> + int measure_entries = 0;
> + int appraise_entries = 0;
> + int secure_boot_entries = 0;
> + bool kernel_locked_down = kernel_is_locked_down();
kernel_is_locked_down() requires a string.
Mimi
>
> /* if !ima_policy set entries = 0 so we load NO default rules */
> - measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
> - appraise_entries = ima_use_appraise_tcb ?
> - ARRAY_SIZE(default_appraise_rules) : 0;
> - secure_boot_entries = ima_use_secure_boot ?
> - ARRAY_SIZE(secure_boot_rules) : 0;
> + if (ima_policy)
> + measure_entries = ARRAY_SIZE(dont_measure_rules);
> +
> + if (ima_use_appraise_tcb)
> + appraise_entries = ARRAY_SIZE(default_appraise_rules);
> +
> + if (ima_use_secure_boot || kernel_locked_down)
> + secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
>
> for (i = 0; i < measure_entries; i++)
> list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
> @@ -455,11 +462,23 @@ void __init ima_init_policy(void)
>
> /*
> * Insert the appraise rules requiring file signatures, prior to
> - * any other appraise rules.
> + * any other appraise rules. In secure boot lock-down mode, also
> + * require these appraise rules for custom policies.
> */
> - for (i = 0; i < secure_boot_entries; i++)
> - list_add_tail(&secure_boot_rules[i].list,
> - &ima_default_rules);
> + for (i = 0; i < secure_boot_entries; i++) {
> + struct ima_rule_entry *entry;
> +
> + /* Include for builtin policies */
> + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
> +
> + /* Include for custom policies */
> + if (kernel_locked_down) {
> + entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
> + GFP_KERNEL);
> + if (entry)
> + list_add_tail(&entry->list, &ima_policy_rules);
> + }
> + }
>
> for (i = 0; i < appraise_entries; i++) {
> list_add_tail(&default_appraise_rules[i].list,
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-11-02 21:30 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-23 15:59 [RFC PATCH] ima: require secure_boot rules in lockdown mode Mimi Zohar
2017-10-30 15:55 ` David Howells
2017-10-30 17:00 ` Mimi Zohar
2017-10-30 17:05 ` David Howells
2017-10-30 17:39 ` Mimi Zohar
2017-10-31 3:25 ` James Morris
2017-11-08 20:46 ` Mimi Zohar
2017-11-08 20:53 ` Stephen Rothwell
2017-11-08 21:04 ` Mimi Zohar
2017-11-08 23:26 ` Stephen Rothwell
2017-11-09 3:06 ` Mimi Zohar
2017-11-09 13:28 ` James Morris
2017-11-09 13:46 ` Mimi Zohar
2017-11-09 19:17 ` James Morris
2017-11-02 17:11 ` David Howells
2017-11-02 21:30 ` Mimi Zohar [this message]
2017-11-02 21:43 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1509658253.3416.1.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).