From mboxrd@z Thu Jan 1 00:00:00 1970 From: zohar@linux.vnet.ibm.com (Mimi Zohar) Date: Thu, 24 May 2018 07:09:34 -0400 Subject: [PATCH v3 5/7] ima: based on policy require signed firmware (sysfs fallback) In-Reply-To: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com> Message-ID: <1527160176-29269-6-git-send-email-zohar@linux.vnet.ibm.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Matthew Garrett --- security/integrity/ima/ima_main.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index fbbcc02a1380..dd1f263f950a 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -451,10 +451,17 @@ int ima_read_data(struct file *file, enum kernel_read_file_id read_id) pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file syscall.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } + break; + case READING_FIRMWARE_FALLBACK_SYSFS: + if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + pr_err("Prevent firmware sysfs fallback loading.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } default: break; } return 0; + } static int read_idmap[READING_MAX_ID] = { -- 2.7.5 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
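Review bot: the new `case READING_FIRMWARE_FALLBACK_SYSFS:` body has no `break;` after the `if` block, so when `IMA_APPRAISE_FIRMWARE` is not set control falls through into `default:`. That is behaviourally harmless here because `default:` only does `break;`, but it is an unannotated implicit fallthrough that compilers with -Wimplicit-fallthrough will flag; add a `break;` after the closing brace of the `if`, mirroring the `break;` this same hunk adds to the preceding kexec case. Two smaller points in the same hunk: the trailing `+` line that inserts an empty line before the closing `}` of ima_read_data() is an unrelated whitespace change and should be dropped, and the message `pr_err("Prevent firmware sysfs fallback loading.\n")` reads as an instruction rather than a report; wording it as the outcome and its cause (for example, that sysfs fallback loading was denied because the policy requires signed firmware) makes the log line more useful to an administrator diagnosing a failed firmware load.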