Message ID | 20200905012020.7024-1-bmeneg@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | None |
Hi Bruno,

On Fri, 2020-09-04 at 22:20 -0300, Bruno Meneguele wrote:
> Only prompt the unknown/invalid appraisal option if secureboot is enabled and
> if the current appraisal state is different from the original one.
>
> Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>

Thanks. I tweaked this patch description and that of 4/4. This patch
set is in next-integrity-testing. Please take a look.

thanks,

Mimi
On Fri, Sep 11, 2020 at 11:07:43AM -0400, Mimi Zohar wrote:
> Hi Bruno,
>
> On Fri, 2020-09-04 at 22:20 -0300, Bruno Meneguele wrote:
> > Only prompt the unknown/invalid appraisal option if secureboot is enabled and
> > if the current appraisal state is different from the original one.
> >
> > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
>
> Thanks. I tweaked this patch description and that of 4/4. This patch
> set is in next-integrity-testing. Please take a look.
>

Thanks Mimi!
Just checked in the branch and they're fine.

> thanks,
>
> Mimi
>
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 2193b51c2743..4f028f6e8f8d 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -19,22 +19,29 @@ static int __init default_appraise_setup(char *str) { #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM - if (arch_ima_get_secureboot()) { - pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", - str); - return 1; - } + bool sb_state = arch_ima_get_secureboot(); + int appraisal_state = ima_appraise; if (strncmp(str, "off", 3) == 0) - ima_appraise = 0; + appraisal_state = 0; else if (strncmp(str, "log", 3) == 0) - ima_appraise = IMA_APPRAISE_LOG; + appraisal_state = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) - ima_appraise = IMA_APPRAISE_FIX; + appraisal_state = IMA_APPRAISE_FIX; else if (strncmp(str, "enforce", 7) == 0) - ima_appraise = IMA_APPRAISE_ENFORCE; + appraisal_state = IMA_APPRAISE_ENFORCE; else pr_err("invalid \"%s\" appraise option", str); + + /* If appraisal state was changed, but secure boot is enabled, + * keep its default */ + if (sb_state) { + if (!(appraisal_state & IMA_APPRAISE_ENFORCE)) + pr_info("Secure boot enabled: ignoring ima_appraise=%s option", + str); + } else { + ima_appraise = appraisal_state; + } #endif return 1; }
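Review bot: in the new `if (sb_state)` block, the "ignoring" message is gated on `!(appraisal_state & IMA_APPRAISE_ENFORCE)`, while the commit message and the comment above the block describe the condition as the appraisal state having changed from the original one. The two only coincide when the initial value of ima_appraise has IMA_APPRAISE_ENFORCE set. If it does not, an unrecognised option (which leaves appraisal_state equal to ima_appraise) prints both the pr_err and the "ignoring" pr_info, and `ima_appraise=enforce` is dropped under secure boot with no message at all, since the sb_state branch never assigns ima_appraise. Either compare `appraisal_state != ima_appraise`, or reword the comment and changelog to say the message is printed whenever the requested mode is not enforce. Two style points on the same lines: the new pr_info format string has no trailing "\n", and the block comment closes with `*/` on the text line instead of on a line of its own.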
Only prompt the unknown/invalid appraisal option if secureboot is enabled and
if the current appraisal state is different from the original one.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>

---
Changelog:
v3:
- fix sb_state conditional (Mimi)
v2:
- update commit message (Mimi)
- work with a temporary var instead of directly with ima_appraise (Mimi)

 security/integrity/ima/ima_appraise.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)