From patchwork Mon Dec 4 19:54:56 2017
X-Patchwork-Submitter: Bruno E O Meneguele
X-Patchwork-Id: 10091419
From: "Bruno E. O. Meneguele"
To: Mimi Zohar, Dmitry Kasatkin
Cc: linux-integrity@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] ima: log message to module appraisal error
Date: Mon, 4 Dec 2017 17:54:56 -0200
Message-Id: <20171204195456.17193-1-bmeneguele@gmail.com>

Simple but useful message log to the user in case module appraisal is forced and fails due to the lack of a file descriptor, which might be caused by kmod calls to compressed modules.

Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 770654694efc..95ec39910058 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) if (!file && read_id == READING_MODULE) { if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && - (ima_appraise & IMA_APPRAISE_ENFORCE)) + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("impossible to appraise a module without a file \ + descriptor. sig_enforce kernel parameter might \ + help\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ + } return 0; /* We rely on module signature checking */ } return 0;
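
Review bot: the pr_err() string added in ima_read_file() is continued with backslash-newline inside the string literal, so any indentation that precedes "descriptor." and "help\n" on the continuation lines becomes part of the logged message. Keep the user-visible string on a single line so it stays greppable, or split it into adjacent string literals, for example pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); the added braces around the -EACCES return are otherwise fine.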