From patchwork Mon Dec 4 20:23:47 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Bruno E. O. Meneguele" X-Patchwork-Id: 10091461 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 72B9B600C5 for ; Mon, 4 Dec 2017 20:24:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 66BFB291DD for ; Mon, 4 Dec 2017 20:24:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5AB5D2923C; Mon, 4 Dec 2017 20:24:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 198F0291DD for ; Mon, 4 Dec 2017 20:24:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752546AbdLDUXx (ORCPT ); Mon, 4 Dec 2017 15:23:53 -0500 Received: from mx1.redhat.com ([209.132.183.28]:35152 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751757AbdLDUXt (ORCPT ); Mon, 4 Dec 2017 15:23:49 -0500 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 004827CBB1; Mon, 4 Dec 2017 20:23:49 +0000 (UTC) Received: from localhost (ovpn-116-6.gru2.redhat.com [10.97.116.6]) by smtp.corp.redhat.com (Postfix) with ESMTP id 88D276F7E3; Mon, 4 Dec 2017 20:23:48 +0000 (UTC) From: "Bruno E. O. Meneguele" To: Mimi Zohar , Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] ima: log message to module appraisal error Date: Mon, 4 Dec 2017 18:23:47 -0200 Message-Id: <20171204202347.16261-1-brdeoliv@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Mon, 04 Dec 2017 20:23:49 +0000 (UTC) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Simple but useful message log to the user in case of module appraise is forced and fails due to the lack of file descriptor, that might be caused by kmod calls to compressed modules. Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 770654694efc..95ec39910058 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) if (!file && read_id == READING_MODULE) { if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && - (ima_appraise & IMA_APPRAISE_ENFORCE)) + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("impossible to appraise a module without a file \ + descriptor. sig_enforce kernel parameter might \ + help\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ + } return 0; /* We rely on module signature checking */ } return 0;