From patchwork Thu Nov 2 17:11:57 2017
X-Patchwork-Submitter: David Howells
X-Patchwork-Id: 10039031
From: David Howells
To: Mimi Zohar
Cc: dhowells@redhat.com, linux-integrity, Matthew Garrett, linux-security-module
Subject: Re: [RFC PATCH] ima: require secure_boot rules in lockdown mode
Date: Thu, 02 Nov 2017 17:11:57 +0000
Message-ID: <22475.1509642717@warthog.procyon.org.uk>
In-Reply-To: <1509382827.3583.143.camel@linux.vnet.ibm.com>
References: <1509382827.3583.143.camel@linux.vnet.ibm.com> <1508774387.3639.128.camel@linux.vnet.ibm.com> <750.1509378910@warthog.procyon.org.uk>
X-Mailing-List: linux-integrity@vger.kernel.org

I've made the revisions suggested. See the attached patch.

David
---
commit 721c0994b824b91acd3c412abe55ae41287fc64d
Author: Mimi Zohar
Date: Mon Oct 23 11:59:47 2017 -0400

    ima: require secure_boot rules in lockdown mode

    Require the "secure_boot" rules, whether or not it is specified on the
    boot command line, for both the builtin and custom policies in secure
    boot lockdown mode.

    Signed-off-by: Mimi Zohar
    Signed-off-by: David Howells

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 95209a5f8595..f64f2be2dc0c 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -427,14 +427,21 @@ void ima_update_policy_flag(void) */ void __init ima_init_policy(void) { - int i, measure_entries, appraise_entries, secure_boot_entries; + int i; + int measure_entries = 0; + int appraise_entries = 0; + int secure_boot_entries = 0; + bool kernel_locked_down = kernel_is_locked_down(); /* if !ima_policy set entries = 0 so we load NO default rules */ - measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; - appraise_entries = ima_use_appraise_tcb ? - ARRAY_SIZE(default_appraise_rules) : 0; - secure_boot_entries = ima_use_secure_boot ? - ARRAY_SIZE(secure_boot_rules) : 0; + if (ima_policy) + measure_entries = ARRAY_SIZE(dont_measure_rules); + + if (ima_use_appraise_tcb) + appraise_entries = ARRAY_SIZE(default_appraise_rules); + + if (ima_use_secure_boot || kernel_locked_down) + secure_boot_entries = ARRAY_SIZE(secure_boot_rules); for (i = 0; i < measure_entries; i++) list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); @@ -455,11 +462,23 @@ void __init ima_init_policy(void) /* * Insert the appraise rules requiring file signatures, prior to - * any other appraise rules. + * any other appraise rules. In secure boot lock-down mode, also + * require these appraise rules for custom policies. */ - for (i = 0; i < secure_boot_entries; i++) - list_add_tail(&secure_boot_rules[i].list, - &ima_default_rules); + for (i = 0; i < secure_boot_entries; i++) { + struct ima_rule_entry *entry; + + /* Include for builtin policies */ + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + + /* Include for custom policies */ + if (kernel_locked_down) { + entry = kmemdup(&secure_boot_rules[i], sizeof(*entry), + GFP_KERNEL); + if (entry) + list_add_tail(&entry->list, &ima_policy_rules); + } + } for (i = 0; i < appraise_entries; i++) { list_add_tail(&default_appraise_rules[i].list,
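Review bot: in the first hunk, `kernel_is_locked_down()` is sampled once into the local `kernel_locked_down` at the top of `ima_init_policy()`, so whether the secure_boot rules are pulled in reflects the lockdown state at policy-init time only; if that is intended, the comment above `if (ima_use_secure_boot || kernel_locked_down)` should say so, because the only comment left in that block ("if !ima_policy set entries = 0 so we load NO default rules") now sits above three separate `if` statements and describes just the `ima_policy` one. Consider moving that comment directly above `if (ima_policy)` and adding a one-line note on the lockdown case next to the third test.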
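Review bot: in the second hunk, the `if (entry)` guard after `kmemdup()` silently drops a secure_boot rule from `ima_policy_rules` when the allocation fails, which in lockdown mode means a custom policy loaded later would run without the file-signature requirement this patch exists to enforce; an allocation failure here should at least be reported (pr_err) and more likely treated as a hard failure of policy init rather than skipped, e.g. `if (!entry) { pr_err("ima: failed to duplicate secure_boot rule\n"); break; }` with the failure propagated rather than ignored. Also worth a comment: the entries appended to `ima_policy_rules` are shallow kmemdup copies of the static `secure_boot_rules[]`, unlike the same rules linked onto `ima_default_rules`, so any code that frees entries on `ima_policy_rules` must expect these to be heap-allocated while the default-list ones are not. Minor style point: the new comment says "lock-down" while the subject and commit message use "lockdown".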