From patchwork Fri Oct 20 19:19:16 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Bruno E. O. Meneguele" X-Patchwork-Id: 10020871 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id F35D460224 for ; Fri, 20 Oct 2017 19:20:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E292328F0E for ; Fri, 20 Oct 2017 19:20:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C0A7828F43; Fri, 20 Oct 2017 19:20:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FA2F28F42 for ; Fri, 20 Oct 2017 19:20:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752909AbdJTTT2 (ORCPT ); Fri, 20 Oct 2017 15:19:28 -0400 Received: from mx1.redhat.com ([209.132.183.28]:43718 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751028AbdJTTT1 (ORCPT ); Fri, 20 Oct 2017 15:19:27 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E507C806AC; Fri, 20 Oct 2017 19:19:26 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E507C806AC Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=brdeoliv@redhat.com Received: from glitch.redhat.com (ovpn-116-21.gru2.redhat.com [10.97.116.21]) by smtp.corp.redhat.com (Postfix) with ESMTP id BD3E460BEB; Fri, 20 Oct 2017 19:19:24 +0000 (UTC) From: "Bruno E. O. Meneguele" To: linux-kernel@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, serge@hallyn.com, james.l.morris@oracle.com, dmitry.kasatkin@gmail.com, zohar@linux.vnet.ibm.com, rusty@rustcorp.com.au, jeyu@kernel.org Subject: [PATCH 2/2] ima: check signature enforcement against cmdline param instead of CONFIG Date: Fri, 20 Oct 2017 17:19:16 -0200 Message-Id: <2530819c121999268c2c40ad9b907d1ca7726919.1508524595.git.brdeoliv@redhat.com> In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 20 Oct 2017 19:19:27 +0000 (UTC) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When the user requests MODULE_CHECK policy and its kernel is compiled with CONFIG_MODULE_SIG_FORCE not set, all modules would not load, just those loaded in initram time. One option the user would have would be set a kernel cmdline param (module.sig_enforce) to true, but the IMA module check code doesn't rely on this value, it checks just CONFIG_MODULE_SIG_FORCE. This patch solves this problem checking for the exported value of module.sig_enforce cmdline param intead of CONFIG_MODULE_SIG_FORCE, which holds the effective value (CONFIG || param). Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e4ab8ef8016e..d11a7fcc5c8b 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -356,12 +356,12 @@ void ima_post_path_mknod(struct dentry *dentry) */ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) { + bool sig_enforce = is_module_sig_enforced(); + if (!file && read_id == READING_MODULE) { -#ifndef CONFIG_MODULE_SIG_FORCE - if ((ima_appraise & IMA_APPRAISE_MODULES) && + if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && (ima_appraise & IMA_APPRAISE_ENFORCE)) return -EACCES; /* INTEGRITY_UNKNOWN */ -#endif return 0; /* We rely on module signature checking */ } return 0;