| Message ID | 20180725233200.761-5-erichte@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add support for architecture-specific IMA policies | expand |
Hi Eric,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on integrity/next-integrity]
[also build test WARNING on next-20180727]
[cannot apply to v4.18-rc6]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Eric-Richter/ima-add-support-for-arch-specific-policies/20180728-072442
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
smatch warnings:
security/integrity/ima/ima_policy.c:522 ima_init_arch_policy() error: potential null dereference 'arch_policy_entry'. (kcalloc returns null)
vim +/arch_policy_entry +522 security/integrity/ima/ima_policy.c
b4c0791e Nayna Jain 2018-07-25 484
b4c0791e Nayna Jain 2018-07-25 485 /*
b4c0791e Nayna Jain 2018-07-25 486 * ima_init_arch_policy - convert arch policy strings to rules
b4c0791e Nayna Jain 2018-07-25 487 *
b4c0791e Nayna Jain 2018-07-25 488 * Return number of arch specific rules.
b4c0791e Nayna Jain 2018-07-25 489 */
b4c0791e Nayna Jain 2018-07-25 490 static int __init ima_init_arch_policy(void)
b4c0791e Nayna Jain 2018-07-25 491 {
b4c0791e Nayna Jain 2018-07-25 492 const char * const *arch_rules;
b4c0791e Nayna Jain 2018-07-25 493 const char * const *rules;
b4c0791e Nayna Jain 2018-07-25 494 int arch_entries = 0;
b4c0791e Nayna Jain 2018-07-25 495 int i = 0;
b4c0791e Nayna Jain 2018-07-25 496
b4c0791e Nayna Jain 2018-07-25 497 arch_rules = arch_get_ima_policy();
b4c0791e Nayna Jain 2018-07-25 498 if (!arch_rules) {
b4c0791e Nayna Jain 2018-07-25 499 pr_info("No architecture policy rules.\n");
b4c0791e Nayna Jain 2018-07-25 500 return arch_entries;
b4c0791e Nayna Jain 2018-07-25 501 }
b4c0791e Nayna Jain 2018-07-25 502
b4c0791e Nayna Jain 2018-07-25 503 /* Get number of rules */
b4c0791e Nayna Jain 2018-07-25 504 for (rules = arch_rules; *rules != NULL; rules++)
b4c0791e Nayna Jain 2018-07-25 505 arch_entries++;
b4c0791e Nayna Jain 2018-07-25 506
b4c0791e Nayna Jain 2018-07-25 507 arch_policy_rules = kcalloc(arch_entries + 1,
b4c0791e Nayna Jain 2018-07-25 508 sizeof(*arch_policy_rules), GFP_KERNEL);
b4c0791e Nayna Jain 2018-07-25 509 if (!arch_policy_rules)
b4c0791e Nayna Jain 2018-07-25 510 return 0;
b4c0791e Nayna Jain 2018-07-25 511
b4c0791e Nayna Jain 2018-07-25 512 arch_policy_entry = kcalloc(arch_entries + 1,
b4c0791e Nayna Jain 2018-07-25 513 sizeof(*arch_policy_entry), GFP_KERNEL);
b4c0791e Nayna Jain 2018-07-25 514
b4c0791e Nayna Jain 2018-07-25 515 /* Convert arch policy string rules to struct ima_rule_entry format */
b4c0791e Nayna Jain 2018-07-25 516 for (rules = arch_rules, i = 0; *rules != NULL; rules++) {
b4c0791e Nayna Jain 2018-07-25 517 char rule[255];
b4c0791e Nayna Jain 2018-07-25 518 int result;
b4c0791e Nayna Jain 2018-07-25 519
b4c0791e Nayna Jain 2018-07-25 520 result = strlcpy(rule, *rules, sizeof(rule));
b4c0791e Nayna Jain 2018-07-25 521
b4c0791e Nayna Jain 2018-07-25 @522 INIT_LIST_HEAD(&arch_policy_entry[i].list);
b4c0791e Nayna Jain 2018-07-25 523 result = ima_parse_rule(rule, &arch_policy_entry[i]);
b4c0791e Nayna Jain 2018-07-25 524 if (result) {
b4c0791e Nayna Jain 2018-07-25 525 pr_warn("Skipping unknown architecture policy rule: %s\n", rule);
b4c0791e Nayna Jain 2018-07-25 526 memset(&arch_policy_entry[i], 0,
b4c0791e Nayna Jain 2018-07-25 527 sizeof(*arch_policy_entry));
b4c0791e Nayna Jain 2018-07-25 528 continue;
b4c0791e Nayna Jain 2018-07-25 529 }
b4c0791e Nayna Jain 2018-07-25 530 arch_policy_rules[i] = &arch_policy_entry[i];
b4c0791e Nayna Jain 2018-07-25 531 i++;
b4c0791e Nayna Jain 2018-07-25 532 }
b4c0791e Nayna Jain 2018-07-25 533 return i;
b4c0791e Nayna Jain 2018-07-25 534 }
b4c0791e Nayna Jain 2018-07-25 535
:::::: The code at line 522 was first introduced by commit
:::::: b4c0791e0facd968a3e0502a8a544390025a9a38 ima: add support for arch specific policies
:::::: TO: Nayna Jain <nayna@linux.vnet.ibm.com>
:::::: CC: 0day robot <lkp@intel.com>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 02d6f5cf4e7..f3e1d76ed9b 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -149,3 +149,5 @@ ifeq ($(CONFIG_X86_64),y) obj-$(CONFIG_MMCONF_FAM10H) += mmconf-fam10h_64.o obj-y += vsmp_64.o endif + +obj-$(CONFIG_IMA_ARCH_POLICY) += ima_arch.o diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c new file mode 100644 index 00000000000..5eb10e29db0 --- /dev/null +++ b/arch/x86/kernel/ima_arch.c @@ -0,0 +1,27 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (C) 2018 IBM Corporation + */ +#include <linux/efi.h> +#include <linux/ima.h> + +extern struct boot_params boot_params; + +/* arch rules for audit and user mode */ +static const char * const sb_arch_rules[] = { +#ifdef CONFIG_KEXEC_VERIFY_SIG + "appraise func=KEXEC_ORIG_KERNEL_CHECK appraise_type=imasig", +#else + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", +#endif /* CONFIG_KEXEC_VERIFY_SIG */ + "measure func=KEXEC_KERNEL_CHECK", + NULL +}; + +const char * const *arch_get_ima_policy(void) +{ + if (efi_enabled(EFI_BOOT) && + (boot_params.secure_boot == efi_secureboot_mode_enabled)) + return sb_arch_rules; + return NULL; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index 7fd272f0b1f..495fa290b14 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -30,10 +30,14 @@ extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_add_kexec_buffer(struct kimage *image); #endif +#if defined(CONFIG_IMA_ARCH_POLICY) && defined(CONFIG_X86) +extern const char * const *arch_get_ima_policy(void); +#else static inline const char * const *arch_get_ima_policy(void) { return NULL; } +#endif #else static inline int ima_bprm_check(struct linux_binprm *bprm) @@ -77,6 +81,10 @@ static inline void ima_post_path_mknod(struct dentry *dentry) return; } +static inline const char * const *arch_get_ima_policy(void) +{ + return NULL; +} #endif /* CONFIG_IMA */ #ifndef CONFIG_IMA_KEXEC diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 13b446328dd..18de132bbda 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -157,6 +157,14 @@ config IMA_APPRAISE <http://linux-ima.sourceforge.net> If unsure, say N. +config IMA_ARCH_POLICY + bool "Enable loading an IMA architecture specific policy" + depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS + default n + help + This option enables loading an IMA architecture specific policy + based on run time secure boot flags. + config IMA_APPRAISE_BUILD_POLICY bool "IMA build time configured policy rules" depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
This patch implements an example arch-specific IMA policy for x86 to enable measurement and appraisal of any kernel images loaded for kexec, and disables the kexec_load syscall. To avoid conflicting with the existing CONFIG_KERNEL_VERIFY_SIG option, the policy only "appraises" the target image on kexec_load. Without this, the target kexec image would have to be verified by both the above option as well as by IMA appraisal. Since signature verification for kexec_load is not possible via appraisal (or VERIFY_SIG), this results in a failure and thus effectively prevents the kexec_load syscall from succeeding when set. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> --- arch/x86/kernel/Makefile | 2 ++ arch/x86/kernel/ima_arch.c | 27 +++++++++++++++++++++++++++ include/linux/ima.h | 8 ++++++++ security/integrity/ima/Kconfig | 8 ++++++++ 4 files changed, 45 insertions(+) create mode 100644 arch/x86/kernel/ima_arch.c