From patchwork Mon Aug 10 15:19:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266707 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9CE7CC433DF for ; Mon, 10 Aug 2020 15:20:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6568720866 for ; Mon, 10 Aug 2020 15:20:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597072847; bh=QWK7XBR5gvkHC3LExaNmD7qFaj0SX1A+sVIAOWe7vgc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=f+2f6wptlZjdLk7LmwylUSpCLDG4kCIDe7UIYhFVmNvIhuvCN8IqUMCWsALKOB+kH wykGlBZ8PJB8tJsCkkpasKUosoFqIK4zh0USX3az6JLYu6OnlRkgq2fFerExEL0Cao qHUTiSYVS7y3rH9BN66+TCZ7r/1DaIHECeMNx4W8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728049AbgHJPUq (ORCPT ); Mon, 10 Aug 2020 11:20:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:51152 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728027AbgHJPUh (ORCPT ); Mon, 10 Aug 2020 11:20:37 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 09DAC20656; Mon, 10 Aug 2020 15:20:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597072836; bh=QWK7XBR5gvkHC3LExaNmD7qFaj0SX1A+sVIAOWe7vgc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ke0AvMbkJ4ePH7ceF08eUXsgfkhrTzTaIujmJgjDyW3I8sKIuqezsBjxONprPzdyG siUojworDmN8eD75BQjS4D9DiFjacPmml0paU8a4inVNC7pZewzjZDUQ5aBhFzloNB gAxI/EdSgKXB1cPX8zILEkvi9Pk0aVydbYWqEpVs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bruno Meneguele , Mimi Zohar Subject: [PATCH 5.8 35/38] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Date: Mon, 10 Aug 2020 17:19:25 +0200 Message-Id: <20200810151805.648865607@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151803.920113428@linuxfoundation.org> References: <20200810151803.920113428@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Bruno Meneguele commit 311aa6aafea446c2f954cc19d66425bfed8c4b0b upstream. The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" modes - log, fix, enforce - at run time, but not when IMA architecture specific policies are enabled.  This prevents properly labeling the filesystem on systems where secure boot is supported, but not enabled on the platform.  Only when secure boot is actually enabled should these IMA appraise modes be disabled. This patch removes the compile time dependency and makes it a runtime decision, based on the secure boot state of that platform. Test results as follows: -> x86-64 with secure boot enabled [ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option -> powerpc with secure boot disabled [ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix [ 0.000000] Secure boot mode disabled -> Running the system without secure boot and with both options set: CONFIG_IMA_APPRAISE_BOOTPARAM=y CONFIG_IMA_ARCH_POLICY=y Audit prompts "missing-hash" but still allow execution and, consequently, filesystem labeling: type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150 res=no Cc: stable@vger.kernel.org Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") Signed-off-by: Bruno Meneguele Cc: stable@vger.kernel.org # 5.0 Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman --- security/integrity/ima/Kconfig | 2 +- security/integrity/ima/ima_appraise.c | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS config IMA_APPRAISE_BOOTPARAM bool "ima_appraise boot parameter" - depends on IMA_APPRAISE && !IMA_ARCH_POLICY + depends on IMA_APPRAISE default y help This option enables the different "ima_appraise=" modes --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -19,6 +19,12 @@ static int __init default_appraise_setup(char *str) { #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM + if (arch_ima_get_secureboot()) { + pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", + str); + return 1; + } + if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0)