From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753704AbeDLWmc (ORCPT ); Thu, 12 Apr 2018 18:42:32 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39242 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753611AbeDLWmP (ORCPT ); Thu, 12 Apr 2018 18:42:15 -0400 From: Mimi Zohar To: David Howells Cc: Matthew Garrett , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Eric Biederman , kexec@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH 3/3] ima: based on policy require signed kexec kernel images Date: Thu, 12 Apr 2018 18:41:51 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18041222-0040-0000-0000-0000044CF105 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18041222-0041-0000-0000-000020F126C6 Message-Id: <1523572911-16363-4-git-send-email-zohar@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-04-12_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1804120213 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The original kexec_load syscall can not verify file signatures. This patch differentiates between the kexec_load and kexec_file_load syscalls. Signed-off-by: Mimi Zohar --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 9 +++++++++ security/integrity/ima/ima_policy.c | 2 ++ 3 files changed, 12 insertions(+) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 35fe91aa1fc9..03c9c37ee345 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -233,6 +233,7 @@ int ima_policy_show(struct seq_file *m, void *v); #define IMA_APPRAISE_MODULES 0x08 #define IMA_APPRAISE_FIRMWARE 0x10 #define IMA_APPRAISE_POLICY 0x20 +#define IMA_APPRAISE_KEXEC 0x40 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(enum ima_hooks func, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 74d0bd7e76d7..754ece08e1c6 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -444,6 +444,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) } return 0; /* We rely on module signature checking */ } + + if (!file && read_id == READING_KEXEC_IMAGE) { + if ((ima_appraise & IMA_APPRAISE_KEXEC) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file syscall.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + return 0; + } return 0; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1bdb5bc57568..3444352caf80 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -443,6 +443,8 @@ static int ima_appraise_flag(enum ima_hooks func) return IMA_APPRAISE_FIRMWARE; else if (func == POLICY_CHECK) return IMA_APPRAISE_POLICY; + else if (func == KEXEC_KERNEL_CHECK) + return IMA_APPRAISE_KEXEC; return 0; } -- 2.7.5