LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
	"Luis R . Rodriguez" <mcgrof@kernel.org>,
	Eric Biederman <ebiederm@xmission.com>,
	kexec@lists.infradead.org, Andres Rodriguez <andresx7@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH v2 2/9] ima: fix updating the ima_appraise flag
Date: Thu, 17 May 2018 10:48:43 -0400	[thread overview]
Message-ID: <1526568530-9144-3-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>

As IMA policy rules are added, a mask of the type of rule (eg. kexec
kernel image, firmware, IMA policy) is updated.  Based on this mask,
integrity decisions can be made quickly.

Unlike custom IMA policy rules, which replace the original builtin
policy rules and update the mask, the builtin "secure_boot" policy
rules were loaded, but did not update the mask.

This patch refactors the code to load custom policies, defining a new
function named ima_appraise_flag().  The new function is called either
when loading the builtin "secure_boot" or custom policies.

Fixes: 503ceaef8e2e ("ima: define a set of appraisal rules requiring file signatures")
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
 security/integrity/ima/ima_policy.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 03cbba423e59..8bbc18eb07eb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -440,6 +440,17 @@ void ima_update_policy_flag(void)
 		ima_policy_flag &= ~IMA_APPRAISE;
 }
 
+static int ima_appraise_flag(enum ima_hooks func)
+{
+	if (func == MODULE_CHECK)
+		return IMA_APPRAISE_MODULES;
+	else if (func == FIRMWARE_CHECK)
+		return IMA_APPRAISE_FIRMWARE;
+	else if (func == POLICY_CHECK)
+		return IMA_APPRAISE_POLICY;
+	return 0;
+}
+
 /**
  * ima_init_policy - initialize the default measure rules.
  *
@@ -478,9 +489,11 @@ void __init ima_init_policy(void)
 	 * Insert the appraise rules requiring file signatures, prior to
 	 * any other appraise rules.
 	 */
-	for (i = 0; i < secure_boot_entries; i++)
-		list_add_tail(&secure_boot_rules[i].list,
-			      &ima_default_rules);
+	for (i = 0; i < secure_boot_entries; i++) {
+		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
+		temp_ima_appraise |=
+		    ima_appraise_flag(secure_boot_rules[i].func);
+	}
 
 	for (i = 0; i < appraise_entries; i++) {
 		list_add_tail(&default_appraise_rules[i].list,
@@ -934,12 +947,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 	}
 	if (!result && (entry->action == UNKNOWN))
 		result = -EINVAL;
-	else if (entry->func == MODULE_CHECK)
-		temp_ima_appraise |= IMA_APPRAISE_MODULES;
-	else if (entry->func == FIRMWARE_CHECK)
-		temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
-	else if (entry->func == POLICY_CHECK)
-		temp_ima_appraise |= IMA_APPRAISE_POLICY;
+	else if (entry->action == APPRAISE)
+		temp_ima_appraise |= ima_appraise_flag(entry->func);
+
 	audit_log_format(ab, "res=%d", !result);
 	audit_log_end(ab);
 	return result;
-- 
2.7.5

  parent reply	other threads:[~2018-05-17 14:48 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-17 14:48 [PATCH v2 0/9] kexec/firmware: support system wide policy requiring signatures Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 1/9] ima: based on policy verify firmware signatures (pre-allocated buffer) Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar [this message]
2018-05-17 14:48 ` [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper Mimi Zohar
2018-05-18  0:24   ` Casey Schaufler
2018-05-18  3:37     ` Eric W. Biederman
2018-05-18 11:30       ` Mimi Zohar
2018-05-18 14:58         ` Casey Schaufler
2018-05-18 15:29           ` Mimi Zohar
2018-05-18 17:13       ` James Morris
2018-05-18 17:55         ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 4/9] kexec: add call to LSM hook in original kexec_load syscall Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 5/9] ima: based on policy require signed kexec kernel images Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 6/9] firmware: add call to LSM hook before firmware sysfs fallback Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 7/9] ima: based on policy require signed firmware (sysfs fallback) Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 8/9] ima: add build time policy Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer) Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1526568530-9144-3-git-send-email-zohar@linux.vnet.ibm.com \
    --to=zohar@linux.vnet.ibm.com \
    --cc=andresx7@gmail.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=dhowells@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=kexec@lists.infradead.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --subject='Re: [PATCH v2 2/9] ima: fix updating the ima_appraise flag' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).