Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
From: Bruno Meneguele
Date: Mon Jun 22 2020 - 16:16:35 EST
On Mon, Jun 22, 2020 at 03:28:13PM -0400, Mimi Zohar wrote:
> On Mon, 2020-06-22 at 14:27 -0300, Bruno Meneguele wrote:
> > IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> > compile time, enforcing the appraisal whenever the kernel had the arch
> > policy option enabled.
> >
> > However it breaks systems where the option is actually set but the system
> > wasn't booted in a "secure boot" platform. In this scenario, anytime the
> > an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> > forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> > to actually measure system's files.
> >
> > This patch remove this compile time dependency and move it to a runtime
> > decision, based on the arch policy loading failure/success.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> > Signed-off-by: Bruno Meneguele <bmeneg@xxxxxxxxxx>
> > ---
> > changes from v1:
> > - removed "ima:" prefix from pr_info() message
> >
> > security/integrity/ima/Kconfig | 2 +-
> > security/integrity/ima/ima_policy.c | 8 ++++++--
> > 2 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index edde88dbe576..62dc11a5af01 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
> >
> > config IMA_APPRAISE_BOOTPARAM
> > bool "ima_appraise boot parameter"
> > - depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> > + depends on IMA_APPRAISE
> > default y
> > help
> > This option enables the different "ima_appraise=" modes
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index e493063a3c34..c876617d4210 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -733,11 +733,15 @@ void __init ima_init_policy(void)
> > * (Highest priority)
> > */
> > arch_entries = ima_init_arch_policy();
> > - if (!arch_entries)
> > + if (!arch_entries) {
> > pr_info("No architecture policies found\n");
> > - else
> > + } else {
> > + /* Force appraisal, preventing runtime xattr changes */
> > + pr_info("setting IMA appraisal to enforced\n");
> > + ima_appraise = IMA_APPRAISE_ENFORCE;
> > add_rules(arch_policy_entry, arch_entries,
> > IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> > + }
> >
> > /*
> > * Insert the builtin "secure_boot" policy rules requiring file
>
> CONFIG_IMA_APPRAISE_BOOTPARAM controls the "ima_appraise" mode bits.
> The mode bits are or'ed with the MODULES, FIRMWARE, POLICY, and KEXEC
> bits, which have already been set in ima_init_arch_policy().
>
Sorry for missing this part! Of course I should've spoted that just my
following ima_appraise down the code.
> From ima.h:
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> #define IMA_APPRAISE_FIX 0x02
> #define IMA_APPRAISE_LOG 0x04
> #define IMA_APPRAISE_MODULES 0x08
> #define IMA_APPRAISE_FIRMWARE 0x10
> #define IMA_APPRAISE_POLICY 0x20
> #define IMA_APPRAISE_KEXEC 0x40
>
> As Nayna pointed out, only when an architecture specific "secure boot"
> policy is loaded, is this applicable.
Yes, will come up with patch covering only this case.
Thanks Mimi!
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
Attachment:
signature.asc
Description: PGP signature