diff options
Diffstat (limited to 'debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch')
| -rw-r--r-- | debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch b/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch new file mode 100644 index 000000000..0ab99ba64 --- /dev/null +++ b/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch @@ -0,0 +1,75 @@ +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +Date: Wed, 8 Nov 2017 15:11:32 +0000 +Subject: [03/29] ima: require secure_boot rules in lockdown mode +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=29c55d71a8185208c7962843a29c9a84ae27b2b0 + +Require the "secure_boot" rules, whether or not it is specified +on the boot command line, for both the builtin and custom policies +in secure boot lockdown mode. + +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Signed-off-by: David Howells <dhowells@redhat.com> +[bwh: Adjust context to apply after commits 6f0911a666d1 + "ima: fix updating the ima_appraise flag" and ef96837b0de4 + "ima: add build time policy"] +--- + security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +Index: linux/security/integrity/ima/ima_policy.c +=================================================================== +--- linux.orig/security/integrity/ima/ima_policy.c ++++ linux/security/integrity/ima/ima_policy.c +@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_ho + */ + void __init ima_init_policy(void) + { +- int i, measure_entries, appraise_entries, secure_boot_entries; ++ int i; ++ int measure_entries = 0; ++ int appraise_entries = 0; ++ int secure_boot_entries = 0; ++ bool kernel_locked_down = __kernel_is_locked_down(NULL, false); + + /* if !ima_policy set entries = 0 so we load NO default rules */ +- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; +- appraise_entries = ima_use_appraise_tcb ? +- ARRAY_SIZE(default_appraise_rules) : 0; +- secure_boot_entries = ima_use_secure_boot ? +- ARRAY_SIZE(secure_boot_rules) : 0; ++ if (ima_policy) ++ measure_entries = ARRAY_SIZE(dont_measure_rules); ++ ++ if (ima_use_appraise_tcb) ++ appraise_entries = ARRAY_SIZE(default_appraise_rules); ++ ++ if (ima_use_secure_boot || kernel_locked_down) ++ secure_boot_entries = ARRAY_SIZE(secure_boot_rules); + + for (i = 0; i < measure_entries; i++) + list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); +@@ -510,11 +517,24 @@ void __init ima_init_policy(void) + /* + * Insert the builtin "secure_boot" policy rules requiring file + * signatures, prior to any other appraise rules. ++ * In secure boot lock-down mode, also require these appraise ++ * rules for custom policies. + */ + for (i = 0; i < secure_boot_entries; i++) { ++ struct ima_rule_entry *entry; ++ ++ /* Include for builtin policies */ + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + temp_ima_appraise |= + ima_appraise_flag(secure_boot_rules[i].func); ++ ++ /* Include for custom policies */ ++ if (kernel_locked_down) { ++ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry), ++ GFP_KERNEL); ++ if (entry) ++ list_add_tail(&entry->list, &ima_policy_rules); ++ } + } + + /* |