Received: by 10.192.165.156 with SMTP id m28csp942892imm;
        Wed, 11 Apr 2018 09:38:19 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49RYHUAQLSP9wUyyQl4Yxkc46Y/U38dx+EUzwz9zzP89xw8YzyhuPRIjQ39QG4lpKR8Z9AP
X-Received: by 2002:a17:902:748a:: with SMTP id h10-v6mr5937655pll.160.1523464699914;
        Wed, 11 Apr 2018 09:38:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523464699; cv=none;
        d=google.com; s=arc-20160816;
        b=cR+Rx8AwNFkV59XJc1hJMnDaemeglrZCWqaDBFhB1aD5KnQE1Nr0BWERvsAnavQjFR
         1WDtoRp68NUOinSlg1vgqNzcDJ0uNcN91AFs0BfTvTZAtUxdhh89fWAH9iNZkkvIO6e3
         4Yvn/ZBZKs0+gwAkKU35S3uv6+7ml4nfJTrDhuAh7clqUoc5GKq8bYjejFXxPp5ut2Qr
         ZPzFCWJ9Otq06KwUbnIXUCmq4T63twCcYPLLaJy/cwAUVGURojhL/O/2KP6h3PyvWWF7
         iWYJ0AJzeCJCbTFXJWHDquBG6vD3pobDd9cuegg30jiX3wt5DzjM750Yx0pssUY2PbiO
         1+3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:cc:to:from
         :subject:organization:arc-authentication-results;
        bh=AZLJcN5nQ/BDkxL9Yaxnlqa7tfrV7yU1M6KgsyHdMZM=;
        b=lNvcjZWZjPt/VDAdHiualMtlvqalowqABHJ08iYAAKH2xlFbTXNGakFjCwtn+3uIsn
         oBnHAO7S9wsAqQas2LJ1/gUj59SNMcsW1cFwm7W1PfbppGP58sfQiFE2AyQz5Q+ci1wB
         D3s85G3Mzqw4xk3dGFGJpklTgnFIiU7JSsNHK6kSP+GGjcQ92S9VJUhcWVCqWIGkqyQo
         Tmx7fUN3NO5TdDWHICqETmk7pysr0W2ZARpIzhJJrYn7Ot47fiQQaoeiQTV+IP1laEpE
         gxTNnMFfPYBs56U1Wa0s8oZZIRSjYz9OcncA5o6LxyrvGrD9TEHnDAKv8VkkP3MKCX21
         EUQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r9si954174pgq.535.2018.04.11.09.37.42;
        Wed, 11 Apr 2018 09:38:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753966AbeDKQZG (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Wed, 11 Apr 2018 12:25:06 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:54006 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1753755AbeDKQZB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Apr 2018 12:25:01 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 4145F4057296;
        Wed, 11 Apr 2018 16:25:00 +0000 (UTC)
Received: from warthog.procyon.org.uk (ovpn-120-8.rdu2.redhat.com [10.10.120.8])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 6B2142026E03;
        Wed, 11 Apr 2018 16:24:59 +0000 (UTC)
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
 Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
 Kingdom.
 Registered in England and Wales under Company Registration No. 3798903
Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
From:   David Howells <dhowells@redhat.com>
To:     torvalds@linux-foundation.org
Cc:     linux-man@vger.kernel.org, linux-api@vger.kernel.org,
        jmorris@namei.org, linux-kernel@vger.kernel.org,
        dhowells@redhat.com, linux-security-module@vger.kernel.org
Date:   Wed, 11 Apr 2018 17:24:58 +0100
Message-ID: <152346389895.4030.16084163640865771766.stgit@warthog.procyon.org.uk>
In-Reply-To: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>
References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Wed, 11 Apr 2018 16:25:00 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Wed, 11 Apr 2018 16:25:00 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mimi Zohar <zohar@linux.vnet.ibm.com>

Require the "secure_boot" rules, whether or not it is specified
on the boot command line, for both the builtin and custom policies
in secure boot lockdown mode.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---

 security/integrity/ima/ima_policy.c |   39 ++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d89bebf85421..da6f55c96a61 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -443,14 +443,21 @@ void ima_update_policy_flag(void)
  */
 void __init ima_init_policy(void)
 {
-	int i, measure_entries, appraise_entries, secure_boot_entries;
+	int i;
+	int measure_entries = 0;
+	int appraise_entries = 0;
+	int secure_boot_entries = 0;
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
 
 	/* if !ima_policy set entries = 0 so we load NO default rules */
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
-	appraise_entries = ima_use_appraise_tcb ?
-			 ARRAY_SIZE(default_appraise_rules) : 0;
-	secure_boot_entries = ima_use_secure_boot ?
-			ARRAY_SIZE(secure_boot_rules) : 0;
+	if (ima_policy)
+		measure_entries = ARRAY_SIZE(dont_measure_rules);
+
+	if (ima_use_appraise_tcb)
+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
+
+	if (ima_use_secure_boot || kernel_locked_down)
+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
 
 	for (i = 0; i < measure_entries; i++)
 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
@@ -471,11 +478,23 @@ void __init ima_init_policy(void)
 
 	/*
 	 * Insert the appraise rules requiring file signatures, prior to
-	 * any other appraise rules.
+	 * any other appraise rules.  In secure boot lock-down mode, also
+	 * require these appraise rules for custom policies.
 	 */
-	for (i = 0; i < secure_boot_entries; i++)
-		list_add_tail(&secure_boot_rules[i].list,
-			      &ima_default_rules);
+	for (i = 0; i < secure_boot_entries; i++) {
+		struct ima_rule_entry *entry;
+
+		/* Include for builtin policies */
+		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
+
+		/* Include for custom policies */
+		if (kernel_locked_down) {
+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
+					GFP_KERNEL);
+			if (entry)
+				list_add_tail(&entry->list, &ima_policy_rules);
+		}
+	}
 
 	for (i = 0; i < appraise_entries; i++) {
 		list_add_tail(&default_appraise_rules[i].list,