From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R. Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel
Subject: [PATCH v2 2/9] ima: fix updating the ima_appraise flag
Date: Thu, 17 May 2018 10:48:43 -0400
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1526568530-9144-3-git-send-email-zohar@linux.vnet.ibm.com>

As IMA policy rules are added, a mask of the type of rule (e.g. kexec kernel image, firmware, IMA policy) is updated. Based on this mask, integrity decisions can be made quickly.

Unlike custom IMA policy rules, which replace the original builtin policy rules and update the mask, the builtin "secure_boot" policy rules were loaded, but did not update the mask.

This patch refactors the code to load custom policies, defining a new function named ima_appraise_flag(). The new function is called either when loading the builtin "secure_boot" or custom policies.

Fixes: 503ceaef8e2e ("ima: define a set of appraisal rules requiring file signatures")
Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 03cbba423e59..8bbc18eb07eb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -440,6 +440,17 @@ void ima_update_policy_flag(void) ima_policy_flag &= ~IMA_APPRAISE; } +static int ima_appraise_flag(enum ima_hooks func) +{ + if (func == MODULE_CHECK) + return IMA_APPRAISE_MODULES; + else if (func == FIRMWARE_CHECK) + return IMA_APPRAISE_FIRMWARE; + else if (func == POLICY_CHECK) + return IMA_APPRAISE_POLICY; + return 0; +} + /** * ima_init_policy - initialize the default measure rules. * @@ -478,9 +489,11 @@ void __init ima_init_policy(void) * Insert the appraise rules requiring file signatures, prior to * any other appraise rules. */ - for (i = 0; i < secure_boot_entries; i++) - list_add_tail(&secure_boot_rules[i].list, - &ima_default_rules); + for (i = 0; i < secure_boot_entries; i++) { + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + temp_ima_appraise |= + ima_appraise_flag(secure_boot_rules[i].func); + } for (i = 0; i < appraise_entries; i++) { list_add_tail(&default_appraise_rules[i].list, @@ -934,12 +947,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) } if (!result && (entry->action == UNKNOWN)) result = -EINVAL; - else if (entry->func == MODULE_CHECK) - temp_ima_appraise |= IMA_APPRAISE_MODULES; - else if (entry->func == FIRMWARE_CHECK) - temp_ima_appraise |= IMA_APPRAISE_FIRMWARE; - else if (entry->func == POLICY_CHECK) - temp_ima_appraise |= IMA_APPRAISE_POLICY; + else if (entry->action == APPRAISE) + temp_ima_appraise |= ima_appraise_flag(entry->func); + audit_log_format(ab, "res=%d", !result); audit_log_end(ab); return result; -- 2.7.5
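Review bot: in the first hunk, ima_appraise_flag() maps only MODULE_CHECK, FIRMWARE_CHECK and POLICY_CHECK, while the commit message describes the mask as tracking rule types such as the kexec kernel image; if a kexec appraise flag exists in this series it needs a case here too, otherwise the commit message should not list it. Two smaller points on the same hunk: a `switch (func)` over the `enum ima_hooks` values reads better than the if/else-if chain and lets the compiler warn about unhandled hooks, and a short comment above the function (the file already uses kernel-doc blocks, as the `ima_init_policy` header right below it shows) saying that the return value is an IMA_APPRAISE_* bit meant to be OR'd into `temp_ima_appraise` would help, since the bare `int` return type does not convey that.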
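Review bot: in the ima_init_policy() hunk, the loop ORs in the flag for every secure_boot_rules[] entry with no check on the rule's action, whereas the ima_parse_rule() hunk only does so when `entry->action == APPRAISE`. That is fine if every entry in secure_boot_rules[] is an appraise rule, as the comment above the loop ("Insert the appraise rules requiring file signatures") suggests, but a one-line comment stating that assumption would keep the two call sites from looking inconsistent, and if a non-appraise rule is ever added to that table the flag would be set wrongly without anything catching it.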
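Review bot: in the ima_parse_rule() hunk, gating on `entry->action == APPRAISE` is a behaviour change rather than a pure refactor: before this hunk any rule with func MODULE_CHECK, FIRMWARE_CHECK or POLICY_CHECK set the corresponding flag whatever its action, and after it only an appraise rule does. That looks like the right semantics for an appraisal mask, but the commit message only describes the secure_boot fix and should say so explicitly. Also, the new condition is an `else if` of `if (!result && (entry->action == UNKNOWN))`, so when `result` is already non-zero from an earlier parse error the flag is still OR'd into temp_ima_appraise for a rule that is about to be rejected; the old code had the same gap, but since the branch is being rewritten it is the moment to write `else if (!result && entry->action == APPRAISE)`. The stray added blank line after the statement can be dropped.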