Date: Fri, 1 Jun 2018 20:21:07 +0200
From: "Luis R. Rodriguez"
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R . Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Matthew Garrett
Subject: Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback)
Message-ID: <20180601182107.GO4511@wotan.suse.de>

On Tue, May 29, 2018 at 02:01:57PM -0400, Mimi Zohar wrote:
> Luis, is the security_kernel_post_read_file LSM hook in
> firmware_loading_store() still needed after this patch? Should it be
> calling security_kernel_load_data() instead?

That's up to Kees to decide as he added that hook, and knows what LSMs
may be doing with it. From my perspective it is confusing to have that
hook there so I think it could be removed now.

Kees?

  Luis

>
> ---
>
> With an IMA policy requiring signed firmware, this patch prevents
> the sysfs fallback method of loading firmware.
>
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: David Howells
> Cc: Matthew Garrett
> ---
> security/integrity/ima/ima_main.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index a565d46084c2..4a87f78098c8 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c
> @@ -475,8 +475,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > > if (!file && read_id == READING_FIRMWARE) { > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > - (ima_appraise & IMA_APPRAISE_ENFORCE)) > + (ima_appraise & IMA_APPRAISE_ENFORCE)) { > + pr_err("Prevent firmware loading_store.\n"); > return -EACCES; /* INTEGRITY_UNKNOWN */ > + } > return 0; > } > > @@ -520,6 +522,12 @@ int ima_load_data(enum kernel_load_data_id id) > pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); > return -EACCES; /* INTEGRITY_UNKNOWN */ > } > + break; > + case LOADING_FIRMWARE: > + if (ima_appraise & IMA_APPRAISE_FIRMWARE) { > + pr_err("Prevent firmware sysfs fallback loading.\n"); > + return -EACCES; /* INTEGRITY_UNKNOWN */ > + } > default: > break; > } > -- > 2.7.5 > > -- Do not panic
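
Review bot: the pr_err() text added in the first hunk (ima_post_read_file, the !file && READING_FIRMWARE branch), "Prevent firmware loading_store.", names an internal function and does not tell an administrator why the load was refused. Something along the lines of "firmware load without a file denied: IMA policy requires signed firmware" would match the style of the kexec message visible in the second hunk, which states the cause and the alternative. Since the commit message ties this path to the sysfs fallback, which is driven by writes from userspace, pr_err_ratelimited() is worth considering so repeated denied attempts cannot flood the log.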
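
Review bot: the new case LOADING_FIRMWARE: in the second hunk (ima_load_data) has no break; before default:, so when IMA_APPRAISE_FIRMWARE is not set it falls through. That is harmless today because default: only breaks, but the same hunk adds an explicit break; to the preceding case, so the new case should end with one too (or carry a fallthrough comment) to stay safe if another case is inserted later. Separately, this check tests only IMA_APPRAISE_FIRMWARE, while the first hunk requires both IMA_APPRAISE_FIRMWARE and IMA_APPRAISE_ENFORCE before returning -EACCES; if enforcement is not already tested earlier in ima_load_data, outside the lines shown, the fallback would be refused even when appraisal is not enforcing. A short comment stating where the enforce check happens would settle it.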