author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-07-13 14:05:58 -0400 |
committer | James Morris <james.morris@microsoft.com> | 2018-07-16 15:31:57 -0400 |
commit | 16c267aac86b463b1fcccd43c89f4c8e5c5c86fa (patch) | |
tree | 550e6fcb00d732a3c018b3258302f8ffd61a4379 | |
parent | a210fd32a46bae6d05b43860fe3b47732501d63b (diff) |
ima: based on policy require signed kexec kernel images
The original kexec_load syscall cannot verify file signatures, nor can
the kexec image be measured. Based on policy, deny the kexec_load
syscall.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
-rw-r--r-- | include/linux/ima.h | 7 | ||||
-rw-r--r-- | security/integrity/ima/ima.h | 1 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 27 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 2 | ||||
-rw-r--r-- | security/security.c | 7 |
5 files changed, 43 insertions, 1 deletions
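--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -11,6 +11,7 @@
 #define _LINUX_IMA_H
 
 #include <linux/fs.h>
+#include <linux/security.h>
 #include <linux/kexec.h>
 struct linux_binprm;
 
@@ -19,6 +20,7 @@ extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask, int opened);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
+extern int ima_load_data(enum kernel_load_data_id id);
 extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
 extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
 			      enum kernel_read_file_id id);
@@ -49,6 +51,11 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
 	return 0;
 }
 
+static inline int ima_load_data(enum kernel_load_data_id id)
+{
+	return 0;
+}
+
 static inline int ima_read_file(struct file *file, enum kernel_read_file_id id)
 {
 	return 0;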
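--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -232,6 +232,7 @@ int ima_policy_show(struct seq_file *m, void *v);
 #define IMA_APPRAISE_MODULES 0x08
 #define IMA_APPRAISE_FIRMWARE 0x10
 #define IMA_APPRAISE_POLICY 0x20
+#define IMA_APPRAISE_KEXEC 0x40
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(enum ima_hooks func,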
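--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -496,6 +496,33 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
 				 MAY_READ, func, 0);
 }
 
+/**
+ * ima_load_data - appraise decision based on policy
+ * @id: kernel load data caller identifier
+ *
+ * Callers of this LSM hook can not measure, appraise, or audit the
+ * data provided by userspace. Enforce policy rules requring a file
+ * signature (eg. kexec'ed kernel image).
+ *
+ * For permission return 0, otherwise return -EACCES.
+ */
+int ima_load_data(enum kernel_load_data_id id)
+{
+	if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
+		return 0;
+
+	switch (id) {
+	case LOADING_KEXEC_IMAGE:
+		if (ima_appraise & IMA_APPRAISE_KEXEC) {
+			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
+			return -EACCES; /* INTEGRITY_UNKNOWN */
+		}
+	default:
+		break;
+	}
+	return 0;
+}
+
 static int __init init_ima(void)
 {
 	int error;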
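Review bot: `case LOADING_KEXEC_IMAGE:` in the new ima_load_data() falls through into `default:` whenever IMA_APPRAISE_KEXEC is not set; the effect today is the same `break`, but the unannotated fallthrough trips -Wimplicit-fallthrough and becomes a real bug the moment another case is added between them, so end the case with `break;` (or at least a `/* fall through */` marker). The kernel-doc above it has two wording slips, `requring` → `requiring` and `eg.` → `e.g.`. The early `return 0` when IMA_APPRAISE_ENFORCE is not set also means that in log or fix mode a kexec_load matching a KEXEC_KERNEL_CHECK appraise rule is allowed silently, with no pr_err(); if that is intended, a sentence in the kernel-doc stating that the denial is enforce-mode only would save the next reader from assuming the message is always emitted.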
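--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -448,6 +448,8 @@ static int ima_appraise_flag(enum ima_hooks func)
 		return IMA_APPRAISE_FIRMWARE;
 	else if (func == POLICY_CHECK)
 		return IMA_APPRAISE_POLICY;
+	else if (func == KEXEC_KERNEL_CHECK)
+		return IMA_APPRAISE_KEXEC;
 	return 0;
 }
 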
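--- a/security/security.c
+++ b/security/security.c
@@ -1058,7 +1058,12 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
 
 int security_kernel_load_data(enum kernel_load_data_id id)
 {
-	return call_int_hook(kernel_load_data, 0, id);
+	int ret;
+
+	ret = call_int_hook(kernel_load_data, 0, id);
+	if (ret)
+		return ret;
+	return ima_load_data(id);
 }
 
 int security_task_fix_setuid(struct cred *new, const struct cred *old,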
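Review bot: security_kernel_load_data() now has a fixed ordering — every registered LSM's kernel_load_data hook is consulted first and IMA only runs if all of them returned 0 — but nothing at the call site records that this mirrors security_kernel_read_file() and that a non-zero LSM result short-circuits the IMA policy check. A one-line comment above the `ret = call_int_hook(...)` line, e.g. `/* LSMs first; IMA policy (ima_load_data) is consulted only if they all allow */`, would make the precedence explicit to the next person adding a caller or a hook.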