|
 |
bbfe8b3 |
From patchwork Fri Apr 13 15:27:52 2018
|
|
|
bbfe8b3 |
Content-Type: text/plain; charset="utf-8"
|
|
|
bbfe8b3 |
MIME-Version: 1.0
|
|
|
bbfe8b3 |
Content-Transfer-Encoding: 7bit
|
|
|
bbfe8b3 |
Subject: lockdown: fix coordination of kernel module signature verification
|
|
|
bbfe8b3 |
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
|
|
bbfe8b3 |
X-Patchwork-Id: 10340277
|
|
|
bbfe8b3 |
Message-Id: <1523633272.3272.30.camel@linux.vnet.ibm.com>
|
|
|
bbfe8b3 |
To: David Howells <dhowells@redhat.com>
|
|
|
bbfe8b3 |
Cc: Luca Boccassi <bluca@debian.org>,
|
|
|
bbfe8b3 |
"Bruno E. O. Meneguele" <bmeneg@redhat.com>,
|
|
|
bbfe8b3 |
linux-integrity <linux-integrity@vger.kernel.org>,
|
|
|
bbfe8b3 |
linux-security-module <linux-security-module@vger.kernel.org>,
|
|
|
bbfe8b3 |
linux-kernel <linux-kernel@vger.kernel.org>
|
|
|
bbfe8b3 |
Date: Fri, 13 Apr 2018 11:27:52 -0400
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
If both IMA-appraisal and sig_enforce are enabled, then both signatures
|
|
|
bbfe8b3 |
are currently required. If the IMA-appraisal signature verification
|
|
|
bbfe8b3 |
fails, it could rely on the appended signature verification; but with the
|
|
|
bbfe8b3 |
lockdown patch set, the appended signature verification assumes that if
|
|
|
bbfe8b3 |
IMA-appraisal is enabled, it has verified the signature. Basically each
|
|
|
bbfe8b3 |
signature verification method would be relying on the other to verify the
|
|
|
bbfe8b3 |
kernel module signature.
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
This patch addresses the problem of requiring both kernel module signature
|
|
|
bbfe8b3 |
verification methods, when both are enabled, by verifying just the
|
|
|
bbfe8b3 |
appended signature.
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
|
|
bbfe8b3 |
Acked-by: Bruno E. O. Meneguele <bmeneg@redhat.com>
|
|
|
bbfe8b3 |
---
|
|
|
bbfe8b3 |
kernel/module.c | 4 +---
|
|
|
bbfe8b3 |
security/integrity/ima/ima_main.c | 7 ++++++-
|
|
|
bbfe8b3 |
2 files changed, 7 insertions(+), 4 deletions(-)
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
diff --git a/kernel/module.c b/kernel/module.c
|
|
|
bbfe8b3 |
index 9c1709a05037..60861eb7bc4d 100644
|
|
|
bbfe8b3 |
--- a/kernel/module.c
|
|
|
bbfe8b3 |
+++ b/kernel/module.c
|
|
|
bbfe8b3 |
@@ -2803,9 +2803,7 @@ static int module_sig_check(struct load_info *info, int flags,
|
|
|
bbfe8b3 |
if (sig_enforce) {
|
|
|
bbfe8b3 |
pr_notice("%s is rejected\n", reason);
|
|
|
bbfe8b3 |
return -EKEYREJECTED;
|
|
|
bbfe8b3 |
- }
|
|
|
bbfe8b3 |
-
|
|
|
bbfe8b3 |
- if (can_do_ima_check && is_ima_appraise_enabled())
|
|
|
bbfe8b3 |
+ } else if (can_do_ima_check && is_ima_appraise_enabled())
|
|
|
bbfe8b3 |
return 0;
|
|
|
bbfe8b3 |
if (kernel_is_locked_down(reason))
|
|
|
bbfe8b3 |
return -EPERM;
|
|
|
bbfe8b3 |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
|
|
|
bbfe8b3 |
index 754ece08e1c6..2155b1f316a4 100644
|
|
|
bbfe8b3 |
--- a/security/integrity/ima/ima_main.c
|
|
|
bbfe8b3 |
+++ b/security/integrity/ima/ima_main.c
|
|
|
bbfe8b3 |
@@ -480,6 +480,7 @@ static int read_idmap[READING_MAX_ID] = {
|
|
|
bbfe8b3 |
int ima_post_read_file(struct file *file, void *buf, loff_t size,
|
|
|
bbfe8b3 |
enum kernel_read_file_id read_id)
|
|
|
bbfe8b3 |
{
|
|
|
bbfe8b3 |
+ bool sig_enforce = is_module_sig_enforced();
|
|
|
bbfe8b3 |
enum ima_hooks func;
|
|
|
bbfe8b3 |
u32 secid;
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
@@ -490,7 +491,11 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
|
|
|
bbfe8b3 |
return 0;
|
|
|
bbfe8b3 |
}
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
- if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
|
|
|
bbfe8b3 |
+ /*
|
|
|
bbfe8b3 |
+ * If both IMA-appraisal and appended signature verification are
|
|
|
bbfe8b3 |
+ * enabled, rely on the appended signature verification.
|
|
|
bbfe8b3 |
+ */
|
|
|
bbfe8b3 |
+ if (sig_enforce && read_id == READING_MODULE)
|
|
|
bbfe8b3 |
return 0;
|
|
|
bbfe8b3 |
|
|
|
bbfe8b3 |
/* permit signed certs */
|