hulk inclusion category: feature feature: digest-lists
---------------------------
This patch modifies the existing "secure_boot" and "appraise_exec_tcb" policies by adding the appraise_type=meta_immutable requirement to all of their appraise rules:
appraise func=MODULE_CHECK appraise_type=imasig appraise_type=meta_immutable appraise func=FIRMWARE_CHECK appraise_type=imasig appraise_type=meta_immutable appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig appraise_type=meta_immutable appraise func=POLICY_CHECK appraise_type=imasig appraise_type=meta_immutable appraise func=DIGEST_LIST_CHECK appraise_type=imasig appraise_type=meta_immutable dont_appraise fsmagic=0x9fa0 dont_appraise fsmagic=0x62656572 dont_appraise fsmagic=0x64626720 dont_appraise fsmagic=0x858458f6 dont_appraise fsmagic=0x1cd1 dont_appraise fsmagic=0x42494e4d dont_appraise fsmagic=0x73636673 dont_appraise fsmagic=0xf97cff8c dont_appraise fsmagic=0x43415d53 dont_appraise fsmagic=0x6e736673 dont_appraise fsmagic=0x27e0eb dont_appraise fsmagic=0x63677270 appraise func=BPRM_CHECK appraise_type=imasig appraise_type=meta_immutable appraise func=MMAP_CHECK appraise_type=meta_immutable
This policy can be selected by specifying ima_policy="appraise_exec_tcb|appraise_exec_immutable" in the kernel command line.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- Documentation/admin-guide/kernel-parameters.txt | 4 ++++ security/integrity/ima/ima_policy.c | 12 +++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 8904da12caf9..14fd02ce8367 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1620,6 +1620,10 @@ latter, as it would break processes accessing files on tmpfs, e.g. firewalld).
+ The "appraise_exec_immutable" policy requires immutable
+ metadata for all files appraised by the "secure_boot"
+ and "appraise_exec_tcb" policies.
+
 The "fail_securely" policy forces file signature verification failure also on privileged mounted filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index cd76088878ee..94ba751a8191 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -222,6 +222,7 @@ __setup("ima_tcb", default_measure_policy_setup);
 static bool ima_use_appraise_tcb __initdata;
 static bool ima_use_appraise_exec_tcb __initdata;
+static bool ima_use_appraise_exec_immutable __initdata;
 static bool ima_use_secure_boot __initdata;
 static bool ima_fail_unverifiable_sigs __ro_after_init;
 static int __init policy_setup(char *str)
@@ -239,6 +240,8 @@ static int __init policy_setup(char *str)
 ima_use_appraise_tcb = true;
 else if (strcmp(p, "appraise_exec_tcb") == 0)
 ima_use_appraise_exec_tcb = true;
+ else if (strcmp(p, "appraise_exec_immutable") == 0)
+ ima_use_appraise_exec_immutable = true;
 else if (strcmp(p, "secure_boot") == 0)
 ima_use_secure_boot = true;
 else if (strcmp(p, "fail_securely") == 0)
@@ -548,6 +551,9 @@ void __init ima_init_policy(void)
 * signatures, prior to any other appraise rules.
 */
 for (i = 0; i < secure_boot_entries; i++) {
+ if (ima_use_appraise_exec_immutable)
+ secure_boot_rules[i].flags |=
+ IMA_META_IMMUTABLE_REQUIRED;
 list_add_tail(&secure_boot_rules[i].list,
 &ima_default_rules);
 temp_ima_appraise |= ima_appraise_flag(secure_boot_rules[i].func);
@@ -587,9 +593,13 @@ void __init ima_init_policy(void)
 temp_ima_appraise |= IMA_APPRAISE_POLICY;
 }
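Review bot: Accepting "appraise_exec_immutable" in policy_setup without any check that a base policy is also selected means `ima_policy=appraise_exec_immutable` on its own silently does nothing: the new flag is only consumed by the two rule loops in ima_init_policy, and their bounds (secure_boot_entries, appraise_exec_entries) appear to be set outside these hunks from ima_use_secure_boot and ima_use_appraise_exec_tcb. An operator who expects immutable-metadata enforcement and gets no appraisal at all is worse off than one who gets a message, so the combination should at least be reported; in ima_init_policy after the loops, `if (ima_use_appraise_exec_immutable && !ima_use_secure_boot && !ima_use_appraise_exec_tcb)` followed by `pr_info("ima: appraise_exec_immutable has no effect without secure_boot or appraise_exec_tcb\n");`. A short comment on the new declaration in the first hunk would also help: `/* Adds IMA_META_IMMUTABLE_REQUIRED to the secure_boot/appraise_exec_tcb rules; has no effect on its own. */`. Both policy_setup and ima_init_policy continue outside the hunks shown here.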
- for (i = 0; i < appraise_exec_entries; i++)
+ for (i = 0; i < appraise_exec_entries; i++) {
+ if (ima_use_appraise_exec_immutable)
+ appraise_exec_rules[i].flags |=
+ IMA_META_IMMUTABLE_REQUIRED;
 list_add_tail(&appraise_exec_rules[i].list,
 &ima_default_rules);
+ }
 ima_update_policy_flag();
 }
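Review bot: The `|= IMA_META_IMMUTABLE_REQUIRED` in the new loop body is applied to every entry of appraise_exec_rules, while the commit description lists dont_appraise fsmagic rules among them and says the requirement is meant for the appraise rules; if the matcher only honours the flag for appraise actions this is inert, but that is not visible here, and tagging dont_appraise rules with an appraisal requirement is at best misleading to anyone auditing the rule table. Gating on the rule's action keeps the mutation to the rules it is intended for: `if (ima_use_appraise_exec_immutable && (appraise_exec_rules[i].action & APPRAISE))`. The secure_boot loop in the previous hunk has the same shape; whether that array also carries non-appraise entries cannot be told from this page. The enclosing ima_init_policy starts outside the hunk.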