76 lines
2.8 KiB
Diff
76 lines
2.8 KiB
Diff
|
From patchwork Fri Apr 13 15:27:52 2018
|
||
|
Content-Type: text/plain; charset="utf-8"
|
||
|
MIME-Version: 1.0
|
||
|
Content-Transfer-Encoding: 7bit
|
||
|
Subject: lockdown: fix coordination of kernel module signature verification
|
||
|
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||
|
X-Patchwork-Id: 10340277
|
||
|
Message-Id: <1523633272.3272.30.camel@linux.vnet.ibm.com>
|
||
|
To: David Howells <dhowells@redhat.com>
|
||
|
Cc: Luca Boccassi <bluca@debian.org>,
|
||
|
"Bruno E. O. Meneguele" <bmeneg@redhat.com>,
|
||
|
linux-integrity <linux-integrity@vger.kernel.org>,
|
||
|
linux-security-module <linux-security-module@vger.kernel.org>,
|
||
|
linux-kernel <linux-kernel@vger.kernel.org>
|
||
|
Date: Fri, 13 Apr 2018 11:27:52 -0400
|
||
|
|
||
|
If both IMA-appraisal and sig_enforce are enabled, then both signatures
|
||
|
are currently required. If the IMA-appraisal signature verification
|
||
|
fails, it could rely on the appended signature verification; but with the
|
||
|
lockdown patch set, the appended signature verification assumes that if
|
||
|
IMA-appraisal is enabled, it has verified the signature. Basically each
|
||
|
signature verification method would be relying on the other to verify the
|
||
|
kernel module signature.
|
||
|
|
||
|
This patch addresses the problem of requiring both kernel module signature
|
||
|
verification methods, when both are enabled, by verifying just the
|
||
|
appended signature.
|
||
|
|
||
|
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||
|
Acked-by: Bruno E. O. Meneguele <bmeneg@redhat.com>
|
||
|
---
|
||
|
kernel/module.c | 4 +---
|
||
|
security/integrity/ima/ima_main.c | 7 ++++++-
|
||
|
2 files changed, 7 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/kernel/module.c b/kernel/module.c
|
||
|
index 9c1709a05037..60861eb7bc4d 100644
|
||
|
--- a/kernel/module.c
|
||
|
+++ b/kernel/module.c
|
||
|
@@ -2803,9 +2803,7 @@ static int module_sig_check(struct load_info *info, int flags,
|
||
|
if (sig_enforce) {
|
||
|
pr_notice("%s is rejected\n", reason);
|
||
|
return -EKEYREJECTED;
|
||
|
- }
|
||
|
-
|
||
|
- if (can_do_ima_check && is_ima_appraise_enabled())
|
||
|
+ } else if (can_do_ima_check && is_ima_appraise_enabled())
|
||
|
return 0;
|
||
|
if (kernel_is_locked_down(reason))
|
||
|
return -EPERM;
|
||
|
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
|
||
|
index 754ece08e1c6..2155b1f316a4 100644
|
||
|
--- a/security/integrity/ima/ima_main.c
|
||
|
+++ b/security/integrity/ima/ima_main.c
|
||
|
@@ -480,6 +480,7 @@ static int read_idmap[READING_MAX_ID] = {
|
||
|
int ima_post_read_file(struct file *file, void *buf, loff_t size,
|
||
|
enum kernel_read_file_id read_id)
|
||
|
{
|
||
|
+ bool sig_enforce = is_module_sig_enforced();
|
||
|
enum ima_hooks func;
|
||
|
u32 secid;
|
||
|
|
||
|
@@ -490,7 +491,11 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
- if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
|
||
|
+ /*
|
||
|
+ * If both IMA-appraisal and appended signature verification are
|
||
|
+ * enabled, rely on the appended signature verification.
|
||
|
+ */
|
||
|
+ if (sig_enforce && read_id == READING_MODULE)
|
||
|
return 0;
|
||
|
|
||
|
/* permit signed certs */
|