Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

[Bruno Meneguele <bmeneg@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 3572 bytes --]

On Mon, Jun 22, 2020 at 03:28:13PM -0400, Mimi Zohar wrote:
> On Mon, 2020-06-22 at 14:27 -0300, Bruno Meneguele wrote:
> > IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> > compile time, enforcing the appraisal whenever the kernel had the arch
> > policy option enabled.
> > 
> > However it breaks systems where the option is actually set but the system
> > wasn't booted in a "secure boot" platform. In this scenario, anytime the
> > an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> > forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> > to actually measure system's files.
> > 
> > This patch remove this compile time dependency and move it to a runtime
> > decision, based on the arch policy loading failure/success.
> > 
> > Cc: stable@vger.kernel.org
> > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> > ---
> > changes from v1:
> > 	- removed "ima:" prefix from pr_info() message
> > 
> >  security/integrity/ima/Kconfig      | 2 +-
> >  security/integrity/ima/ima_policy.c | 8 ++++++--
> >  2 files changed, 7 insertions(+), 3 deletions(-)
> > 
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index edde88dbe576..62dc11a5af01 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
> >  
> >  config IMA_APPRAISE_BOOTPARAM
> >  	bool "ima_appraise boot parameter"
> > -	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> > +	depends on IMA_APPRAISE
> >  	default y
> >  	help
> >  	  This option enables the different "ima_appraise=" modes
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index e493063a3c34..c876617d4210 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -733,11 +733,15 @@ void __init ima_init_policy(void)
> >  	 * (Highest priority)
> >  	 */
> >  	arch_entries = ima_init_arch_policy();
> > -	if (!arch_entries)
> > +	if (!arch_entries) {
> >  		pr_info("No architecture policies found\n");
> > -	else
> > +	} else {
> > +		/* Force appraisal, preventing runtime xattr changes */
> > +		pr_info("setting IMA appraisal to enforced\n");
> > +		ima_appraise = IMA_APPRAISE_ENFORCE;
> >  		add_rules(arch_policy_entry, arch_entries,
> >  			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> > +	}
> >  
> >  	/*
> >  	 * Insert the builtin "secure_boot" policy rules requiring file
> 
> CONFIG_IMA_APPRAISE_BOOTPARAM controls the "ima_appraise" mode bits.  
> The mode bits are or'ed with the MODULES, FIRMWARE, POLICY, and KEXEC
> bits, which have already been set in ima_init_arch_policy().
> 

Sorry for missing this part! Of course I should've spoted that just my
following ima_appraise down the code.

> From ima.h:
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE    0x01
> #define IMA_APPRAISE_FIX        0x02
> #define IMA_APPRAISE_LOG        0x04
> #define IMA_APPRAISE_MODULES    0x08
> #define IMA_APPRAISE_FIRMWARE   0x10
> #define IMA_APPRAISE_POLICY     0x20
> #define IMA_APPRAISE_KEXEC      0x40
> 
> As Nayna pointed out, only when an architecture specific "secure boot"
> policy is loaded, is this applicable. 

Yes, will come up with patch covering only this case.

Thanks Mimi!

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]