Quoting Mimi Zohar (zohar@xxxxxxxxxxxxxxxxxx): > This patch addresses the fuse privileged mounted filesystems in > environments which are unwilling to accept the risk of trusting the > signature verification and want to always fail safe, but are for example > using a pre-built kernel. > > This patch defines a new builtin policy named "fail_securely", which can > be specified on the boot command line as an argument to "ima_policy=". > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> > Cc: Miklos Szeredi <miklos@xxxxxxxxxx> > Cc: Seth Forshee <seth.forshee@xxxxxxxxxxxxx> > Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > Cc: Dongsu Park <dongsu@xxxxxxxxxx> > Cc: Alban Crequy <alban@xxxxxxxxxx> > Cc: Serge E. Hallyn <serge@xxxxxxxxxx> Acked-by: Serge Hallyn <serge@xxxxxxxxxx> but, > > --- > Changelog v3: > - Rename the builtin policy name > > Changelog v2: > - address the fail safe environement > > Documentation/admin-guide/kernel-parameters.txt | 8 +++++++- > security/integrity/ima/ima_appraise.c | 11 ++++++----- > security/integrity/ima/ima_main.c | 3 ++- > security/integrity/ima/ima_policy.c | 5 +++++ > security/integrity/integrity.h | 1 + > 5 files changed, 21 insertions(+), 7 deletions(-) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 1d1d53f85ddd..2cc17dc7ab84 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -1525,7 +1525,8 @@ > > ima_policy= [IMA] > The builtin policies to load during IMA setup. > - Format: "tcb | appraise_tcb | secure_boot" > + Format: "tcb | appraise_tcb | secure_boot | > + fail_securely" > > The "tcb" policy measures all programs exec'd, files > mmap'd for exec, and all files opened with the read > @@ -1540,6 +1541,11 @@ > of files (eg. kexec kernel image, kernel modules, > firmware, policy, etc) based on file signatures. > > + The "fail_securely" policy forces file signature > + verification failure also on privileged mounted > + filesystems with the SB_I_UNVERIFIABLE_SIGNATURE > + flag. > + > ima_tcb [IMA] Deprecated. Use ima_policy= instead. > Load a policy which meets the needs of the Trusted > Computing Base. This means IMA will measure all > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index 4bafb397ee91..3034935e1eb3 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func, > out: > /* > * File signatures on some filesystems can not be properly verified. > - * On these filesytems, that are mounted by an untrusted mounter, > - * fail the file signature verification. > + * On these filesytems, that are mounted by an untrusted mounter or How about "When such filesystems are mounted by an untrusted mounter or on a system not willing to accept such a risk, ..." ? (also filesytems is misspelled :) > + * for systems not willing to accept the risk, fail the file signature > + * verification. > */
