The original kexec_load syscall can not verify file signatures. This patch differentiates between the kexec_load and kexec_file_load syscalls. Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 9 +++++++++ security/integrity/ima/ima_policy.c | 2 ++ 3 files changed, 12 insertions(+) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 35fe91aa1fc9..03c9c37ee345 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -233,6 +233,7 @@ int ima_policy_show(struct seq_file *m, void *v); #define IMA_APPRAISE_MODULES 0x08 #define IMA_APPRAISE_FIRMWARE 0x10 #define IMA_APPRAISE_POLICY 0x20 +#define IMA_APPRAISE_KEXEC 0x40 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(enum ima_hooks func, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 74d0bd7e76d7..754ece08e1c6 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -444,6 +444,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) } return 0; /* We rely on module signature checking */ } + + if (!file && read_id == READING_KEXEC_IMAGE) { + if ((ima_appraise & IMA_APPRAISE_KEXEC) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file syscall.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + return 0; + } return 0; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1bdb5bc57568..3444352caf80 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -443,6 +443,8 @@ static int ima_appraise_flag(enum ima_hooks func) return IMA_APPRAISE_FIRMWARE; else if (func == POLICY_CHECK) return IMA_APPRAISE_POLICY; + else if (func == KEXEC_KERNEL_CHECK) + return IMA_APPRAISE_KEXEC; return 0; } -- 2.7.5