On Fri, Jul 10, 2020 at 04:25:16PM -0300, Bruno Meneguele wrote: > On Fri, Jul 10, 2020 at 02:54:48PM -0400, Mimi Zohar wrote: > > On Fri, 2020-07-10 at 15:34 -0300, Bruno Meneguele wrote: > > > On Fri, Jul 10, 2020 at 03:03:38PM -0300, Bruno Meneguele wrote: > > > > On Fri, Jul 10, 2020 at 01:23:24PM -0400, Mimi Zohar wrote: > > > > > On Thu, 2020-07-09 at 13:46 -0300, Bruno Meneguele wrote: > > > > > > APPRAISE_BOOTPARAM has been marked as dependent on !ARCH_POLICY in compile > > > > > > time, enforcing the appraisal whenever the kernel had the arch policy option > > > > > > enabled. > > > > > > > > > > > However it breaks systems where the option is set but the system didn't > > > > > > boot in a "secure boot" platform. In this scenario, anytime an appraisal > > > > > > policy (i.e. ima_policy=appraisal_tcb) is used it will be forced, without > > > > > > giving the user the opportunity to label the filesystem, before enforcing > > > > > > integrity. > > > > > > > > > > > > Considering the ARCH_POLICY is only effective when secure boot is actually > > > > > > enabled this patch remove the compile time dependency and move it to a > > > > > > runtime decision, based on the secure boot state of that platform. > > > > > > > > > > Perhaps we could simplify this patch description a bit? > > > > > > > > > > The IMA_APPRAISE_BOOTPARAM config allows enabling different > > > > > "ima_appraise=" modes - log, fix, enforce - at run time, but not when > > > > > IMA architecture specific policies are enabled. This prevents > > > > > properly labeling the filesystem on systems where secure boot is > > > > > supported, but not enabled on the platform. Only when secure boot is > > > > > enabled, should these IMA appraise modes be disabled. > > > > > > > > > > This patch removes the compile time dependency and makes it a runtime > > > > > decision, based on the secure boot state of that platform. > > > > > > > > > > > > > Sounds good to me. > > > > > > > > > <snip> > > > > > > > > > > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > > > > > > index a9649b04b9f1..884de471b38a 100644 > > > > > > --- a/security/integrity/ima/ima_appraise.c > > > > > > +++ b/security/integrity/ima/ima_appraise.c > > > > > > @@ -19,6 +19,11 @@ > > > > > > static int __init default_appraise_setup(c > > > > > > > > > > > har *str) > > > > > > { > > > > > > #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM > > > > > > + if (arch_ima_get_secureboot()) { > > > > > > + pr_info("appraise boot param ignored: secure boot enabled"); > > > > > > > > > > Instead of a generic statement, is it possible to include the actual > > > > > option being denied? Perhaps something like: "Secure boot enabled, > > > > > ignoring %s boot command line option" > > > > > > > > > > Mimi > > > > > > > > > > > > > Yes, sure. > > > > > > > > > > Btw, would it make sense to first make sure we have a valid "str" > > > option and not something random to print? > > > > > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > > > index a9649b04b9f1..1f1175531d3e 100644 > > > --- a/security/integrity/ima/ima_appraise.c > > > +++ b/security/integrity/ima/ima_appraise.c > > > @@ -25,6 +25,16 @@ static int __init default_appraise_setup(char *str) > > > ima_appraise = IMA_APPRAISE_LOG; > > > else if (strncmp(str, "fix", 3) == 0) > > > ima_appraise = IMA_APPRAISE_FIX; > > > + else > > > + pr_info("invalid \"%s\" appraise option"); > > > + > > > + if (arch_ima_get_secureboot()) { > > > + if (!is_ima_appraise_enabled()) { > > > + pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", > > > + str); > > > + ima_appraise = IMA_APPRAISE_ENFORCE; > > > + } > > > + } > > > > Providing feedback is probably a good idea. However, the > > "arch_ima_get_secureboot" test can't come after setting > > "ima_appraise." > > > > Sorry, but I'm not sure if I got the reason to why it can't be done > after: would it be basically to prevent any further processing about > ima_appraise as a matter of security principle? Or maybe to keep the > dependency between secureboot and bootparam truly strict? > > Or are there something else I'm missing? > I'm going to send a v6 with the pr_info() placed in the beginning directly printing 'str', thus we can have the actual issue solved. Then later I send another patches to handle the other cases of limiting 'str' printing and also giving the user a feedback about invalid ima_appraise= options. So we can discuss further on that. Thanks Mimi. > > Mimi > > > > > #endif > > > return 1; > > > } > > > > > > > > > The "else" there I think would make sense as well, at least to give the > > > user some feedback about a possible mispelling of him (as a separate > > > patch). > > > > > > And "if(!is_ima_appraise_enabled())" would avoid to print anything about > > > "ignoring the option" to the user in case he explicitly set "enforce", > > > which we know there isn't any real effect but is allowed and shown in > > > kernel-parameters.txt. > > > > > > > Thanks! > > > > > > > > > > + return 1; > > > > > > + } > > > > > > + > > > > > > if (strncmp(str, "off", 3) == 0) > > > > > > ima_appraise = 0; > > > > > > else if (strncmp(str, "log", 3) == 0) > > > > > > > > > > > > > -- > > > > bmeneg > > > > PGP Key: http://bmeneg.com/pubkey.txt > > > > > > > > > > > > > -- > bmeneg > PGP Key: http://bmeneg.com/pubkey.txt -- bmeneg PGP Key: http://bmeneg.com/pubkey.txt
Attachment:
signature.asc
Description: PGP signature