Patch "ima: Fail rule parsing when asymmetric key measurement isn't supportable" has been added to the 5.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 26 Oct 2020 01:09:59 -0400

This is a note to let you know that I've just added the patch titled

    ima: Fail rule parsing when asymmetric key measurement isn't supportable

to the 5.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ima-fail-rule-parsing-when-asymmetric-key-measuremen.patch
and it can be found in the queue-5.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a69fe54047c5ed76deb82fda3a17ebdc89139782
Author: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
Date:   Tue Aug 11 14:26:21 2020 -0500

    ima: Fail rule parsing when asymmetric key measurement isn't supportable
    
    [ Upstream commit 48ce1ddce16b0d1e3ff948da40a0d5125a4ee1a0 ]
    
    Measuring keys is currently only supported for asymmetric keys. In the
    future, this might change.
    
    For now, the "func=KEY_CHECK" and "keyrings=" options are only
    appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make
    this clear at policy load so that IMA policy authors don't assume that
    these policy language constructs are supported.
    
    Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
    Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys")
    Suggested-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
    Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
    Reviewed-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
    Reviewed-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
    Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 9354e7cf4a09f..4a7a4b6bf79b2 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1233,7 +1233,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 				entry->func = POLICY_CHECK;
 			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
 				entry->func = KEXEC_CMDLINE;
-			else if (strcmp(args[0].from, "KEY_CHECK") == 0)
+			else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
+				 strcmp(args[0].from, "KEY_CHECK") == 0)
 				entry->func = KEY_CHECK;
 			else
 				result = -EINVAL;
@@ -1290,7 +1291,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 		case Opt_keyrings:
 			ima_log_string(ab, "keyrings", args[0].from);
 
-			if (entry->keyrings) {
+			if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
+			    entry->keyrings) {
 				result = -EINVAL;
 				break;
 			}






