On Mon, 2020-06-22 at 14:27 -0300, Bruno Meneguele wrote:
> IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> compile time, enforcing the appraisal whenever the kernel had the arch
> policy option enabled.
>
> However it breaks systems where the option is actually set but the system
> wasn't booted in a "secure boot" platform. In this scenario, anytime the
> an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> to actually measure system's files.
>
> This patch remove this compile time dependency and move it to a runtime
> decision, based on the arch policy loading failure/success.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> Signed-off-by: Bruno Meneguele <bmeneg@xxxxxxxxxx>
> ---
> changes from v1:
> - removed "ima:" prefix from pr_info() message
>
> security/integrity/ima/Kconfig | 2 +-
> security/integrity/ima/ima_policy.c | 8 ++++++--
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index edde88dbe576..62dc11a5af01 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
>
> config IMA_APPRAISE_BOOTPARAM
> bool "ima_appraise boot parameter"
> - depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> + depends on IMA_APPRAISE
> default y
> help
> This option enables the different "ima_appraise=" modes
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e493063a3c34..c876617d4210 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -733,11 +733,15 @@ void __init ima_init_policy(void)
> * (Highest priority)
> */
> arch_entries = ima_init_arch_policy();
> - if (!arch_entries)
> + if (!arch_entries) {
> pr_info("No architecture policies found\n");
> - else
> + } else {
> + /* Force appraisal, preventing runtime xattr changes */
> + pr_info("setting IMA appraisal to enforced\n");
> + ima_appraise = IMA_APPRAISE_ENFORCE;
> add_rules(arch_policy_entry, arch_entries,
> IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> + }
>
> /*
> * Insert the builtin "secure_boot" policy rules requiring file
CONFIG_IMA_APPRAISE_BOOTPARAM controls the "ima_appraise" mode bits.
The mode bits are or'ed with the MODULES, FIRMWARE, POLICY, and KEXEC
bits, which have already been set in ima_init_arch_policy().
>From ima.h:
/* Appraise integrity measurements */
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX 0x02
#define IMA_APPRAISE_LOG 0x04
#define IMA_APPRAISE_MODULES 0x08
#define IMA_APPRAISE_FIRMWARE 0x10
#define IMA_APPRAISE_POLICY 0x20
#define IMA_APPRAISE_KEXEC 0x40
As Nayna pointed out, only when an architecture specific "secure boot"
policy is loaded, is this applicable.
Mimi
