Message ID | 20180725233200.761-5-erichte@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Add support for architecture-specific IMA policies | expand |
Hi Eric, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on integrity/next-integrity] [also build test WARNING on next-20180727] [cannot apply to v4.18-rc6] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Eric-Richter/ima-add-support-for-arch-specific-policies/20180728-072442 base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity smatch warnings: security/integrity/ima/ima_policy.c:522 ima_init_arch_policy() error: potential null dereference 'arch_policy_entry'. (kcalloc returns null) vim +/arch_policy_entry +522 security/integrity/ima/ima_policy.c b4c0791e Nayna Jain 2018-07-25 484 b4c0791e Nayna Jain 2018-07-25 485 /* b4c0791e Nayna Jain 2018-07-25 486 * ima_init_arch_policy - convert arch policy strings to rules b4c0791e Nayna Jain 2018-07-25 487 * b4c0791e Nayna Jain 2018-07-25 488 * Return number of arch specific rules. b4c0791e Nayna Jain 2018-07-25 489 */ b4c0791e Nayna Jain 2018-07-25 490 static int __init ima_init_arch_policy(void) b4c0791e Nayna Jain 2018-07-25 491 { b4c0791e Nayna Jain 2018-07-25 492 const char * const *arch_rules; b4c0791e Nayna Jain 2018-07-25 493 const char * const *rules; b4c0791e Nayna Jain 2018-07-25 494 int arch_entries = 0; b4c0791e Nayna Jain 2018-07-25 495 int i = 0; b4c0791e Nayna Jain 2018-07-25 496 b4c0791e Nayna Jain 2018-07-25 497 arch_rules = arch_get_ima_policy(); b4c0791e Nayna Jain 2018-07-25 498 if (!arch_rules) { b4c0791e Nayna Jain 2018-07-25 499 pr_info("No architecture policy rules.\n"); b4c0791e Nayna Jain 2018-07-25 500 return arch_entries; b4c0791e Nayna Jain 2018-07-25 501 } b4c0791e Nayna Jain 2018-07-25 502 b4c0791e Nayna Jain 2018-07-25 503 /* Get number of rules */ b4c0791e Nayna Jain 2018-07-25 504 for (rules = arch_rules; *rules != NULL; rules++) b4c0791e Nayna Jain 2018-07-25 505 arch_entries++; b4c0791e Nayna Jain 2018-07-25 506 b4c0791e Nayna Jain 2018-07-25 507 arch_policy_rules = kcalloc(arch_entries + 1, b4c0791e Nayna Jain 2018-07-25 508 sizeof(*arch_policy_rules), GFP_KERNEL); b4c0791e Nayna Jain 2018-07-25 509 if (!arch_policy_rules) b4c0791e Nayna Jain 2018-07-25 510 return 0; b4c0791e Nayna Jain 2018-07-25 511 b4c0791e Nayna Jain 2018-07-25 512 arch_policy_entry = kcalloc(arch_entries + 1, b4c0791e Nayna Jain 2018-07-25 513 sizeof(*arch_policy_entry), GFP_KERNEL); b4c0791e Nayna Jain 2018-07-25 514 b4c0791e Nayna Jain 2018-07-25 515 /* Convert arch policy string rules to struct ima_rule_entry format */ b4c0791e Nayna Jain 2018-07-25 516 for (rules = arch_rules, i = 0; *rules != NULL; rules++) { b4c0791e Nayna Jain 2018-07-25 517 char rule[255]; b4c0791e Nayna Jain 2018-07-25 518 int result; b4c0791e Nayna Jain 2018-07-25 519 b4c0791e Nayna Jain 2018-07-25 520 result = strlcpy(rule, *rules, sizeof(rule)); b4c0791e Nayna Jain 2018-07-25 521 b4c0791e Nayna Jain 2018-07-25 @522 INIT_LIST_HEAD(&arch_policy_entry[i].list); b4c0791e Nayna Jain 2018-07-25 523 result = ima_parse_rule(rule, &arch_policy_entry[i]); b4c0791e Nayna Jain 2018-07-25 524 if (result) { b4c0791e Nayna Jain 2018-07-25 525 pr_warn("Skipping unknown architecture policy rule: %s\n", rule); b4c0791e Nayna Jain 2018-07-25 526 memset(&arch_policy_entry[i], 0, b4c0791e Nayna Jain 2018-07-25 527 sizeof(*arch_policy_entry)); b4c0791e Nayna Jain 2018-07-25 528 continue; b4c0791e Nayna Jain 2018-07-25 529 } b4c0791e Nayna Jain 2018-07-25 530 arch_policy_rules[i] = &arch_policy_entry[i]; b4c0791e Nayna Jain 2018-07-25 531 i++; b4c0791e Nayna Jain 2018-07-25 532 } b4c0791e Nayna Jain 2018-07-25 533 return i; b4c0791e Nayna Jain 2018-07-25 534 } b4c0791e Nayna Jain 2018-07-25 535 :::::: The code at line 522 was first introduced by commit :::::: b4c0791e0facd968a3e0502a8a544390025a9a38 ima: add support for arch specific policies :::::: TO: Nayna Jain <nayna@linux.vnet.ibm.com> :::::: CC: 0day robot <lkp@intel.com> --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 02d6f5cf4e7..f3e1d76ed9b 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -149,3 +149,5 @@ ifeq ($(CONFIG_X86_64),y) obj-$(CONFIG_MMCONF_FAM10H) += mmconf-fam10h_64.o obj-y += vsmp_64.o endif + +obj-$(CONFIG_IMA_ARCH_POLICY) += ima_arch.o diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c new file mode 100644 index 00000000000..5eb10e29db0 --- /dev/null +++ b/arch/x86/kernel/ima_arch.c @@ -0,0 +1,27 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (C) 2018 IBM Corporation + */ +#include <linux/efi.h> +#include <linux/ima.h> + +extern struct boot_params boot_params; + +/* arch rules for audit and user mode */ +static const char * const sb_arch_rules[] = { +#ifdef CONFIG_KEXEC_VERIFY_SIG + "appraise func=KEXEC_ORIG_KERNEL_CHECK appraise_type=imasig", +#else + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", +#endif /* CONFIG_KEXEC_VERIFY_SIG */ + "measure func=KEXEC_KERNEL_CHECK", + NULL +}; + +const char * const *arch_get_ima_policy(void) +{ + if (efi_enabled(EFI_BOOT) && + (boot_params.secure_boot == efi_secureboot_mode_enabled)) + return sb_arch_rules; + return NULL; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index 7fd272f0b1f..495fa290b14 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -30,10 +30,14 @@ extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_add_kexec_buffer(struct kimage *image); #endif +#if defined(CONFIG_IMA_ARCH_POLICY) && defined(CONFIG_X86) +extern const char * const *arch_get_ima_policy(void); +#else static inline const char * const *arch_get_ima_policy(void) { return NULL; } +#endif #else static inline int ima_bprm_check(struct linux_binprm *bprm) @@ -77,6 +81,10 @@ static inline void ima_post_path_mknod(struct dentry *dentry) return; } +static inline const char * const *arch_get_ima_policy(void) +{ + return NULL; +} #endif /* CONFIG_IMA */ #ifndef CONFIG_IMA_KEXEC diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 13b446328dd..18de132bbda 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -157,6 +157,14 @@ config IMA_APPRAISE <http://linux-ima.sourceforge.net> If unsure, say N. +config IMA_ARCH_POLICY + bool "Enable loading an IMA architecture specific policy" + depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS + default n + help + This option enables loading an IMA architecture specific policy + based on run time secure boot flags. + config IMA_APPRAISE_BUILD_POLICY bool "IMA build time configured policy rules" depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
This patch implements an example arch-specific IMA policy for x86 to enable measurement and appraisal of any kernel images loaded for kexec, and disables the kexec_load syscall. To avoid conflicting with the existing CONFIG_KERNEL_VERIFY_SIG option, the policy only "appraises" the target image on kexec_load. Without this, the target kexec image would have to be verified by both the above option as well as by IMA appraisal. Since signature verification for kexec_load is not possible via appraisal (or VERIFY_SIG), this results in a failure and thus effectively prevents the kexec_load syscall from succeeding when set. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> --- arch/x86/kernel/Makefile | 2 ++ arch/x86/kernel/ima_arch.c | 27 +++++++++++++++++++++++++++ include/linux/ima.h | 8 ++++++++ security/integrity/ima/Kconfig | 8 ++++++++ 4 files changed, 45 insertions(+) create mode 100644 arch/x86/kernel/ima_arch.c