Message ID | 20200727140831.64251-3-tyhicks@linux.microsoft.com |
---|---|
State | New, archived |
Series | ima: Fix keyrings race condition and other key related bugs |
On 7/27/20 7:08 AM, Tyler Hicks wrote: > Measuring keys is currently only supported for asymmetric keys. In the > future, this might change. > > For now, the "func=KEY_CHECK" and "keyrings=" options are only > appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make > this clear at policy load so that IMA policy authors don't assume that > these policy language constructs are supported. > > Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy") > Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") > Suggested-by: Nayna Jain <nayna@linux.ibm.com> > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> > --- > security/integrity/ima/ima_policy.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index c328cfa0fc49..05f012fd3dca 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -1233,7 +1233,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > entry->func = POLICY_CHECK; > else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) > entry->func = KEXEC_CMDLINE; > - else if (strcmp(args[0].from, "KEY_CHECK") == 0) > + else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && > + strcmp(args[0].from, "KEY_CHECK") == 0) > entry->func = KEY_CHECK; > else > result = -EINVAL; > @@ -1290,7 +1291,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > case Opt_keyrings: > ima_log_string(ab, "keyrings", args[0].from); > > - if (entry->keyrings) { > + if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || > + entry->keyrings) { > result = -EINVAL; > break; > } > Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c328cfa0fc49..05f012fd3dca 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1233,7 +1233,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = POLICY_CHECK; else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) entry->func = KEXEC_CMDLINE; - else if (strcmp(args[0].from, "KEY_CHECK") == 0) + else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && + strcmp(args[0].from, "KEY_CHECK") == 0) entry->func = KEY_CHECK; else result = -EINVAL; @@ -1290,7 +1291,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) case Opt_keyrings: ima_log_string(ab, "keyrings", args[0].from); - if (entry->keyrings) { + if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || + entry->keyrings) { result = -EINVAL; break; }
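Review bot: In the `@@ -1233,7 +1233,8 @@` hunk, gating `KEY_CHECK` with `IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && strcmp(args[0].from, "KEY_CHECK") == 0` lets an unsupported `func=KEY_CHECK` fall through to the same `result = -EINVAL;` that an unknown func name hits, so a policy author cannot tell a misspelled func from a Kconfig dependency; the commit message promises to "make this clear at policy load", but the only signal here is the rejection itself. Suggest a one-line comment above the new `else if` naming the CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS dependency, and consider an audit message that distinguishes "not supported in this configuration" from "unknown func".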
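Review bot: In the `@@ -1290,7 +1291,8 @@` hunk, `if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || entry->keyrings)` folds two unrelated failures (option compiled out, option given twice) into one `result = -EINVAL; break;`, and since `ima_log_string(ab, "keyrings", args[0].from);` runs before the check, the audit record still shows the keyrings value as if it had been accepted. Rejecting before the value is parsed is the right place for the check. Suggest a short comment on the `IS_ENABLED` half so it is not read as part of the duplicate-option check, and since the diffstat shows only ima_policy.c changed, the new dependency of `keyrings=` and `func=KEY_CHECK` on CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is not reflected in the policy documentation; a follow-up there would help policy authors.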
Measuring keys is currently only supported for asymmetric keys. In the future, this might change.

For now, the "func=KEY_CHECK" and "keyrings=" options are only appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make this clear at policy load so that IMA policy authors don't assume that these policy language constructs are supported.

Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys")
Suggested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
security/integrity/ima/ima_policy.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)