From: Greg Kroah-Hartman Date: Mon, 10 Aug 2020 13:55:22 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.139~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=884afb9e98c7afbd8eb268fe0f016a3365f9ca8c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch --- diff --git a/queue-5.4/ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch b/queue-5.4/ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch new file mode 100644 index 00000000000..044d5bfafa6 --- /dev/null +++ b/queue-5.4/ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch 
@@ -0,0 +1,86 @@ +From 311aa6aafea446c2f954cc19d66425bfed8c4b0b Mon Sep 17 00:00:00 2001 +From: Bruno Meneguele +Date: Mon, 13 Jul 2020 13:48:30 -0300 +Subject: ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bruno Meneguele + +commit 311aa6aafea446c2f954cc19d66425bfed8c4b0b upstream. + +The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" +modes - log, fix, enforce - at run time, but not when IMA architecture +specific policies are enabled.  This prevents properly labeling the +filesystem on systems where secure boot is supported, but not enabled on the +platform.  Only when secure boot is actually enabled should these IMA +appraise modes be disabled. + +This patch removes the compile time dependency and makes it a runtime +decision, based on the secure boot state of that platform. + +Test results as follows: + +-> x86-64 with secure boot enabled + +[ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix +[ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option + +-> powerpc with secure boot disabled + +[ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix +[ 0.000000] Secure boot mode disabled + +-> Running the system without secure boot and with both options set: + +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_ARCH_POLICY=y + +Audit prompts "missing-hash" but still allow execution and, consequently, +filesystem labeling: + +type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976 +uid=root auid=root ses=2 +subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data +cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150 +res=no + +Cc: stable@vger.kernel.org +Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") +Signed-off-by: Bruno Meneguele +Cc: stable@vger.kernel.org # 5.0 
+Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/Kconfig | 2 +- + security/integrity/ima/ima_appraise.c | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -227,7 +227,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS + + config IMA_APPRAISE_BOOTPARAM + bool "ima_appraise boot parameter" +- depends on IMA_APPRAISE && !IMA_ARCH_POLICY ++ depends on IMA_APPRAISE + default y + help + This option enables the different "ima_appraise=" modes +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -18,6 +18,12 @@ + static int __init default_appraise_setup(char *str) + { + #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM ++ if (arch_ima_get_secureboot()) { ++ pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", ++ str); ++ return 1; ++ } ++ + if (strncmp(str, "off", 3) == 0) + ima_appraise = 0; + else if (strncmp(str, "log", 3) == 0) diff --git a/queue-5.4/series b/queue-5.4/series index 1e5174384a5..42151e2fd4d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -63,3 +63,4 @@ openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch revert-vxlan-fix-tos-value-before-xmit.patch selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch tcp-apply-a-floor-of-1-for-rtt-samples-from-tcp-timestamps.patch +ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch
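Review bot: in the Kconfig hunk, dropping `!IMA_ARCH_POLICY` from the `depends on` line leaves the visible help text ("This option enables the different "ima_appraise=" modes") without any mention that the boot parameter is now ignored at runtime when secure boot is enabled, which is the new behaviour introduced by the ima_appraise.c change. Suggest extending the help text so a user enabling both IMA_APPRAISE_BOOTPARAM and IMA_ARCH_POLICY learns that "ima_appraise=" only takes effect on platforms where secure boot is disabled, and that the parameter is logged and ignored otherwise.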
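Review bot: in the ima_appraise.c hunk, the pr_info() format string in default_appraise_setup() has no terminating newline, so the message can run into the next log line; suggest `pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option\n", str);`. Note also that the early `return 1;` sits ahead of the `strncmp(str, "off", 3)` branch, so under secure boot every value of the parameter, including "off", is discarded and the compiled-in default is kept, which matches the commit message's intent but is worth stating in the log text or help text so it is not mistaken for a parsing failure.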