From: Greg Kroah-Hartman Date: Mon, 10 Aug 2020 13:55:52 +0000 (+0200) Subject: 5.8-stable patches X-Git-Tag: v4.19.139~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e1dc81c1f851575375214ab06b172b65bc1c2a3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.8-stable patches added patches: ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch --- diff --git a/queue-5.8/ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch b/queue-5.8/ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch new file mode 100644 index 00000000000..eaffa79478e --- /dev/null +++ b/queue-5.8/ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch 
@@ -0,0 +1,86 @@ +From 311aa6aafea446c2f954cc19d66425bfed8c4b0b Mon Sep 17 00:00:00 2001 +From: Bruno Meneguele +Date: Mon, 13 Jul 2020 13:48:30 -0300 +Subject: ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bruno Meneguele + +commit 311aa6aafea446c2f954cc19d66425bfed8c4b0b upstream. + +The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" +modes - log, fix, enforce - at run time, but not when IMA architecture +specific policies are enabled.  This prevents properly labeling the +filesystem on systems where secure boot is supported, but not enabled on the +platform.  Only when secure boot is actually enabled should these IMA +appraise modes be disabled. + +This patch removes the compile time dependency and makes it a runtime +decision, based on the secure boot state of that platform. + +Test results as follows: + +-> x86-64 with secure boot enabled + +[ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix +[ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option + +-> powerpc with secure boot disabled + +[ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix +[ 0.000000] Secure boot mode disabled + +-> Running the system without secure boot and with both options set: + +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_ARCH_POLICY=y + +Audit prompts "missing-hash" but still allow execution and, consequently, +filesystem labeling: + +type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976 +uid=root auid=root ses=2 +subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data +cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150 +res=no + +Cc: stable@vger.kernel.org +Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") +Signed-off-by: Bruno Meneguele +Cc: stable@vger.kernel.org # 5.0 
+Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/Kconfig | 2 +- + security/integrity/ima/ima_appraise.c | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS + + config IMA_APPRAISE_BOOTPARAM + bool "ima_appraise boot parameter" +- depends on IMA_APPRAISE && !IMA_ARCH_POLICY ++ depends on IMA_APPRAISE + default y + help + This option enables the different "ima_appraise=" modes +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -19,6 +19,12 @@ + static int __init default_appraise_setup(char *str) + { + #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM ++ if (arch_ima_get_secureboot()) { ++ pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", ++ str); ++ return 1; ++ } ++ + if (strncmp(str, "off", 3) == 0) + ima_appraise = 0; + else if (strncmp(str, "log", 3) == 0) diff --git a/queue-5.8/series b/queue-5.8/series index e3ac4974192..68a1e0036e3 100644 --- a/queue-5.8/series +++ b/queue-5.8/series @@ -32,3 +32,4 @@ xattr-break-delegations-in-set-remove-xattr.patch revert-powerpc-kasan-fix-shadow-pages-allocation-failure.patch powerpc-kasan-fix-shadow-pages-allocation-failure.patch pci-tegra-revert-tegra124-raw_violation_fixup.patch +ima-move-appraise_bootparam-dependency-on-arch_policy-to-runtime.patch
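Review bot: in the security/integrity/ima/Kconfig hunk, dropping `!IMA_ARCH_POLICY` from `depends on IMA_APPRAISE && !IMA_ARCH_POLICY` leaves the option's help text ("This option enables the different "ima_appraise=" modes") as the only user-facing description of the parameter, and it no longer tells the user that the parameter is now silently overridden at boot. The help text should state the new runtime rule, e.g. add a line such as "When secure boot is enabled, the ima_appraise= boot parameter is ignored." so that the Kconfig documentation matches the behaviour introduced in ima_appraise.c.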
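Review bot: in the security/integrity/ima/ima_appraise.c hunk, the new `pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", str);` has no trailing "\n"; kernel log messages should be newline terminated so the record is not treated as a continuation of the next printk. Two further checks for this hunk: since the Kconfig hunk now allows IMA_APPRAISE_BOOTPARAM with IMA_ARCH_POLICY disabled, the patch should be built with CONFIG_IMA_ARCH_POLICY=n to confirm that `arch_ima_get_secureboot()` resolves to a stub returning false in that configuration rather than an undefined symbol (the test results in the description only cover the case with both options set); and the early `return 1;` skips the whole strncmp chain, so `ima_appraise=off` is also ignored under secure boot, which is the intent stated in the description but is worth making explicit in the log message or the help text.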
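Review bot: the patch description carries `Cc: stable@vger.kernel.org` twice, once bare and once as `Cc: stable@vger.kernel.org # 5.0`; only the versioned tag is needed, and keeping both leaves the backport target ambiguous for the stable maintainers.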