Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: - kstrdup() return value fix from Eric Biggers - Add new security_load_data hook to differentiate security checking of kernel-loaded binaries in the case of there being no associated file descriptor, from Mimi Zohar. - Add ability to IMA to specify a policy at build-time, rather than just via command line params or by loading a custom policy, from Mimi. - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if using signed firmware), from Mimi. - Allow IMA to deny loading of kexec kernel images, as they cannot be measured by IMA, from Mimi. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: security: check for kstrdup() failure in lsm_append() security: export security_kernel_load_data function ima: based on policy warn about loading firmware (pre-allocated buffer) module: replace the existing LSM hook in init_module ima: add build time policy ima: based on policy require signed firmware (sysfs fallback) firmware: add call to LSM hook before firmware sysfs fallback ima: based on policy require signed kexec kernel images kexec: add call to LSM hook in original kexec_load syscall security: define new LSM hook named security_kernel_load_data MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry
This commit is contained in:
Linus Torvalds
@@ -429,16 +429,14 @@ void ima_post_path_mknod(struct dentry *dentry)
|
||||
*/
|
||||
int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
|
||||
{
|
||||
bool sig_enforce = is_module_sig_enforced();
|
||||
|
||||
if (!file && read_id == READING_MODULE) {
|
||||
if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
|
||||
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
|
||||
pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
|
||||
return -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
}
|
||||
return 0; /* We rely on module signature checking */
|
||||
}
|
||||
/*
|
||||
* READING_FIRMWARE_PREALLOC_BUFFER
|
||||
*
|
||||
* Do devices using pre-allocated memory run the risk of the
|
||||
* firmware being accessible to the device prior to the completion
|
||||
* of IMA's signature verification any more than when using two
|
||||
* buffers?
|
||||
*/
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -472,14 +470,13 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
|
||||
|
||||
if (!file && read_id == READING_FIRMWARE) {
|
||||
if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
|
||||
(ima_appraise & IMA_APPRAISE_ENFORCE))
|
||||
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
|
||||
pr_err("Prevent firmware loading_store.\n");
|
||||
return -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
|
||||
return 0;
|
||||
|
||||
/* permit signed certs */
|
||||
if (!file && read_id == READING_X509_CERTIFICATE)
|
||||
return 0;
|
||||
@@ -496,6 +493,49 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
|
||||
MAY_READ, func);
|
||||
}
|
||||
|
||||
/**
|
||||
* ima_load_data - appraise decision based on policy
|
||||
* @id: kernel load data caller identifier
|
||||
*
|
||||
* Callers of this LSM hook can not measure, appraise, or audit the
|
||||
* data provided by userspace. Enforce policy rules requring a file
|
||||
* signature (eg. kexec'ed kernel image).
|
||||
*
|
||||
* For permission return 0, otherwise return -EACCES.
|
||||
*/
|
||||
int ima_load_data(enum kernel_load_data_id id)
|
||||
{
|
||||
bool sig_enforce;
|
||||
|
||||
if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
|
||||
return 0;
|
||||
|
||||
switch (id) {
|
||||
case LOADING_KEXEC_IMAGE:
|
||||
if (ima_appraise & IMA_APPRAISE_KEXEC) {
|
||||
pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
|
||||
return -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
}
|
||||
break;
|
||||
case LOADING_FIRMWARE:
|
||||
if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
|
||||
pr_err("Prevent firmware sysfs fallback loading.\n");
|
||||
return -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
}
|
||||
break;
|
||||
case LOADING_MODULE:
|
||||
sig_enforce = is_module_sig_enforced();
|
||||
|
||||
if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
|
||||
pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
|
||||
return -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int __init init_ima(void)
|
||||
{
|
||||
int error;
|
||||
|
||||
Reference in New Issue
Block a user