diff options
Diffstat (limited to 'lockdown-fix-coordination-of-kernel-module-signature-verification.patch')
| -rw-r--r-- | lockdown-fix-coordination-of-kernel-module-signature-verification.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/lockdown-fix-coordination-of-kernel-module-signature-verification.patch b/lockdown-fix-coordination-of-kernel-module-signature-verification.patch new file mode 100644 index 000000000..c600f1437 --- /dev/null +++ b/lockdown-fix-coordination-of-kernel-module-signature-verification.patch @@ -0,0 +1,75 @@ +From patchwork Fri Apr 13 15:27:52 2018 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: lockdown: fix coordination of kernel module signature verification +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +X-Patchwork-Id: 10340277 +Message-Id: <1523633272.3272.30.camel@linux.vnet.ibm.com> +To: David Howells <dhowells@redhat.com> +Cc: Luca Boccassi <bluca@debian.org>, + "Bruno E. O. Meneguele" <bmeneg@redhat.com>, + linux-integrity <linux-integrity@vger.kernel.org>, + linux-security-module <linux-security-module@vger.kernel.org>, + linux-kernel <linux-kernel@vger.kernel.org> +Date: Fri, 13 Apr 2018 11:27:52 -0400 + +If both IMA-appraisal and sig_enforce are enabled, then both signatures +are currently required. If the IMA-appraisal signature verification +fails, it could rely on the appended signature verification; but with the +lockdown patch set, the appended signature verification assumes that if +IMA-appraisal is enabled, it has verified the signature. Basically each +signature verification method would be relying on the other to verify the +kernel module signature. + +This patch addresses the problem of requiring both kernel module signature +verification methods, when both are enabled, by verifying just the +appended signature. + +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Acked-by: Bruno E. O. Meneguele <bmeneg@redhat.com> +--- + kernel/module.c | 4 +--- + security/integrity/ima/ima_main.c | 7 ++++++- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 9c1709a05037..60861eb7bc4d 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2803,9 +2803,7 @@ static int module_sig_check(struct load_info *info, int flags, + if (sig_enforce) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; +- } +- +- if (can_do_ima_check && is_ima_appraise_enabled()) ++ } else if (can_do_ima_check && is_ima_appraise_enabled()) + return 0; + if (kernel_is_locked_down(reason)) + return -EPERM; +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index 754ece08e1c6..2155b1f316a4 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -480,6 +480,7 @@ static int read_idmap[READING_MAX_ID] = { + int ima_post_read_file(struct file *file, void *buf, loff_t size, + enum kernel_read_file_id read_id) + { ++ bool sig_enforce = is_module_sig_enforced(); + enum ima_hooks func; + u32 secid; + +@@ -490,7 +491,11 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, + return 0; + } + +- if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ ++ /* ++ * If both IMA-appraisal and appended signature verification are ++ * enabled, rely on the appended signature verification. ++ */ ++ if (sig_enforce && read_id == READING_MODULE) + return 0; + + /* permit signed certs */ |