From 558b523d46289f111d53d7c42211069063be5985 Mon Sep 17 00:00:00 2001 From: Scott Wood Date: Tue, 23 Apr 2019 17:48:07 -0500 Subject: x86/ima: Check EFI_RUNTIME_SERVICES before using Checking efi_enabled(EFI_BOOT) is not sufficient to ensure that EFI runtime services are available, e.g. if efi=noruntime is used. Without this, I get an oops on a PREEMPT_RT kernel where efi=noruntime is the default. Fixes: 399574c64eaf94e8 ("x86/ima: retry detecting secure boot mode") Cc: stable@vger.kernel.org (linux-5.0) Signed-off-by: Scott Wood Signed-off-by: Mimi Zohar --- arch/x86/kernel/ima_arch.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c index 85de790583f9..64b973f0e985 100644 --- a/arch/x86/kernel/ima_arch.c +++ b/arch/x86/kernel/ima_arch.c @@ -18,6 +18,11 @@ static enum efi_secureboot_mode get_sb_mode(void) size = sizeof(secboot); + if (!efi_enabled(EFI_RUNTIME_SERVICES)) { + pr_info("ima: secureboot mode unknown, no efi\n"); + return efi_secureboot_mode_unknown; + } + /* Get variable contents into buffer */ status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid, NULL, &size, &secboot); -- cgit v1.2.3 From f40019475bbbe9b455e7fd4385fcf13896c492ca Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Wed, 15 May 2019 08:18:07 +0200 Subject: ima: fix wrong signed policy requirement when not appraising Kernel booted just with ima_policy=tcb (not with ima_policy=appraise_tcb) shouldn't require signed policy. Regression found with LTP test ima_policy.sh. Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") Cc: stable@vger.kernel.org (linux-5.0) Signed-off-by: Petr Vorel Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..0f6fe53cef09 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_entry *entries, int count, list_add_tail(&entry->list, &ima_policy_rules); } - if (entries[i].action == APPRAISE) + if (entries[i].action == APPRAISE) { temp_ima_appraise |= ima_appraise_flag(entries[i].func); - if (entries[i].func == POLICY_CHECK) - temp_ima_appraise |= IMA_APPRAISE_POLICY; + if (entries[i].func == POLICY_CHECK) + temp_ima_appraise |= IMA_APPRAISE_POLICY; + } } } -- cgit v1.2.3 From 221be106d75c1b511973301542f47d6000d0b63e Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Wed, 29 May 2019 15:30:33 +0200 Subject: evm: check hash algorithm passed to init_desc() This patch prevents memory access beyond the evm_tfm array by checking the validity of the index (hash algorithm) passed to init_desc(). The hash algorithm can be arbitrarily set if the security.ima xattr type is not EVM_XATTR_HMAC. Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures") Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_crypto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index e11564eb645b..82a38e801ee4 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo) tfm = &hmac_tfm; algo = evm_hmac; } else { + if (hash_algo >= HASH_ALGO__LAST) + return ERR_PTR(-EINVAL); + tfm = &evm_tfm[hash_algo]; algo = hash_algo_name[hash_algo]; } -- cgit v1.2.3 From 8cdc23a3d9ec0944000ad43bad588e36afdc38cd Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Wed, 29 May 2019 15:30:35 +0200 Subject: ima: show rules with IMA_INMASK correctly Show the '^' character when a policy rule has flag IMA_INMASK. Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy") Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 0f6fe53cef09..1cc822a59054 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1147,10 +1147,10 @@ enum { }; static const char *const mask_tokens[] = { - "MAY_EXEC", - "MAY_WRITE", - "MAY_READ", - "MAY_APPEND" + "^MAY_EXEC", + "^MAY_WRITE", + "^MAY_READ", + "^MAY_APPEND" }; #define __ima_hook_stringify(str) (#str), @@ -1210,6 +1210,7 @@ int ima_policy_show(struct seq_file *m, void *v) struct ima_rule_entry *entry = v; int i; char tbuf[64] = {0,}; + int offset = 0; rcu_read_lock(); @@ -1233,15 +1234,17 @@ int ima_policy_show(struct seq_file *m, void *v) if (entry->flags & IMA_FUNC) policy_func_show(m, entry->func); - if (entry->flags & IMA_MASK) { + if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { + if (entry->flags & IMA_MASK) + offset = 1; if (entry->mask & MAY_EXEC) - seq_printf(m, pt(Opt_mask), mt(mask_exec)); + seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); if (entry->mask & MAY_WRITE) - seq_printf(m, pt(Opt_mask), mt(mask_write)); + seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); if (entry->mask & MAY_READ) - seq_printf(m, pt(Opt_mask), mt(mask_read)); + seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); if (entry->mask & MAY_APPEND) - seq_printf(m, pt(Opt_mask), mt(mask_append)); + seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); seq_puts(m, " "); } -- cgit v1.2.3