Thread (82 messages) 82 messages, 17 authors, 2017-05-02

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

From: Mimi Zohar <hidden>
Date: 2017-04-07 07:46:46
Also in: kexec, linux-efi, lkml

On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote:
Mimi Zohar [off-list ref] wrote:
quoted
quoted
quoted
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+		return -EPERM;
+
 
IMA can be used to verify file signatures too, based on the LSM hooks
in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be
required.
Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
Not quite, since as Dave pointed out, IMA is policy driven. ?As a
policy is installed, we could set a flag.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help