[PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback)

[PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-05-29
[PATCH v4 1/8] security: define new LSM hook named security_kernel_load_data · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 1/8] security: define new LSM hook named security_kernel_load_data · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-04
[PATCH v4 2/8] kexec: add call to LSM hook in original kexec_load syscall · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 2/8] kexec: add call to LSM hook in original kexec_load syscall · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-04
[PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · Mimi Zohar <hidden> · 2018-06-01
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · Mimi Zohar <hidden> · 2018-06-01
[PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
[PATCH v4 6/8] ima: add build time policy · Mimi Zohar <hidden> · 2018-05-29
[RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · Mimi Zohar <hidden> · 2018-05-29
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · Kees Cook <hidden> · 2018-06-05
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · Ard Biesheuvel <hidden> · 2018-06-06
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-06
[PATCH v4 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Paul Moore <paul@paul-moore.com> · 2018-05-29
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Paul Moore <paul@paul-moore.com> · 2018-05-30
[PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-31
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Paul Moore <paul@paul-moore.com> · 2018-06-01
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Jessica Yu <jeyu@kernel.org> · 2018-06-04
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-06-05
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-06-05
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-29
[PATCH v4 3/8] ima: based on policy require signed kexec kernel images · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Kees Cook <hidden> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-06-05

From: Mimi Zohar <hidden>
Date: 2018-06-01 22:40:18
Also in: kexec, linux-integrity, lkml

On Fri, 2018-06-01 at 20:21 +0200, Luis R. Rodriguez wrote:

On Tue, May 29, 2018 at 02:01:57PM -0400, Mimi Zohar wrote:

quoted

Luis, is the security_kernel_post_read_file LSM hook in
firmware_loading_store() still needed after this patch?  Should it be
calling security_kernel_load_data() instead?

That's up to Kees to decide as he added that hook, and knows
what LSMs may be doing with it. From my perspective it is confusing
to have that hook there so I think it could be removed now.

Kees?

Commit?6593d92 ("firmware_class: perform new LSM checks") references
two methods of loading firmware -??filesystem-found firmware and
demand-loaded blobs. ?I assume this call in firmware_loading_store()
is the demand-loaded blobs. ?Does that method still exist? ?Is it
still being used?

  Luis

quoted

---

With an IMA policy requiring signed firmware, this patch prevents
the sysfs fallback method of loading firmware.

Signed-off-by: Mimi Zohar <redacted>
Cc: Luis R. Rodriguez <redacted>
Cc: David Howells <dhowells@redhat.com>
Cc: Matthew Garrett <redacted>
---
 security/integrity/ima/ima_main.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index a565d46084c2..4a87f78098c8 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c

@@ -475,8 +475,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
 
 	if (!file && read_id == READING_FIRMWARE) {
 		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
-		    (ima_appraise & IMA_APPRAISE_ENFORCE))
+		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+			pr_err("Prevent firmware loading_store.\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
+		}
 		return 0;
 	}

@@ -520,6 +522,12 @@ int ima_load_data(enum kernel_load_data_id id)
 			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
 		}
+		break;
+	case LOADING_FIRMWARE:
+		if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
+			pr_err("Prevent firmware sysfs fallback loading.\n");
+			return -EACCES;	/* INTEGRITY_UNKNOWN */
+		}
 	default:
 		break;
 	}

-- 
2.7.5

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help