[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Dave Young
dyoung at redhat.com
Fri Apr 7 06:19:35 UTC 2017
On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > On 04/05/17 at 09:15pm, David Howells wrote:
> > > From: Chun-Yi Lee <joeyli.kernel at gmail.com>
> > >
> > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > through kexec_file systemcall if securelevel has been set.
> > >
> > > This code was showed in Matthew's patch but not in git:
> > > https://lkml.org/lkml/2015/3/13/778
> > >
> > > Cc: Matthew Garrett <mjg59 at srcf.ucam.org>
> > > Signed-off-by: Chun-Yi Lee <jlee at suse.com>
> > > Signed-off-by: David Howells <dhowells at redhat.com>
> > > cc: kexec at lists.infradead.org
> > > ---
> > >
> > > kernel/kexec_file.c | 6 ++++++
> > > 1 file changed, 6 insertions(+)
> > >
> > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > index b118735fea9d..f6937eecd1eb 100644
> > > --- a/kernel/kexec_file.c
> > > +++ b/kernel/kexec_file.c
> > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > return -EPERM;
> > >
> > > + /* Don't permit images to be loaded into trusted kernels if we're not
> > > + * going to verify the signature on them
> > > + */
> > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > + return -EPERM;
> > > +
> > >
>
> IMA can be used to verify file signatures too, based on the LSM hooks
> in kernel_read_file_from_fd(). CONFIG_KEXEC_VERIFY_SIG should not be
> required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
>
> Mimi
>
>
> > /* Make sure we have a legal set of flags */
> > > if (flags != (flags & KEXEC_FILE_FLAGS))
> > > return -EINVAL;
> > >
> > >
> > > _______________________________________________
> > > kexec mailing list
> > > kexec at lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/kexec
> >
> > Acked-by: Dave Young <dyoung at redhat.com>
> >
> > Thanks
> > Dave
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo at vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list