[PATCH v2 11/11] ima: Support additional conditionals in the KEXEC_CMDLINE hook function

Lakshmi Ramasubramanian nramas at linux.microsoft.com
Sun Jun 28 00:03:11 UTC 2020


On 6/26/20 3:39 PM, Tyler Hicks wrote:
> Take the properties of the kexec kernel's inode and the current task
> ownership into consideration when matching a KEXEC_CMDLINE operation to
> the rules in the IMA policy. This allows for some uniformity when
> writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
> and KEXEC_CMDLINE operations.
> 
> Prior to this patch, it was not possible to write a set of rules like
> this:
> 
>   dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
>   dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
>   dont_measure func=KEXEC_CMDLINE obj_type=foo_t
>   measure func=KEXEC_KERNEL_CHECK
>   measure func=KEXEC_INITRAMFS_CHECK
>   measure func=KEXEC_CMDLINE
> 
> The inode information associated with the kernel being loaded by a
> kexec_kernel_load(2) syscall can now be included in the decision to
> measure or not
> 
> Additonally, the uid, euid, and subj_* conditionals can also now be
> used in KEXEC_CMDLINE rules. There was no technical reason as to why
> those conditionals weren't being considered previously other than
> ima_match_rules() didn't have a valid inode to use so it immediately
> bailed out for KEXEC_CMDLINE operations rather than going through the
> full list of conditional comparisons.
> 
> Signed-off-by: Tyler Hicks <tyhicks at linux.microsoft.com>
> Cc: Eric Biederman <ebiederm at xmission.com>
> Cc: kexec at lists.infradead.org
> ---
> 
> * v2
>    - Moved the inode parameter of process_buffer_measurement() to be the
>      first parameter so that it more closely matches process_masurement()
> 
>   include/linux/ima.h                          |  4 ++--
>   kernel/kexec_file.c                          |  2 +-
>   security/integrity/ima/ima.h                 |  2 +-
>   security/integrity/ima/ima_api.c             |  2 +-
>   security/integrity/ima/ima_appraise.c        |  2 +-
>   security/integrity/ima/ima_asymmetric_keys.c |  2 +-
>   security/integrity/ima/ima_main.c            | 23 +++++++++++++++-----
>   security/integrity/ima/ima_policy.c          | 17 +++++----------
>   security/integrity/ima/ima_queue_keys.c      |  2 +-
>   9 files changed, 31 insertions(+), 25 deletions(-)
> 

Reviewed-by: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>



More information about the Linux-security-module-archive mailing list