Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
From: joeyli
Date: Thu Oct 26 2017 - 03:43:00 EST
Hi Mimi,
Thank you for reviewing.
On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > From: Chun-Yi Lee <joeyli.kernel@xxxxxxxxx>
> >
> > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > through kexec_file systemcall if securelevel has been set.
>
> The patch title and description needs to be updated to refer to
> lockdown, not securelevel.
>
> As previously mentioned the last time these patches were posted, this
> leaves out testing to see if the integrity subsystem is enabled.
>
> Commit 503ceaef8e2e "ima: define a set of appraisal rules requiring
> file signatures" was upstreamed. An additional patch could force
> these rules to be added to the custom policy, if lockdown is enabled.
> This and other patches in this series could then check to see if
> is_ima_appraise_enabled() is true.
>
> Mimi
>
I have updated the patch title and description, and I also added
is_ima_appraise_enabled() as the following. Is it good to you?
On the other hand, I am not good on IMA. I have traced the code path
in kimage_file_prepare_segments(). Looks that the READING_KEXEC_IMAGE
doesn't show in selinux_kernel_read_file(). Where is the exact code
in IMA for checking the signature when loading crash kernel file?
Thanks a lot!
Joey Lee
---