Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
From: Mimi Zohar
Date: Thu Oct 26 2017 - 10:18:06 EST
On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> Hi Mimi,
>
> Thank you for reviewing.
>
> On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > > From: Chun-Yi Lee <joeyli.kernel@xxxxxxxxx>
> > >
> > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > through kexec_file systemcall if securelevel has been set.
> >
> > The patch title and description needs to be updated to refer to
> > lockdown, not securelevel.
> >
> > As previously mentioned the last time these patches were posted, this
> > leaves out testing to see if the integrity subsystem is enabled.
> >
> > Commit 503ceaef8e2e "ima: define a set of appraisal rules requiring
> > file signatures" was upstreamed. ÂAn additional patch could force
> > these rules to be added to the custom policy, if lockdown is enabled.
> > ÂThis and other patches in this series could then check to see if
> > is_ima_appraise_enabled() is true.
> >
> > Mimi
> >
>
> I have updated the patch title and description, and I also added
> is_ima_appraise_enabled() as the following. Is it good to you?
Yes, that works. ÂThanks! ÂRemember is_ima_appraise_enabled() is
dependent on the "ima: require secure_boot rules in lockdown mode"
patch -Âhttp://kernsec.org/pipermail/linux-security-module-archive/201
7-October/003910.html.
The IMA "secure_boot" policy can be specified on the boot command line
as ima_policy="secure_boot". ÂIt requires kernel modules, firmware,
kexec kernel image and the IMA custom policy to be signed. ÂIn
lockdown mode, these rules are enabled by default and added to the
custom policy.
> On the other hand, I am not good on IMA. I have traced the code path
> in kimage_file_prepare_segments(). Looks that the READING_KEXEC_IMAGE
> doesn't show in selinux_kernel_read_file(). Where is the exact code
> in IMA for checking the signature when loading crash kernel file?
kernel_read_file_from_fd() calls the security_kernel_read_file() and
security_kernel_post_read_file() hooks, which call ima_read_file() and
ima_post_read_file() respectively.
Mimi