diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-02-21 11:36:32 -0500 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-03-23 06:31:37 -0400 |
commit | 9e67028e76514a8ee279d7d006dfb8069b5115ab (patch) | |
tree | 9827bd28b629bf69db447666494194d118d58e25 /security/integrity/ima/ima_appraise.c | |
parent | a9a4935d44b58c858a81393694bc232a96cdcbd4 (diff) | |
download | linux-9e67028e76514a8ee279d7d006dfb8069b5115ab.tar.gz linux-9e67028e76514a8ee279d7d006dfb8069b5115ab.tar.bz2 linux-9e67028e76514a8ee279d7d006dfb8069b5115ab.zip |
ima: fail signature verification based on policy
This patch addresses the fuse privileged mounted filesystems in
environments which are unwilling to accept the risk of trusting the
signature verification and want to always fail safe, but are for example
using a pre-built kernel.
This patch defines a new builtin policy named "fail_securely", which can
be specified on the boot command line as an argument to "ima_policy=".
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'security/integrity/ima/ima_appraise.c')
-rw-r--r-- | security/integrity/ima/ima_appraise.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 4bafb397ee91..0c5f94b7b9c3 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func, out: /* * File signatures on some filesystems can not be properly verified. - * On these filesytems, that are mounted by an untrusted mounter, - * fail the file signature verification. + * When such filesystems are mounted by an untrusted mounter or on a + * system not willing to accept such a risk, fail the file signature + * verification. */ - if ((inode->i_sb->s_iflags & - (SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) == - (SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) { + if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && + ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) || + (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) { status = INTEGRITY_FAIL; cause = "unverifiable-signature"; integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, |