diff options
author | Bruno Meneguele <bmeneg@redhat.com> | 2020-09-04 22:20:20 -0300 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2020-09-09 20:01:55 -0400 |
commit | e4d7e2df3a0903601bf12eb6ef1f0c8fa1042204 (patch) | |
tree | 47b5cef9ab3a14b5fa00994f531cc4ee865b6ef5 /security | |
parent | 7fe2bb7e7e5cf91d03ff9c35b7b997d088916cbc (diff) | |
download | lwn-e4d7e2df3a0903601bf12eb6ef1f0c8fa1042204.tar.gz lwn-e4d7e2df3a0903601bf12eb6ef1f0c8fa1042204.zip |
ima: limit secure boot feedback scope for appraise
Only emit an unknown/invalid message when setting the IMA appraise mode
to anything other than "enforce", when secureboot is enabled.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
[zohar@linux.ibm.com: updated commit message]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_appraise.c | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 2193b51c2743..4f028f6e8f8d 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -19,22 +19,29 @@ static int __init default_appraise_setup(char *str) { #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM - if (arch_ima_get_secureboot()) { - pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", - str); - return 1; - } + bool sb_state = arch_ima_get_secureboot(); + int appraisal_state = ima_appraise; if (strncmp(str, "off", 3) == 0) - ima_appraise = 0; + appraisal_state = 0; else if (strncmp(str, "log", 3) == 0) - ima_appraise = IMA_APPRAISE_LOG; + appraisal_state = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) - ima_appraise = IMA_APPRAISE_FIX; + appraisal_state = IMA_APPRAISE_FIX; else if (strncmp(str, "enforce", 7) == 0) - ima_appraise = IMA_APPRAISE_ENFORCE; + appraisal_state = IMA_APPRAISE_ENFORCE; else pr_err("invalid \"%s\" appraise option", str); + + /* If appraisal state was changed, but secure boot is enabled, + * keep its default */ + if (sb_state) { + if (!(appraisal_state & IMA_APPRAISE_ENFORCE)) + pr_info("Secure boot enabled: ignoring ima_appraise=%s option", + str); + } else { + ima_appraise = appraisal_state; + } #endif return 1; } |