Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-17 17:41:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
db2045f589
linux/security
History
Tyler Hicks db2045f589 ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond 
The KEXEC_CMDLINE hook function only supports the pcr conditional. Make
this clear at policy load so that IMA policy authors don't assume that
other conditionals are supported.

Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned
true on any loaded KEXEC_CMDLINE rule without any consideration for
other conditionals present in the rule. Make it clear that pcr is the
only supported KEXEC_CMDLINE conditional by returning an error during
policy load.

An example of why this is a problem can be explained with the following
rule:

 dont_measure func=KEXEC_CMDLINE obj_type=foo_t

An IMA policy author would have assumed that rule is valid because the
parser accepted it but the result was that measurements for all
KEXEC_CMDLINE operations would be disabled.

Fixes: b0935123a1 ("IMA: Define a new hook to measure the kexec boot command line arguments")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-07-16 21:53:55 -04:00
..
apparmor linux-kselftest-kunit-5.8-rc1 2020-06-09 10:04:47 -07:00
bpf bpf: lsm: Initialize the BPF LSM hooks 2020-03-30 01:34:00 +02:00
integrity ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond 2020-07-16 21:53:55 -04:00
keys Notifications over pipes + Keyring notifications 2020-06-13 09:56:21 -07:00
loadpin proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
lockdown Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2020-06-02 17:36:24 -07:00
safesetid security/safesetid: Replace rcu_swap_protected() with rcu_replace_pointer() 2019-10-30 08:45:57 -07:00
selinux selinux/stable-5.8 PR 20200621 2020-06-21 15:41:24 -07:00
smack Notifications over pipes + Keyring notifications 2020-06-13 09:56:21 -07:00
tomoyo treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
yama sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
commoncap.c exec: Compute file based creds only once 2020-05-29 22:00:54 -05:00
device_cgroup.c device_cgroup: Cleanup cgroup eBPF device filter code 2020-04-13 14:41:54 -04:00
inode.c Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
Kconfig bpf: lsm: Initialize the BPF LSM hooks 2020-03-30 01:34:00 +02:00
Kconfig.hardening meminit fix 2019-07-28 12:33:15 -07:00
lsm_audit.c security,lockdown,selinux: implement SELinux lockdown 2019-12-09 17:53:58 -05:00
Makefile device_cgroup: Cleanup cgroup eBPF device filter code 2020-04-13 14:41:54 -04:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c Add additional LSM hooks for SafeSetID 2020-06-14 11:39:31 -07:00