Commit e4d7e2df authored by Bruno Meneguele's avatar Bruno Meneguele Committed by Mimi Zohar
Browse files

ima: limit secure boot feedback scope for appraise 



Only emit an unknown/invalid message when setting the IMA appraise mode
to anything other than "enforce", when secureboot is enabled.

Signed-off-by: default avatarBruno Meneguele <bmeneg@redhat.com>
[zohar@linux.ibm.com: updated commit message]
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 7fe2bb7e

security/integrity/ima/ima_appraise.c

+16 −9
Original line number Diff line number Diff line
@@ -19,22 +19,29 @@ 
static int __init default_appraise_setup(char *str)

{

#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM

	if (arch_ima_get_secureboot()) {

		pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",

			str);

		return 1;

	}

	bool sb_state = arch_ima_get_secureboot();

	int appraisal_state = ima_appraise;



	if (strncmp(str, "off", 3) == 0)

		ima_appraise = 0;

		appraisal_state = 0;

	else if (strncmp(str, "log", 3) == 0)

		ima_appraise = IMA_APPRAISE_LOG;

		appraisal_state = IMA_APPRAISE_LOG;

	else if (strncmp(str, "fix", 3) == 0)

		ima_appraise = IMA_APPRAISE_FIX;

		appraisal_state = IMA_APPRAISE_FIX;

	else if (strncmp(str, "enforce", 7) == 0)

		ima_appraise = IMA_APPRAISE_ENFORCE;

		appraisal_state = IMA_APPRAISE_ENFORCE;

	else

		pr_err("invalid \"%s\" appraise option", str);



	/* If appraisal state was changed, but secure boot is enabled,

	 * keep its default */

	if (sb_state) {

		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))

			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",

				str);

	} else {

		ima_appraise = appraisal_state;

	}

#endif

	return 1;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE