From: Jiri Bohac <jbo...@suse.cz>

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down unless IMA can be used to validate the image.
[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns] Signed-off-by: Jiri Bohac <jbo...@suse.cz> Signed-off-by: David Howells <dhowe...@redhat.com> Reviewed-by: Jiri Bohac <jbo...@suse.cz> Cc: Matthew Garrett <mj...@srcf.ucam.org> cc: Chun-Yi Lee <j...@suse.com> cc: ke...@lists.infradead.org --- include/linux/ima.h | 6 ++++++ kernel/kexec_file.c | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..b35ed0725a05 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,4 +127,10 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +static inline bool is_ima_kexec_appraise_enabled(void) +{ + return IS_ENABLED(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS); +} + #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 67f3a866eabe..b4e938dff4be 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -239,6 +239,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + if (is_ima_kexec_appraise_enabled()) + break; + + if (kernel_is_locked_down(reason)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable -- 2.21.0.352.gf09ad66450-goog
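Review bot: the new is_ima_kexec_appraise_enabled() helper in include/linux/ima.h has no comment, and its name is broader than what it tests: it returns IS_ENABLED(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS), that is, whether kexec signature appraisal is compiled in as mandatory, not whether IMA appraisal is active on the running kernel. Since kernel/kexec_file.c uses the result to decide whether the lockdown check may be skipped, a short comment stating that this is a compile-time answer and why that is sufficient for the lockdown decision would help; a narrower name such as is_ima_kexec_sig_required() would also avoid the ambiguity. Placing the helper after #endif /* CONFIG_IMA_APPRAISE */ correctly makes it available in every configuration.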
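Review bot: the new branch in kimage_file_prepare_segments() calls kernel_is_locked_down(reason), but neither the reason variable nor an include of linux/ima.h for is_ima_kexec_appraise_enabled() appears in this diff, so the hunk only builds if the previous patch supplies both; the commit message should say so, or the include should be added here. The ordering also means that when CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS is set the lockdown check is skipped outright on the strength of a compile-time option, and the early break leaves ret = 0 so the image proceeds; a comment should state that IMA appraisal is then relied on to reject an unsigned image at runtime. Making lockdown the primary condition reads more clearly and is equivalent: `if (kernel_is_locked_down(reason) && !is_ima_kexec_appraise_enabled()) { ret = -EPERM; goto out; }` followed by the existing break.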