Hi Jiri, Thank you for thinking about IMA.
On Thu, 2019-02-28 at 15:11 -0800, Matthew Garrett wrote: > From: Jiri Bohac <jbo...@suse.cz> > > When KEXEC_SIG is not enabled, kernel should not load images through > kexec_file systemcall if the kernel is locked down unless IMA can be used > to validate the image. This patch is a partial solution, but it doesn't take into account the architecture specific or custom policies. Mimi > [Modified by David Howells to fit with modifications to the previous patch > and to return -EPERM if the kernel is locked down for consistency with > other lockdowns] > > Signed-off-by: Jiri Bohac <jbo...@suse.cz> > Signed-off-by: David Howells <dhowe...@redhat.com> > Reviewed-by: Jiri Bohac <jbo...@suse.cz> > Cc: Matthew Garrett <mj...@srcf.ucam.org> > cc: Chun-Yi Lee <j...@suse.com> > cc: ke...@lists.infradead.org > --- > include/linux/ima.h | 6 ++++++ > kernel/kexec_file.c | 8 ++++++++ > 2 files changed, 14 insertions(+) > > diff --git a/include/linux/ima.h b/include/linux/ima.h > index b5e16b8c50b7..b35ed0725a05 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -127,4 +127,10 @@ static inline int ima_inode_removexattr(struct dentry > *dentry, > return 0; > } > #endif /* CONFIG_IMA_APPRAISE */ > + > +static inline bool is_ima_kexec_appraise_enabled(void) > +{ > + return IS_ENABLED(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS); > +} > + > #endif /* _LINUX_IMA_H */ > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index 67f3a866eabe..b4e938dff4be 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -239,6 +239,14 @@ kimage_file_prepare_segments(struct kimage *image, int > kernel_fd, int initrd_fd, > } > > ret = 0; > + if (is_ima_kexec_appraise_enabled()) > + break; > + > + if (kernel_is_locked_down(reason)) { > + ret = -EPERM; > + goto out; > + } > + > break; > > /* All other errors are fatal, including nomem, unparseable
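Review bot: In the include/linux/ima.h hunk, is_ima_kexec_appraise_enabled() answers a build-time question (whether CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS is compiled in), not whether the running kernel's IMA policy will actually appraise this kexec image; since the helper sits outside the CONFIG_IMA_APPRAISE block it is unconditionally available and will report "enabled" on a kernel whose loaded policy (architecture-specific or custom, as Mimi points out) never appraises kexec images. Suggest the helper consult the active IMA policy at runtime, or at least document that callers must not treat its result as a guarantee that appraisal occurs.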
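Review bot: In the kernel/kexec_file.c hunk, the early `break` on is_ima_kexec_appraise_enabled() skips the lockdown check entirely, so in the branch where kexec_file signature verification did not succeed (the `ret = 0;` path just above), a locked-down kernel will accept the image purely on the strength of a Kconfig symbol rather than on a verified signature or a confirmed IMA appraisal; consider making the lockdown refusal the default and only relaxing it once IMA is known to appraise the image. Two smaller points for the same hunk: `reason` is used in kernel_is_locked_down(reason) but not declared in the visible lines, so the dependency on the previous patch should be stated in the commit message, and the hunk adds a caller of an ima.h helper without showing an include, so confirm kexec_file.c already pulls in <linux/ima.h>.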