ima: based on policy require signed kexec kernel images The original kexec_load syscall can not verify file signatures, nor can the kexec image be measured. Based on policy, deny the kexec_load syscall. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>

commit: 16c267aac86b463b1fcccd43c89f4c8e5c5c86fa [log] [tgz]
author: Mimi Zohar <zohar@linux.vnet.ibm.com> Fri Jul 13 14:05:58 2018 -0400
committer: James Morris <james.morris@microsoft.com> Mon Jul 16 12:31:57 2018 -0700
tree: 550e6fcb00d732a3c018b3258302f8ffd61a4379
parent: a210fd32a46bae6d05b43860fe3b47732501d63b [diff] [blame]
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index cdcc9a7..d5b4958 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c

@@ -448,6 +448,8 @@ static int ima_appraise_flag(enum ima_hooks func)
 		return IMA_APPRAISE_FIRMWARE;
 	else if (func == POLICY_CHECK)
 		return IMA_APPRAISE_POLICY;
+	else if (func == KEXEC_KERNEL_CHECK)
+		return IMA_APPRAISE_KEXEC;
 	return 0;
 }
commit	16c267aac86b463b1fcccd43c89f4c8e5c5c86fa	[log] [tgz]
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	Fri Jul 13 14:05:58 2018 -0400
committer	James Morris <james.morris@microsoft.com>	Mon Jul 16 12:31:57 2018 -0700
tree	550e6fcb00d732a3c018b3258302f8ffd61a4379
parent	a210fd32a46bae6d05b43860fe3b47732501d63b [diff] [blame]