ima: require secure_boot rules in lockdown mode

Require the "secure_boot" rules, whether or not it is specified
on the boot command line, for both the builtin and custom policies
in secure boot lockdown mode.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0003-ima-require-secure_boot-rules-in-lockdown-mode.patch

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 7b53f2ca58e285f75c21286e7e405f118117fe7b..045f381ef41fdb4fff50d9962f571e794cbbd17f 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -554,6 +554,7 @@ static int __init ima_init_arch_policy(void)
 void __init ima_init_policy(void)
 {
        int build_appraise_entries, arch_entries;
+       bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
 
        /* if !ima_policy, we load NO default rules */
        if (ima_policy)
@@ -591,7 +592,7 @@ void __init ima_init_policy(void)
         * Insert the builtin "secure_boot" policy rules requiring file
         * signatures, prior to other appraise rules.
         */
-       if (ima_use_secure_boot)
+       if (ima_use_secure_boot || kernel_locked_down)
                add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
                          IMA_DEFAULT_POLICY);