From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Mon, 18 Feb 2019 12:44:58 +0000 (+0000)
Subject: ima: require secure_boot rules in lockdown mode
X-Git-Tag: archive/raspbian/5.2.17-1+rpi1^2~58
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ad2ca771b112424fdb84168098239cbb49478ddd;p=linux.git

ima: require secure_boot rules in lockdown mode

Require the "secure_boot" rules, whether or not it is specified
on the boot command line, for both the builtin and custom policies
in secure boot lockdown mode.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0003-ima-require-secure_boot-rules-in-lockdown-mode.patch
---

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 7b53f2ca58e..045f381ef41 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -554,6 +554,7 @@ static int __init ima_init_arch_policy(void)
 void __init ima_init_policy(void)
 {
 	int build_appraise_entries, arch_entries;
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
 
 	/* if !ima_policy, we load NO default rules */
 	if (ima_policy)
@@ -591,7 +592,7 @@ void __init ima_init_policy(void)
 	 * Insert the builtin "secure_boot" policy rules requiring file
 	 * signatures, prior to other appraise rules.
 	 */
-	if (ima_use_secure_boot)
+	if (ima_use_secure_boot || kernel_locked_down)
 		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
 			  IMA_DEFAULT_POLICY);