diff options
| author | Ming Liu <liu.ming50@gmail.com> | 2021-04-08 20:38:14 +0200 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2021-04-12 07:07:11 -0700 |
| commit | 076e75d5cc1fe7b43af8dcd10d8b2b18af422c84 (patch) | |
| tree | 87b360346c5fd05ba23b8ecedbbb9096e3e4d1d4 | |
| parent | 269cd6a9a2ac11c563cbfd808e276f05b4a1d130 (diff) | |
| download | meta-security-076e75d5cc1fe7b43af8dcd10d8b2b18af422c84.tar.gz | |
initramfs-framework-ima: introduce IMA_FORCE
Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.
This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.
Signed-off-by: Sergio Prado <sergio.prado@toradex.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb | 5 | ||||
| -rw-r--r-- | meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima | 9 |
2 files changed, 12 insertions, 2 deletions
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 77f6f7c..6471c53 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb | |||
| @@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 | |||
| 14 | # to this recipe can just point towards one of its own files. | 14 | # to this recipe can just point towards one of its own files. |
| 15 | IMA_POLICY ?= "ima-policy-hashed" | 15 | IMA_POLICY ?= "ima-policy-hashed" |
| 16 | 16 | ||
| 17 | # Force proceed IMA procedure even 'no_ima' boot parameter is available. | ||
| 18 | IMA_FORCE ?= "false" | ||
| 19 | |||
| 17 | SRC_URI = " file://ima" | 20 | SRC_URI = " file://ima" |
| 18 | 21 | ||
| 19 | inherit features_check | 22 | inherit features_check |
| @@ -23,6 +26,8 @@ do_install () { | |||
| 23 | install -d ${D}/${sysconfdir}/ima | 26 | install -d ${D}/${sysconfdir}/ima |
| 24 | install -d ${D}/init.d | 27 | install -d ${D}/init.d |
| 25 | install ${WORKDIR}/ima ${D}/init.d/20-ima | 28 | install ${WORKDIR}/ima ${D}/init.d/20-ima |
| 29 | |||
| 30 | sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima | ||
| 26 | } | 31 | } |
| 27 | 32 | ||
| 28 | FILES_${PN} = "/init.d ${sysconfdir}" | 33 | FILES_${PN} = "/init.d ${sysconfdir}" |
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima index cff26a3..8971494 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima | |||
| @@ -2,11 +2,16 @@ | |||
| 2 | # | 2 | # |
| 3 | # Loads IMA policy into the kernel. | 3 | # Loads IMA policy into the kernel. |
| 4 | 4 | ||
| 5 | force_ima=@@FORCE_IMA@@ | ||
| 6 | |||
| 5 | ima_enabled() { | 7 | ima_enabled() { |
| 6 | if [ "$bootparam_no_ima" = "true" ]; then | 8 | if [ "$force_ima" = "true" ]; then |
| 9 | return 0 | ||
| 10 | elif [ "$bootparam_no_ima" = "true" ]; then | ||
| 7 | return 1 | 11 | return 1 |
| 12 | else | ||
| 13 | return 0 | ||
| 8 | fi | 14 | fi |
| 9 | return 0 | ||
| 10 | } | 15 | } |
| 11 | 16 | ||
| 12 | ima_run() { | 17 | ima_run() { |