diff options
author | Bruno Meneguele <bmeneg@redhat.com> | 2020-09-04 21:40:58 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2020-09-09 04:03:50 +0200 |
commit | 7fe2bb7e7e5cf91d03ff9c35b7b997d088916cbc (patch) | |
tree | 168c14e992c4182c23eb0cc81867bedea79dcaff /security/integrity | |
parent | ima: add check for enforced appraise option (diff) | |
download | linux-7fe2bb7e7e5cf91d03ff9c35b7b997d088916cbc.tar.xz linux-7fe2bb7e7e5cf91d03ff9c35b7b997d088916cbc.zip |
integrity: invalid kernel parameters feedback
Don't silently ignore unknown or invalid ima_{policy,appraise,hash} and evm
kernel boot command line options.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/evm/evm_main.c | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_appraise.c | 2 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 13 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 2 |
4 files changed, 16 insertions, 4 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 0d36259b690d..6ae00fee1d34 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -59,6 +59,9 @@ static int __init evm_set_fixmode(char *str) { if (strncmp(str, "fix", 3) == 0) evm_fixmode = 1; + else + pr_err("invalid \"%s\" mode", str); + return 0; } __setup("evm=", evm_set_fixmode); diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 580b771e3458..2193b51c2743 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -33,6 +33,8 @@ static int __init default_appraise_setup(char *str) ima_appraise = IMA_APPRAISE_FIX; else if (strncmp(str, "enforce", 7) == 0) ima_appraise = IMA_APPRAISE_ENFORCE; + else + pr_err("invalid \"%s\" appraise option", str); #endif return 1; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 8a91711ca79b..2b22932b140d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -50,18 +50,23 @@ static int __init hash_setup(char *str) return 1; if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { - if (strncmp(str, "sha1", 4) == 0) + if (strncmp(str, "sha1", 4) == 0) { ima_hash_algo = HASH_ALGO_SHA1; - else if (strncmp(str, "md5", 3) == 0) + } else if (strncmp(str, "md5", 3) == 0) { ima_hash_algo = HASH_ALGO_MD5; - else + } else { + pr_err("invalid hash algorithm \"%s\" for template \"%s\"", + str, IMA_TEMPLATE_IMA_NAME); return 1; + } goto out; } i = match_string(hash_algo_name, HASH_ALGO__LAST, str); - if (i < 0) + if (i < 0) { + pr_err("invalid hash algorithm \"%s\"", str); return 1; + } ima_hash_algo = i; out: diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fe1df373c113..34221789c092 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -241,6 +241,8 @@ static int __init policy_setup(char *str) ima_use_secure_boot = true; else if (strcmp(p, "fail_securely") == 0) ima_fail_unverifiable_sigs = true; + else + pr_err("policy \"%s\" not found", p); } return 1; |