ima: limit secure boot feedback scope for appraise

Only emit an unknown/invalid message when setting the IMA appraise mode to anything other than "enforce", when secureboot is enabled. Signed-off-by: Bruno Meneguele <[email protected]> [[email protected]: updated commit message] Signed-off-by: Mimi Zohar <[email protected]>
josf · Sep 10, 2020 · e4d7e2d · e4d7e2d
1 parent 7fe2bb7
commit e4d7e2d
Showing 1 changed file with 16 additions and 9 deletions.
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
@@ -19,22 +19,29 @@
 static int __init default_appraise_setup(char *str)
 {
 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
-	if (arch_ima_get_secureboot()) {
-		pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
-			str);
-		return 1;
-	}
+	bool sb_state = arch_ima_get_secureboot();
+	int appraisal_state = ima_appraise;
 
 	if (strncmp(str, "off", 3) == 0)
-		ima_appraise = 0;
+		appraisal_state = 0;
 	else if (strncmp(str, "log", 3) == 0)
-		ima_appraise = IMA_APPRAISE_LOG;
+		appraisal_state = IMA_APPRAISE_LOG;
 	else if (strncmp(str, "fix", 3) == 0)
-		ima_appraise = IMA_APPRAISE_FIX;
+		appraisal_state = IMA_APPRAISE_FIX;
 	else if (strncmp(str, "enforce", 7) == 0)
-		ima_appraise = IMA_APPRAISE_ENFORCE;
+		appraisal_state = IMA_APPRAISE_ENFORCE;
 	else
 		pr_err("invalid \"%s\" appraise option", str);
+
+	/* If appraisal state was changed, but secure boot is enabled,
+	 * keep its default */
+	if (sb_state) {
+		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
+			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
+				str);
+	} else {
+		ima_appraise = appraisal_state;
+	}
 #endif
 	return 1;
 }