summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorBruno Meneguele <bmeneg@redhat.com>2020-09-04 22:40:58 +0300
committerMimi Zohar <zohar@linux.ibm.com>2020-09-09 05:03:50 +0300
commit7fe2bb7e7e5cf91d03ff9c35b7b997d088916cbc (patch)
tree168c14e992c4182c23eb0cc81867bedea79dcaff /security
parent4afb28ab03d5d811b369af4472f3941557928569 (diff)
downloadlinux-7fe2bb7e7e5cf91d03ff9c35b7b997d088916cbc.tar.xz
integrity: invalid kernel parameters feedback
Don't silently ignore unknown or invalid ima_{policy,appraise,hash} and evm kernel boot command line options. Signed-off-by: Bruno Meneguele <bmeneg@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/evm/evm_main.c3
-rw-r--r--security/integrity/ima/ima_appraise.c2
-rw-r--r--security/integrity/ima/ima_main.c13
-rw-r--r--security/integrity/ima/ima_policy.c2
4 files changed, 16 insertions, 4 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0d36259b690d..6ae00fee1d34 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -59,6 +59,9 @@ static int __init evm_set_fixmode(char *str)
{
if (strncmp(str, "fix", 3) == 0)
evm_fixmode = 1;
+ else
+ pr_err("invalid \"%s\" mode", str);
+
return 0;
}
__setup("evm=", evm_set_fixmode);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 580b771e3458..2193b51c2743 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -33,6 +33,8 @@ static int __init default_appraise_setup(char *str)
ima_appraise = IMA_APPRAISE_FIX;
else if (strncmp(str, "enforce", 7) == 0)
ima_appraise = IMA_APPRAISE_ENFORCE;
+ else
+ pr_err("invalid \"%s\" appraise option", str);
#endif
return 1;
}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8a91711ca79b..2b22932b140d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -50,18 +50,23 @@ static int __init hash_setup(char *str)
return 1;
if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
- if (strncmp(str, "sha1", 4) == 0)
+ if (strncmp(str, "sha1", 4) == 0) {
ima_hash_algo = HASH_ALGO_SHA1;
- else if (strncmp(str, "md5", 3) == 0)
+ } else if (strncmp(str, "md5", 3) == 0) {
ima_hash_algo = HASH_ALGO_MD5;
- else
+ } else {
+ pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
+ str, IMA_TEMPLATE_IMA_NAME);
return 1;
+ }
goto out;
}
i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
- if (i < 0)
+ if (i < 0) {
+ pr_err("invalid hash algorithm \"%s\"", str);
return 1;
+ }
ima_hash_algo = i;
out:
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fe1df373c113..34221789c092 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -241,6 +241,8 @@ static int __init policy_setup(char *str)
ima_use_secure_boot = true;
else if (strcmp(p, "fail_securely") == 0)
ima_fail_unverifiable_sigs = true;
+ else
+ pr_err("policy \"%s\" not found", p);
}
return 1;