From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Wed, 8 Nov 2017 15:11:32 +0000
Subject: [03/29] ima: require secure_boot rules in lockdown mode
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=29c55d71a8185208c7962843a29c9a84ae27b2b0

Require the "secure_boot" rules, whether or not it is specified
on the boot command line, for both the builtin and custom policies
in secure boot lockdown mode.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Adjust context to apply after commits 6f0911a666d1
 "ima: fix updating the ima_appraise flag" and ef96837b0de4
 "ima: add build time policy"]
---
 security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)

Index: linux/security/integrity/ima/ima_policy.c
===================================================================
--- linux.orig/security/integrity/ima/ima_policy.c
+++ linux/security/integrity/ima/ima_policy.c
@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_ho
  */
 void __init ima_init_policy(void)
 {
-	int i, measure_entries, appraise_entries, secure_boot_entries;
+	int i;
+	int measure_entries = 0;
+	int appraise_entries = 0;
+	int secure_boot_entries = 0;
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
 
 	/* if !ima_policy set entries = 0 so we load NO default rules */
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
-	appraise_entries = ima_use_appraise_tcb ?
-			 ARRAY_SIZE(default_appraise_rules) : 0;
-	secure_boot_entries = ima_use_secure_boot ?
-			ARRAY_SIZE(secure_boot_rules) : 0;
+	if (ima_policy)
+		measure_entries = ARRAY_SIZE(dont_measure_rules);
+
+	if (ima_use_appraise_tcb)
+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
+
+	if (ima_use_secure_boot || kernel_locked_down)
+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
 
 	for (i = 0; i < measure_entries; i++)
 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
@@ -510,11 +517,24 @@ void __init ima_init_policy(void)
 	/*
 	 * Insert the builtin "secure_boot" policy rules requiring file
 	 * signatures, prior to any other appraise rules.
+	 * In secure boot lock-down mode, also require these appraise
+	 * rules for custom policies.
 	 */
 	for (i = 0; i < secure_boot_entries; i++) {
+		struct ima_rule_entry *entry;
+
+		/* Include for builtin policies */
 		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
 		temp_ima_appraise |=
 		    ima_appraise_flag(secure_boot_rules[i].func);
+
+		/* Include for custom policies */
+		if (kernel_locked_down) {
+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
+					GFP_KERNEL);
+			if (entry)
+				list_add_tail(&entry->list, &ima_policy_rules);
+		}
 	}
 
 	/*