integrity: invalid kernel parameters feedback
authorBruno Meneguele <bmeneg@redhat.com>
Fri, 4 Sep 2020 19:40:58 +0000 (16:40 -0300)
committerMimi Zohar <zohar@linux.ibm.com>
Wed, 9 Sep 2020 02:03:50 +0000 (22:03 -0400)
Don't silently ignore unknown or invalid ima_{policy,appraise,hash} and evm
kernel boot command line options.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/evm/evm_main.c
security/integrity/ima/ima_appraise.c
security/integrity/ima/ima_main.c
security/integrity/ima/ima_policy.c

index 0d36259..6ae00fe 100644 (file)
@@ -59,6 +59,9 @@ static int __init evm_set_fixmode(char *str)
 {
        if (strncmp(str, "fix", 3) == 0)
                evm_fixmode = 1;
+       else
+               pr_err("invalid \"%s\" mode", str);
+
        return 0;
 }
 __setup("evm=", evm_set_fixmode);
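Review bot: The added `pr_err("invalid \"%s\" mode", str);` has no trailing `\n`, and neither do the other four pr_err() calls this commit adds in default_appraise_setup, hash_setup and policy_setup. Kernel log messages are conventionally newline-terminated so the record is closed at once and cannot be joined with a later continuation line. Suggest `pr_err("invalid \"%s\" mode\n", str);` and the same terminator on the other four, so the messages stay one per line for anyone checking boot logs for integrity misconfiguration.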
index 580b771..2193b51 100644 (file)
@@ -33,6 +33,8 @@ static int __init default_appraise_setup(char *str)
                ima_appraise = IMA_APPRAISE_FIX;
        else if (strncmp(str, "enforce", 7) == 0)
                ima_appraise = IMA_APPRAISE_ENFORCE;
+       else
+               pr_err("invalid \"%s\" appraise option", str);
 #endif
        return 1;
 }
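Review bot: The new `else` is reached only when no keyword prefix matches, so `strncmp(str, "enforce", 7)` still accepts a value with trailing characters (for example `enforced`) without any message. The same holds for `strncmp(str, "fix", 3)` in evm_set_fixmode and for the `sha1`/`md5` comparisons in hash_setup, whereas the `match_string()` path there appears to require an exact name. If the goal is to report every invalid value, an exact comparison such as `else if (strcmp(str, "enforce") == 0)` would close that gap, provided nothing relies on trailing characters being tolerated. The function body starts above this hunk, so the earlier branches were not reviewed.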
index 8a91711..2b22932 100644 (file)
@@ -50,18 +50,23 @@ static int __init hash_setup(char *str)
                return 1;
 
        if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
-               if (strncmp(str, "sha1", 4) == 0)
+               if (strncmp(str, "sha1", 4) == 0) {
                        ima_hash_algo = HASH_ALGO_SHA1;
-               else if (strncmp(str, "md5", 3) == 0)
+               } else if (strncmp(str, "md5", 3) == 0) {
                        ima_hash_algo = HASH_ALGO_MD5;
-               else
+               } else {
+                       pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
+                               str, IMA_TEMPLATE_IMA_NAME);
                        return 1;
+               }
                goto out;
        }
 
        i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
-       if (i < 0)
+       if (i < 0) {
+               pr_err("invalid hash algorithm \"%s\"", str);
                return 1;
+       }
 
        ima_hash_algo = i;
 out:
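Review bot: Both new error paths return without saying which algorithm remains in effect, so after a mistyped `ima_hash=` value the log reports the rejection but not the hash that measurements will actually use. Consider naming the fallback in the message, e.g. `pr_err("invalid hash algorithm \"%s\", using \"%s\"\n", str, hash_algo_name[ima_hash_algo]);`, presuming `ima_hash_algo` always holds a valid index into `hash_algo_name` at this point. That lets an operator see from the boot log alone whether a weaker default was kept. hash_setup starts before and continues after this hunk.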
index fe1df37..3422178 100644 (file)
@@ -241,6 +241,8 @@ static int __init policy_setup(char *str)
                        ima_use_secure_boot = true;
                else if (strcmp(p, "fail_securely") == 0)
                        ima_fail_unverifiable_sigs = true;
+               else
+                       pr_err("policy \"%s\" not found", p);
        }
 
        return 1;