| Message ID | 20190622000358.19895-20-matthewgarrett@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Lockdown as an LSM | expand |
On Fri, Jun 21, 2019 at 05:03:48PM -0700, Matthew Garrett wrote: > From: David Howells <dhowells@redhat.com> > > Provided an annotation for module parameters that specify hardware > parameters (such as io ports, iomem addresses, irqs, dma channels, fixed > dma buffers and other types). > > Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> > Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > Signed-off-by: Matthew Garrett <mjg59@google.com> > --- > include/linux/security.h | 1 + > kernel/params.c | 27 ++++++++++++++++++++++----- > security/lockdown/lockdown.c | 1 + > 3 files changed, 24 insertions(+), 5 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 61e3f4a62d16..88064d7f6827 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -92,6 +92,7 @@ enum lockdown_reason { > LOCKDOWN_ACPI_TABLES, > LOCKDOWN_PCMCIA_CIS, > LOCKDOWN_TIOCSSERIAL, > + LOCKDOWN_MODULE_PARAMETERS, > LOCKDOWN_INTEGRITY_MAX, > LOCKDOWN_CONFIDENTIALITY_MAX, > }; > diff --git a/kernel/params.c b/kernel/params.c > index ce89f757e6da..f94fe79e331d 100644 > --- a/kernel/params.c > +++ b/kernel/params.c > @@ -24,6 +24,7 @@ > #include <linux/err.h> > #include <linux/slab.h> > #include <linux/ctype.h> > +#include <linux/security.h> > > #ifdef CONFIG_SYSFS > /* Protects all built-in parameters, modules use their own param_lock */ > @@ -108,13 +109,19 @@ bool parameq(const char *a, const char *b) > return parameqn(a, b, strlen(a)+1); > } > > -static void param_check_unsafe(const struct kernel_param *kp) > +static bool param_check_unsafe(const struct kernel_param *kp, > + const char *doing) > { > if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { > pr_notice("Setting dangerous option %s - tainting kernel\n", > kp->name); > add_taint(TAINT_USER, LOCKDEP_STILL_OK); > } > + > + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && > + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) > + return false; > + return true; > } > > static int parse_one(char *param, > @@ -144,8 +151,10 @@ static int parse_one(char *param, > pr_debug("handling %s with %p\n", param, > params[i].ops->set); > kernel_param_lock(params[i].mod); > - param_check_unsafe(¶ms[i]); > - err = params[i].ops->set(val, ¶ms[i]); > + if (param_check_unsafe(¶ms[i], doing)) > + err = params[i].ops->set(val, ¶ms[i]); > + else > + err = -EPERM; > kernel_param_unlock(params[i].mod); > return err; > } > @@ -553,6 +562,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, > return count; > } > > +#ifdef CONFIG_MODULES > +#define mod_name(mod) (mod)->name > +#else > +#define mod_name(mod) "unknown" > +#endif > + > /* sysfs always hands a nul-terminated string in buf. We rely on that. */ > static ssize_t param_attr_store(struct module_attribute *mattr, > struct module_kobject *mk, > @@ -565,8 +580,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, > return -EPERM; > > kernel_param_lock(mk->mod); > - param_check_unsafe(attribute->param); > - err = attribute->param->ops->set(buf, attribute->param); > + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) > + err = attribute->param->ops->set(buf, attribute->param); > + else > + err = -EPERM; > kernel_param_unlock(mk->mod); > if (!err) > return len; > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > index c89046dc2155..d03c4c296af7 100644 > --- a/security/lockdown/lockdown.c > +++ b/security/lockdown/lockdown.c > @@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", > [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", > [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", > + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", > [LOCKDOWN_INTEGRITY_MAX] = "integrity", > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > }; > -- > 2.22.0.410.gd8fdbe21b5-goog >
Matthew Garrett <matthewgarrett@google.com> writes: > From: David Howells <dhowells@redhat.com> > > Provided an annotation for module parameters that specify hardware > parameters (such as io ports, iomem addresses, irqs, dma channels, fixed > dma buffers and other types). > > Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> > Signed-off-by: David Howells <dhowells@redhat.com> > Signed-off-by: Matthew Garrett <mjg59@google.com> > --- > include/linux/security.h | 1 + > kernel/params.c | 27 ++++++++++++++++++++++----- > security/lockdown/lockdown.c | 1 + > 3 files changed, 24 insertions(+), 5 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 61e3f4a62d16..88064d7f6827 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -92,6 +92,7 @@ enum lockdown_reason { > LOCKDOWN_ACPI_TABLES, > LOCKDOWN_PCMCIA_CIS, > LOCKDOWN_TIOCSSERIAL, > + LOCKDOWN_MODULE_PARAMETERS, > LOCKDOWN_INTEGRITY_MAX, > LOCKDOWN_CONFIDENTIALITY_MAX, > }; > diff --git a/kernel/params.c b/kernel/params.c > index ce89f757e6da..f94fe79e331d 100644 > --- a/kernel/params.c > +++ b/kernel/params.c > @@ -24,6 +24,7 @@ > #include <linux/err.h> > #include <linux/slab.h> > #include <linux/ctype.h> > +#include <linux/security.h> > > #ifdef CONFIG_SYSFS > /* Protects all built-in parameters, modules use their own param_lock */ > @@ -108,13 +109,19 @@ bool parameq(const char *a, const char *b) > return parameqn(a, b, strlen(a)+1); > } > > -static void param_check_unsafe(const struct kernel_param *kp) > +static bool param_check_unsafe(const struct kernel_param *kp, > + const char *doing) > { > if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { > pr_notice("Setting dangerous option %s - tainting kernel\n", > kp->name); > add_taint(TAINT_USER, LOCKDEP_STILL_OK); > } > + > + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && > + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) > + return false; > + return true; > } Should this test occur before tainting the kernel? Regards, Daniel > > static int parse_one(char *param, > @@ -144,8 +151,10 @@ static int parse_one(char *param, > pr_debug("handling %s with %p\n", param, > params[i].ops->set); > kernel_param_lock(params[i].mod); > - param_check_unsafe(¶ms[i]); > - err = params[i].ops->set(val, ¶ms[i]); > + if (param_check_unsafe(¶ms[i], doing)) > + err = params[i].ops->set(val, ¶ms[i]); > + else > + err = -EPERM; > kernel_param_unlock(params[i].mod); > return err; > } > @@ -553,6 +562,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, > return count; > } > > +#ifdef CONFIG_MODULES > +#define mod_name(mod) (mod)->name > +#else > +#define mod_name(mod) "unknown" > +#endif > + > /* sysfs always hands a nul-terminated string in buf. We rely on that. */ > static ssize_t param_attr_store(struct module_attribute *mattr, > struct module_kobject *mk, > @@ -565,8 +580,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, > return -EPERM; > > kernel_param_lock(mk->mod); > - param_check_unsafe(attribute->param); > - err = attribute->param->ops->set(buf, attribute->param); > + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) > + err = attribute->param->ops->set(buf, attribute->param); > + else > + err = -EPERM; > kernel_param_unlock(mk->mod); > if (!err) > return len; > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > index c89046dc2155..d03c4c296af7 100644 > --- a/security/lockdown/lockdown.c > +++ b/security/lockdown/lockdown.c > @@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", > [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", > [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", > + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", > [LOCKDOWN_INTEGRITY_MAX] = "integrity", > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > }; > -- > 2.22.0.410.gd8fdbe21b5-goog
On Wed, Jun 26, 2019 at 6:49 PM Daniel Axtens <dja@axtens.net> wrote: > > Matthew Garrett <matthewgarrett@google.com> writes: > > + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && > > + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) > > + return false; > > + return true; > > } > > Should this test occur before tainting the kernel? Seems reasonable.
diff --git a/include/linux/security.h b/include/linux/security.h index 61e3f4a62d16..88064d7f6827 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -92,6 +92,7 @@ enum lockdown_reason { LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, + LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..f94fe79e331d 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -24,6 +24,7 @@ #include <linux/err.h> #include <linux/slab.h> #include <linux/ctype.h> +#include <linux/security.h> #ifdef CONFIG_SYSFS /* Protects all built-in parameters, modules use their own param_lock */ @@ -108,13 +109,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +151,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } @@ -553,6 +562,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, @@ -565,8 +580,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c89046dc2155..d03c4c296af7 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };