From patchwork Sat Jun 22 00:03:30 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011075
Date: Fri, 21 Jun 2019 17:03:30 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-2-matthewgarrett@google.com>
References: <20190622000358.19895-1-matthewgarrett@google.com>
Subject: [PATCH V34 01/29] security: Support early LSMs
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The lockdown module is intended to allow for kernels to be locked down early in boot - sufficiently early that we don't have the ability to kmalloc() yet. Add support for early initialisation of some LSMs, and then add them to the list of names when we do full initialisation later. Early LSMs are initialised in link order and cannot be overridden via boot parameters, and cannot make use of kmalloc() (since the allocator isn't initialised yet). Signed-off-by: Matthew Garrett Acked-by: Kees Cook --- include/asm-generic/vmlinux.lds.h | 8 ++++- include/linux/lsm_hooks.h | 6 ++++ include/linux/security.h | 1 + init/main.c | 1 + security/security.c | 50 ++++++++++++++++++++++++++----- 5 files changed, 57 insertions(+), 9 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index f8f6f04c4453..e1963352fdb6 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -208,8 +208,13 @@ __start_lsm_info = .; \ KEEP(*(.lsm_info.init)) \ __end_lsm_info = .; +#define EARLY_LSM_TABLE() . = ALIGN(8); \ + __start_early_lsm_info = .; \ + KEEP(*(.early_lsm_info.init)) \ + __end_early_lsm_info = .; #else #define LSM_TABLE() +#define EARLY_LSM_TABLE() #endif #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) @@ -610,7 +615,8 @@ ACPI_PROBE_TABLE(irqchip) \ ACPI_PROBE_TABLE(timer) \ EARLYCON_TABLE() \ - LSM_TABLE() + LSM_TABLE() \ + EARLY_LSM_TABLE() #define INIT_TEXT \ *(.init.text .init.text.*) \ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index a240a3fc5fc4..66fd1eac7a32 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -2085,12 +2085,18 @@ struct lsm_info { }; extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; +extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; #define DEFINE_LSM(lsm) \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ __aligned(sizeof(unsigned long)) +#define DEFINE_EARLY_LSM(lsm) \ + static struct lsm_info __early_lsm_##lsm \ + __used __section(.early_lsm_info.init) \ + __aligned(sizeof(unsigned long)) + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/security.h b/include/linux/security.h index 49f2685324b0..1bb6fb2f1523 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -194,6 +194,7 @@ int unregister_lsm_notifier(struct notifier_block *nb); /* prototypes */ extern int security_init(void); +extern int early_security_init(void); /* Security operations */ int security_binder_set_context_mgr(struct task_struct *mgr); diff --git a/init/main.c b/init/main.c index 598e278b46f7..f3faeb89c75f 100644 --- a/init/main.c +++ b/init/main.c @@ -563,6 +563,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + early_security_init(); setup_arch(&command_line); /* * Set up the the initial canary and entropy after arch diff --git a/security/security.c b/security/security.c index 23cbb1a295a3..487e1f3eb2df 100644 --- a/security/security.c +++ b/security/security.c @@ -37,6 +37,7 @@ /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) +#define EARLY_LSM_COUNT (__end_early_lsm_info - __start_early_lsm_info) struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); 
@@ -281,6 +282,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init lsm_early_cred(struct cred *cred); static void __init lsm_early_task(struct task_struct *task); +static int lsm_append(const char *new, char **result); + static void __init ordered_lsm_init(void) { struct lsm_info **lsm; @@ -327,6 +330,26 @@ static void __init ordered_lsm_init(void) kfree(ordered_lsms); } +int __init early_security_init(void) +{ + int i; + struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; + + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); + i++) + INIT_HLIST_HEAD(&list[i]); + + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; + prepare_lsm(lsm); + initialize_lsm(lsm); + } + + return 0; +} + /** * security_init - initializes the security framework * @@ -334,14 +357,18 @@ static void __init ordered_lsm_init(void) */ int __init security_init(void) { - int i; - struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; pr_info("Security Framework initializing\n"); - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); - i++) - INIT_HLIST_HEAD(&list[i]); + /* + * Append the names of the early LSM modules now that kmalloc() is + * available + */ + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (lsm->enabled) + lsm_append(lsm->name, &lsm_names); + } /* Load LSMs in specified order. */ ordered_lsm_init(); @@ -388,7 +415,7 @@ static bool match_last_lsm(const char *list, const char *lsm) return !strcmp(last, lsm); } -static int lsm_append(char *new, char **result) +static int lsm_append(const char *new, char **result) { char *cp; 
@@ -426,8 +453,15 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, hooks[i].lsm = lsm; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } - if (lsm_append(lsm, &lsm_names) < 0) - panic("%s - Cannot get early memory.\n", __func__); + + /* + * Don't try to append during early_security_init(), we'll come back + * and fix this up afterwards. + */ + if (slab_is_available()) { + if (lsm_append(lsm, &lsm_names) < 0) + panic("%s - Cannot get early memory.\n", __func__); + } } int call_lsm_notifier(enum lsm_event event, void *data)
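Review bot: in the security_init() hunk, `if (lsm->enabled)` tests the pointer rather than the flag it points to. The early_security_init() hunk above sets `lsm->enabled = &lsm_enabled_true` for every early LSM that has no enabled pointer, so by the time security_init() runs the pointer is always non-NULL and the check never excludes anything. Either drop the condition (the commit message says early LSMs cannot be disabled anyway) or test `*lsm->enabled` so the intent is explicit.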
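Review bot: the security_add_hooks() hunk keeps the panic when lsm_append() fails, but the deferred append added to security_init() for early LSMs discards lsm_append()'s return value, so an allocation failure there leaves the early LSM silently missing from lsm_names (and thus from /sys/kernel/security/lsm) while the later path would have panicked. Apply the same check on the deferred path, e.g. `if (lsm_append(lsm->name, &lsm_names) < 0) panic(...)`, so both paths behave the same.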
From patchwork Sat Jun 22 00:03:31 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011073
Date: Fri, 21 Jun 2019 17:03:31 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-3-matthewgarrett@google.com>
References: <20190622000358.19895-1-matthewgarrett@google.com>
Subject:
[PATCH V34 02/29] security: Add a "locked down" LSM hook From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Add a mechanism to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. Signed-off-by: Matthew Garrett Acked-by: Kees Cook --- include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 11 +++++++++++ security/security.c | 6 ++++++ 3 files changed, 19 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 66fd1eac7a32..df2aebc99838 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1790,6 +1790,7 @@ union security_list_options { int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux); void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); #endif /* CONFIG_BPF_SYSCALL */ + int (*locked_down)(enum lockdown_reason what); }; struct security_hook_heads { @@ -2027,6 +2028,7 @@ struct security_hook_heads { struct hlist_head bpf_prog_alloc_security; struct hlist_head bpf_prog_free_security; #endif /* CONFIG_BPF_SYSCALL */ + struct hlist_head locked_down; } __randomize_layout; /* diff --git a/include/linux/security.h b/include/linux/security.h index 1bb6fb2f1523..9eaf02e70707 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -76,6 +76,12 @@ enum lsm_event { LSM_POLICY_CHANGE, }; +enum lockdown_reason { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX, +}; + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); 
@@ -389,6 +395,7 @@ void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ static inline int call_lsm_notifier(enum lsm_event event, void *data) @@ -1189,6 +1196,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 { return -EOPNOTSUPP; } +static inline int security_locked_down(enum lockdown_reason what) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK diff --git a/security/security.c b/security/security.c index 487e1f3eb2df..553f50e9a106 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2382,3 +2382,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) call_void_hook(bpf_prog_free_security, aux); } #endif /* CONFIG_BPF_SYSCALL */ + +int security_locked_down(enum lockdown_reason what) +{ + return call_int_hook(locked_down, 0, what); +} +EXPORT_SYMBOL(security_locked_down);
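Review bot: the lsm_hooks.h hunk adds `locked_down` to union security_list_options and struct security_hook_heads without a matching entry in the header's per-hook documentation block; add a @locked_down paragraph stating what @what carries and the return convention (0 allows the operation, -EPERM denies it, and call_int_hook() with a default of 0 means "not locked down" when no LSM implements the hook), so LSM authors do not have to infer the contract from the first in-tree user.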
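Review bot: the security.h hunk defines enum lockdown_reason as LOCKDOWN_NONE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, but nothing says that the numeric order is the contract (a concrete reason must be inserted before the _MAX marker of the weakest level that should cover it, since the policy LSM compares levels with >=). A one-line comment on the enum would stop later reasons from landing in the wrong band, which is exactly the edit the next patches in the series have to make.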
From patchwork Sat Jun 22 00:03:32 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011071
Date: Fri, 21 Jun 2019 17:03:32 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-4-matthewgarrett@google.com>
References: <20190622000358.19895-1-matthewgarrett@google.com>
Subject: [PATCH V34 03/29] security: Add a static lockdown policy LSM
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett Cc: David Howells Reviewed-by: Kees Cook --- .../admin-guide/kernel-parameters.txt | 9 + include/linux/security.h | 4 + security/Kconfig | 3 +- security/Makefile | 2 + security/lockdown/Kconfig | 47 +++++ security/lockdown/Makefile | 1 + security/lockdown/lockdown.c | 172 ++++++++++++++++++ 7 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 security/lockdown/Kconfig create mode 100644 security/lockdown/Makefile create mode 100644 security/lockdown/lockdown.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 2b8ee90bb644..fa336f6cd5bc 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2239,6 +2239,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/include/linux/security.h b/include/linux/security.h index 9eaf02e70707..c808d344ec75 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -76,6 +76,10 @@ enum lsm_event { LSM_POLICY_CHANGE, }; +/* + * If you add to this, remember to extend lockdown_reasons in + * security/lockdown/lockdown.c. + */ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_INTEGRITY_MAX, diff --git a/security/Kconfig b/security/Kconfig index 1d6463fb1450..c35aa72103df 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -236,12 +236,13 @@ source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" +source "security/lockdown/Kconfig" source "security/integrity/Kconfig" config LSM string "Ordered list of enabled LSMs" - default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/Makefile b/security/Makefile index c598b904938f..be1dd9d2cb2f 100644 --- a/security/Makefile +++ b/security/Makefile 
@@ -11,6 +11,7 @@ subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid +subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown # always enable default capabilities obj-y += commoncap.o @@ -27,6 +28,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig new file mode 100644 index 000000000000..7374ba76d8eb --- /dev/null +++ b/security/lockdown/Kconfig 
@@ -0,0 +1,47 @@ +config SECURITY_LOCKDOWN_LSM + bool "Basic module for enforcing kernel lockdown" + depends on SECURITY + help + Build support for an LSM that enforces a coarse kernel lockdown + behaviour. + +config SECURITY_LOCKDOWN_LSM_EARLY + bool "Enable lockdown LSM early in init" + depends on SECURITY_LOCKDOWN_LSM + help + Enable the lockdown LSM early in boot. This is necessary in order + to ensure that lockdown enforcement can be carried out on kernel + boot parameters that are otherwise parsed before the security + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on SECURITY_LOCKDOWN_LSM + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + diff --git a/security/lockdown/Makefile b/security/lockdown/Makefile new file mode 100644 index 000000000000..e3634b9017e7 --- /dev/null +++ b/security/lockdown/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown.o diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c new file mode 100644 index 000000000000..8e39b36b8f33 --- /dev/null +++ b/security/lockdown/lockdown.c 
@@ -0,0 +1,172 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include + +static enum lockdown_reason kernel_locked_down; + +static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { + [LOCKDOWN_NONE] = "none", + [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", +}; + +static enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_reason level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY_MAX); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY_MAX); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/** + * lockdown_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +static int lockdown_is_locked_down(enum lockdown_reason what) +{ + if ((kernel_locked_down >= what)) { + if (lockdown_reasons[what]) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + lockdown_reasons[what]); + return -EPERM; + } + + return 0; +} + +static struct 
security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), +}; + +static int __init lockdown_lsm_init(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY_MAX); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); +#endif + security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), + "lockdown"); + return 0; +} + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset=0; + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + + if (lockdown_reasons[level]) { + const char *label = lockdown_reasons[level]; + + if (kernel_locked_down == level) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = -EINVAL; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (len && state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + const char *label = lockdown_reasons[level]; + + if (label && !strcmp(state, label)) + err = lock_kernel_down("securityfs", level); + } + + kfree(state); + return err ? 
err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); + +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY +DEFINE_EARLY_LSM(lockdown) = { +#else +DEFINE_LSM(lockdown) = { +#endif + .name = "lockdown", + .init = lockdown_lsm_init, +};
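Review bot: lockdown_is_locked_down() in lockdown.c calls pr_notice() on every denied query, and the hook fires once per denied request, so a caller that keeps retrying a restricted operation fills the kernel log; use pr_notice_ratelimited() there. The double parentheses in `if ((kernel_locked_down >= what))` also look like a leftover and should be reduced to one pair.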
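Review bot: lockdown_read() formats into a fixed `char temp[80]` with sprintf(); the three labels fit today, but the security.h comment in this patch explicitly invites extending lockdown_reasons[], so switch to `scnprintf(temp + offset, sizeof(temp) - offset, ...)` to keep the bound explicit. In lockdown_write(), the loop continues after a label matches; a `break` after `err = lock_kernel_down("securityfs", level);` would make the single-match intent clear and avoid a second lock_kernel_down() call if two labels ever compared equal.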
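Review bot: the Kconfig hunk makes SECURITY_LOCKDOWN_LSM depend only on SECURITY, while lockdown_secfs_init() relies on securityfs_create_file(); without CONFIG_SECURITYFS the stub returns an error pointer, the initcall fails, and the runtime control path that the help text and kernel-parameters.txt hunk describe ("/sys/kernel/security/lockdown") quietly disappears. Either add `depends on SECURITYFS` (or `select SECURITYFS`), or state in the help text that runtime control requires securityfs; the securityfs file itself should also get an entry under Documentation/ABI since the kernel-parameters.txt hunk only documents `lockdown=`.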
From patchwork Sat Jun 22 00:03:33 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11010977
Date: Fri, 21 Jun 2019 17:03:33 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-5-matthewgarrett@google.com>
References: <20190622000358.19895-1-matthewgarrett@google.com>
Subject: [PATCH V34
04/29] Enforce module signatures if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Jessica Yu

From: David Howells

If the kernel is locked down, require that all modules have valid signatures that we can verify.

I have adjusted the errors generated:

(1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then:

 (a) If signatures are enforced then EKEYREJECTED is returned.

 (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases).

(2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (e.g. ENOMEM), we return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet.

[Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.]

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Jessica Yu
Reviewed-by: Kees Cook
---
include/linux/security.h | 1 +
kernel/module.c | 38 +++++++++++++++++++++++++++++-------
security/lockdown/lockdown.c | 1 +
3 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h index c808d344ec75..46d85cd63b06 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -82,6 +82,7 @@ enum lsm_event { */ enum lockdown_reason { LOCKDOWN_NONE, + LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/module.c b/kernel/module.c index 0b9aa8ab89f0..6aa681edd660 100644 --- a/kernel/module.c
+++ b/kernel/module.c @@ -2763,8 +2763,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int ret, err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2779,16 +2780,39 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + ret = security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + return ret; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 8e39b36b8f33..25a3a5b0aa9c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
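Review bot: the kernel/module.c hunk relaxes the pre-patch behaviour for ENOPKG without saying so: the removed "if (err == -ENOKEY && !is_module_sig_enforced()) err = 0;" forgave only a missing key, whereas the new switch also lets -ENOPKG (a signature the kernel cannot process) through on a non-enforcing, non-locked-down kernel. The commit message lists ENOPKG in the "can't check it" class, so this looks intended, but it deserves an explicit sentence. Two smaller points in the decide: path: "ret = security_locked_down(LOCKDOWN_MODULE_SIGNATURE); return ret;" is just "return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);", which also removes the ret local; and the permitted path returns 0 with no message while the enforced path logs reason, so a pr_debug with reason on the permitted path would let an operator tell an accepted-but-unverifiable module from a verified one.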
@@ -18,6 +18,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", + [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Sat Jun 22 00:03:34 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011069
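The commit message of patch 04 leans on a distinction that the kernel makes before any signature cryptography runs: whether a module carries no signature at all (ENODATA), a signature the kernel cannot process (ENOPKG, ENOKEY), or a trailer that is malformed (EBADMSG). As an added example, and not code from the patch series, the following userspace probe reproduces that first, non-cryptographic classification over an in-memory .ko image, so that a practitioner can see which errno class a given file will land in before trying to load it. The trailer layout it parses (a 12-byte struct module_signature followed by the marker "~Module signature appended~\n", as defined in the kernel's include/linux/module_signature.h) is an assumption not shown on this page; the module buffers are constructed, not real modules or signatures, and nothing here verifies a PKCS#7 signature.

```c
/*
 * Added example, not code from the lockdown series: classify a module image the
 * way module_sig_check()/mod_verify_sig() do before any PKCS#7 crypto runs.
 * Assumed trailer layout (kernel include/linux/module_signature.h, not on this page):
 *   [ELF image][PKCS#7 blob][12-byte struct module_signature][marker string]
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MARKER_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define MS_LEN 12               /* sizeof(struct module_signature) */
#define PKEY_ID_PKCS7 2         /* the only id_type a module may carry */

struct sig_info {
	size_t payload_len;     /* ELF bytes the signature would cover */
	size_t sig_len;         /* length of the PKCS#7 blob */
};

/*
 * 0: well-formed trailer, *out filled in (signature itself not verified).
 * -ENODATA: no marker, i.e. an unsigned module.
 * -ENOPKG: marker present but the trailer is not a PKCS#7 signature.
 * -EBADMSG: marker present but the trailer is malformed.
 */
int module_sig_probe(const unsigned char *buf, size_t len, struct sig_info *out)
{
	const unsigned char *ms;    /* algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len */
	size_t sig_len;
	if (len <= MARKER_LEN ||
	    memcmp(buf + len - MARKER_LEN, MODULE_SIG_STRING, MARKER_LEN) != 0)
		return -ENODATA;
	len -= MARKER_LEN;
	if (len <= MS_LEN)
		return -EBADMSG;
	ms = buf + len - MS_LEN;
	len -= MS_LEN;
	sig_len = ((size_t)ms[8] << 24) | ((size_t)ms[9] << 16) | ((size_t)ms[10] << 8) | ms[11];
	if (sig_len >= len)         /* signature would swallow the whole image */
		return -EBADMSG;
	len -= sig_len;
	if (ms[2] != PKEY_ID_PKCS7)
		return -ENOPKG;
	if (ms[0] || ms[1] || ms[3] || ms[4] || ms[5] || ms[6] || ms[7])
		return -EBADMSG;    /* PKCS#7 carries these itself; all must be zero */
	out->payload_len = len; out->sig_len = sig_len;
	return 0;
}

/* Constructed sample material: a fake ELF body; 0x30 bytes stand in for DER. */
static const unsigned char fake_elf[] = "\x7f" "ELF-not-a-real-module";
#define FAKE_ELF_LEN (sizeof(fake_elf) - 1)

/* Body + fake blob + trailer + marker; returns total length, 0 if cap is too small. */
size_t build_sample(unsigned char *out, size_t cap, uint32_t sig_len,
		    uint8_t id_type, uint8_t pad0)
{
	size_t total = FAKE_ELF_LEN + sig_len + MS_LEN + MARKER_LEN;
	unsigned char *p = out;
	if (total > cap)
		return 0;
	memcpy(p, fake_elf, FAKE_ELF_LEN);
	p += FAKE_ELF_LEN;
	memset(p, 0x30, sig_len);
	p += sig_len;
	*p++ = 0; *p++ = 0; *p++ = id_type; *p++ = 0; *p++ = 0;   /* algo .. key_id_len */
	*p++ = pad0; *p++ = 0; *p++ = 0;                          /* __pad[3] */
	*p++ = sig_len >> 24; *p++ = sig_len >> 16;               /* be32 sig_len */
	*p++ = sig_len >> 8;  *p++ = sig_len;
	memcpy(p, MODULE_SIG_STRING, MARKER_LEN);
	return total;
}

enum scenario { UNSIGNED_MODULE, SIGNED_OK, NOT_PKCS7, NONZERO_PAD, OVERLONG_SIG };

/* Builds the sample for one scenario, probes it and returns the probe's result. */
int run_scenario(enum scenario s, struct sig_info *info)
{
	unsigned char buf[128];
	size_t len;
	memset(info, 0, sizeof(*info));
	switch (s) {
	case UNSIGNED_MODULE:       /* body only, no marker at all */
		memcpy(buf, fake_elf, FAKE_ELF_LEN); len = FAKE_ELF_LEN; break;
	case SIGNED_OK:
		len = build_sample(buf, sizeof(buf), 16, PKEY_ID_PKCS7, 0); break;
	case NOT_PKCS7:             /* id_type 1 is PKEY_ID_X509 */
		len = build_sample(buf, sizeof(buf), 16, 1, 0); break;
	case NONZERO_PAD:
		len = build_sample(buf, sizeof(buf), 16, PKEY_ID_PKCS7, 0xff); break;
	default:                    /* OVERLONG_SIG: corrupt the high byte of sig_len */
		len = build_sample(buf, sizeof(buf), 16, PKEY_ID_PKCS7, 0);
		buf[len - MARKER_LEN - 4] = 0x7f; break;
	}
	return module_sig_probe(buf, len, info);
}

int scenario_result(enum scenario s) { struct sig_info i; return run_scenario(s, &i); }
struct sig_info scenario_info(enum scenario s) { struct sig_info i; run_scenario(s, &i); return i; }
```

Mapped onto the switch in the patch: a 0 result goes on to the PKCS#7 check, -ENODATA and -ENOPKG are fatal only when signatures are enforced or the kernel is locked down, and -EBADMSG is fatal regardless. The NOT_PKCS7 case is the one worth noticing: it lands in the tolerated class, so a module whose trailer claims a non-PKCS#7 signature loads on a non-enforcing, non-locked-down kernel exactly like an unsigned one.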
Date: Fri, 21 Jun 2019 17:03:34 -0700 Message-Id: <20190622000358.19895-6-matthewgarrett@google.com> In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Subject: [PATCH V34 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , x86@kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: x86@kernel.org
Reviewed-by: Kees Cook
---
drivers/char/mem.c | 6 +++++-
include/linux/security.h | 1 +
security/lockdown/lockdown.c | 1 +
3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..93c02493f0fa 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,6 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_DEV_MEM); + + if (ret) + return ret; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } diff --git a/include/linux/security.h b/include/linux/security.h index 46d85cd63b06..200175c8605a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -83,6 +83,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, };
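Review bot: in the drivers/char/mem.c hunk the new security_locked_down(LOCKDOWN_DEV_MEM) call sits in open_port(), so it gates open() only; a descriptor on /dev/mem, /dev/kmem or /dev/port that was opened before lockdown was switched on (the securityfs file from patch 01 has a write handler, so that can happen at runtime) keeps working for read, write and mmap. Either state in the commit message that pre-existing descriptors are out of scope, or add the same check on the read/write/mmap paths. The ordering ahead of capable(CAP_SYS_RAWIO) is fine since both answers are -EPERM.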
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 25a3a5b0aa9c..565c87451f0f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Sat Jun 22 00:03:35 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010979
Date: Fri, 21 Jun 2019 17:03:35 -0700 Message-Id: <20190622000358.19895-7-matthewgarrett@google.com> In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Subject: [PATCH V34 06/29] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Dave Young , kexec@lists.infradead.org

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation.

This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Dave Young
cc: kexec@lists.infradead.org
Reviewed-by: Kees Cook
---
include/linux/security.h | 1 +
kernel/kexec.c | 8 ++++++++
security/lockdown/lockdown.c | 1 +
3 files changed, 10 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h index 200175c8605a..00a31ab2e5ba 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -84,6 +84,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_KEXEC, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..ec3f07a4b1c0 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + result = security_locked_down(LOCKDOWN_KEXEC); + if (result) + return result; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 565c87451f0f..08fcd8116db3 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c
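Review bot: the comment above security_locked_down(LOCKDOWN_KEXEC) in the kernel/kexec.c hunk gives "circumvent module loading restrictions" as the reason, but the decisive point is the one the commit message makes: kexec_load() takes raw segments with no signature attached, so there is nothing the kernel could verify and the call has to be refused outright, unlike kexec_file_load(). Saying that in the comment stops a future reader from looking for a signed-image path here, and it matches the "kexec of unsigned images" string added to the lockdown table.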
@@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Sat Jun 22 00:03:36 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010981
Date: Fri, 21 Jun 2019 17:03:36 -0700 Message-Id: <20190622000358.19895-8-matthewgarrett@google.com> In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Subject: [PATCH V34 07/29] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Dave Young , David Howells , Matthew Garrett , kexec@lists.infradead.org

From: Dave Young

A kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot.

Add a patch to fix this by retaining the secure_boot flag from the original kernel.

The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fix this issue by copying the secure_boot flag across the kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: kexec@lists.infradead.org
Reviewed-by: Kees Cook
---
arch/x86/kernel/kexec-bzimage64.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 22f60dd26460..4243359ac509 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -182,6 +182,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;

From patchwork Sat Jun 22 00:03:37 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010983
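Review bot: in the patch 07 hunk above, "params->secure_boot = boot_params.secure_boot;" is placed after the "if (efi_enabled(EFI_OLD_MEMMAP)) return 0;" early return in setup_efi_state(), so a kernel booted with the old EFI memmap still drops the flag across kexec and the kexec'd kernel sees secure_boot as unset, which is exactly the gap the commit message sets out to close. If old_map is deliberately out of scope the commit message should say so; otherwise copy the flag before the early returns, since it does not depend on the memmap format at all.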
Date: Fri, 21 Jun 2019 17:03:37 -0700 Message-Id: <20190622000358.19895-9-matthewgarrett@google.com> In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Subject: [PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , kexec@lists.infradead.org

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:

 (1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors.

 (2) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but the signature doesn't match - even if in non-forcing mode.

 (3) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode.

 (4) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode.
]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
cc: kexec@lists.infradead.org
Reviewed-by: Dave Young
---
arch/x86/Kconfig | 20 ++++++++---
crypto/asymmetric_keys/verify_pefile.c | 4 ++-
include/linux/kexec.h | 4 +--
kernel/kexec_file.c | 47 ++++++++++++++++++++++----
4 files changed, 60 insertions(+), 15 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index c1f9b3cf437c..84381dd60760 100644
--- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2012,20 +2012,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, 
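Review bot: in the crypto/asymmetric_keys/verify_pefile.c hunk, returning -ENODATA instead of -EKEYREJECTED for an unsigned PE changes the contract of verify_pefile_signature() for every caller, not only kexec_file_load(), yet the commit message motivates it for kexec alone; any caller that treated -EKEYREJECTED as "unsigned, reject" now gets a different errno, so please state that the other callers were audited. The kernel-doc for the new return value only arrives in the following hunk, which is fine, but the pr_debug("Unsigned PE binary") here could also name the errno it now maps to.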
@@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..eec7e5bb2a08 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
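Review bot: the include/linux/kexec.h hunks rename the CONFIG_KEXEC_VERIFY_SIG guards to CONFIG_KEXEC_SIG, but the diffstat touches only arch/x86/Kconfig; any other architecture Kconfig or image loader that still selects or tests KEXEC_VERIFY_SIG would silently lose signature support, so the tree should be grepped for the old symbol before this goes in (or the commit message should say that x86 is the only user). In the @@ -188 hunk, "int ret = 0;" becoming "int ret;" plus a new "const char *reason;" is only safe because every path into the switch that follows assigns ret; a short comment at the declaration would spare the next reader the check.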
@@ -207,15 +208,47 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,

From patchwork Sat Jun 22 00:03:38 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011067
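Review bot: in the KEXEC_SIG_FORCE branch of the decide: path in the kernel/kexec_file.c hunk above, the function does "goto out" with ret still holding -ENODATA, -ENOPKG or -ENOKEY, whereas the module path in patch 04 returns -EKEYREJECTED for the same "signature required but unverifiable" situation; set ret = -EKEYREJECTED before the goto, or explain in the commit message why kexec should report a different errno. Two further points: the comment "non-fatal if we're not checking errors, provided we aren't mandating" is confusing, since the errors are always checked and merely tolerated when KEXEC_SIG_FORCE is off; and the "#else ret = -ENODATA;" arm only works because KEXEC_SIG_FORCE depends on KEXEC_SIG in Kconfig, which deserves a comment next to it.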
Date: Fri, 21 Jun 2019 17:03:38 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-10-matthewgarrett@google.com>
Subject: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac, David Howells, Matthew Garrett, kexec@lists.infradead.org

From: Jiri Bohac

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
cc: kexec@lists.infradead.org
Reviewed-by: Kees Cook
---
 kernel/kexec_file.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index eec7e5bb2a08..27adb4312b03 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -237,7 +237,10 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = 0; + ret = security_locked_down(LOCKDOWN_KEXEC); + if (ret) + goto out; + break; /* All other errors are fatal, including nomem, unparseable
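Review bot: the commit message says this applies "When KEXEC_SIG is not enabled", but because the new `security_locked_down(LOCKDOWN_KEXEC)` call sits at the `decide:` label it runs for every non-fatal verification result, including `-ENODATA`, `-ENOPKG` and `-ENOKEY` with KEXEC_SIG built in but KEXEC_SIG_FORCE off, so a locked-down kernel also refuses unsigned or unverifiable images in that configuration; the message should state that wider scope. The hunk also depends on the hook returning 0 when the kernel is not locked down so that `ret` is clean at the `break`, which matches the -EPERM-on-lockdown convention the message describes; a one-line comment at the call site would make that dependence explicit.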
Date: Fri, 21 Jun 2019 17:03:39 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-11-matthewgarrett@google.com>
Subject: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org Reviewed-by: Kees Cook --- include/linux/security.h | 1 + kernel/power/hibernate.c | 3 ++- security/lockdown/lockdown.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/security.h b/include/linux/security.h index 00a31ab2e5ba..a051f21a1144 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -85,6 +85,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..3a9cb2d3da4a 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include "power.h" @@ -70,7 +71,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); } /** diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 08fcd8116db3..ce5b3da9bd09 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
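Review bot: in the `hibernation_available()` hunk the -EPERM from `security_locked_down(LOCKDOWN_HIBERNATION)` is folded into a bool, so callers cannot distinguish a lockdown refusal from `nohibernate`; if that distinction matters for diagnostics, the error should be surfaced by the callers rather than collapsed here, and the commit message could say that under lockdown hibernation simply reports as unavailable. The `nohibernate == 0 &&` ordering is right: the hook is only consulted when hibernation is otherwise enabled, so a `nohibernate` kernel does not raise lockdown denials on every query.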
Date: Fri, 21 Jun 2019 17:03:40 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-12-matthewgarrett@google.com>
Subject: [PATCH V34 11/29] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Bjorn Helgaas , linux-pci@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Bjorn Helgaas cc: linux-pci@vger.kernel.org Reviewed-by: Kees Cook --- drivers/pci/pci-sysfs.c | 16 ++++++++++++++++ drivers/pci/proc.c | 14 ++++++++++++-- drivers/pci/syscall.c | 4 +++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 5 files changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 25794c27c7a4..e1011efb5a31 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -903,6 +903,11 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, unsigned int size = count; loff_t init_off = off; u8 *data = (u8 *) buf; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (off > dev->cfg_size) return 0; @@ -1165,6 +1170,11 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, int bar = (unsigned long)attr->private; enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; 
@@ -1241,6 +1251,12 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..a72258d70407 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "pci.h" @@ -115,7 +116,11 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, struct pci_dev *dev = PDE_DATA(ino); int pos = *ppos; int size = dev->cfg_size; - int cnt; + int cnt, ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (pos >= size) return 0; @@ -196,6 +201,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +246,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..31e39558d49d 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -7,6 +7,7 @@ #include #include +#include #include #include #include "pci.h" 
@@ -90,7 +91,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); diff --git a/include/linux/security.h b/include/linux/security.h index a051f21a1144..1b849f10dec6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -86,6 +86,7 @@ enum lockdown_reason { LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, + LOCKDOWN_PCI_ACCESS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index ce5b3da9bd09..e2ee8a16b94c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -22,6 +22,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", + [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
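Review bot: in the `proc_bus_pci_ioctl` hunk the `security_locked_down(LOCKDOWN_PCI_ACCESS)` check is placed ahead of `switch (cmd)`, so it also refuses `PCIIOC_CONTROLLER`, which only returns `pci_domain_nr(dev->bus)` and writes nothing to the device; since the stated rationale is preventing DMA-capable writes, either move the check into the mmap-related cases or say in the commit message that read-only ioctls are deliberately blocked as well. Separately, `proc_bus_pci_mmap` and `pciconfig_write` fold the hook into `!capable(...) || security_locked_down(...)` and return a fixed -EPERM, while `pci_write_config`, `pci_mmap_resource`, `pci_write_resource_io`, `proc_bus_pci_write` and the ioctl path propagate the hook's return value; either is fine, but one style across the series is easier to audit.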
Date: Fri, 21 Jun 2019 17:03:41 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-13-matthewgarrett@google.com>
Subject: [PATCH V34 12/29] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells cc: x86@kernel.org Reviewed-by: Kees Cook --- arch/x86/kernel/ioport.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 1b849f10dec6..60569b7e9465 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -87,6 +87,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index e2ee8a16b94c..895ef3ba1b4c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
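Review bot: both ioport.c hunks consult `security_locked_down(LOCKDOWN_IOPORT)` only when privileges are being raised (`turn_on` in `ksys_ioperm`, `level > old` in `iopl`), so revoking port access stays allowed under lockdown, which is the right behaviour; but the commit message claims this "implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls", and if KDDELIO and KDDISABIO reach `ksys_ioperm()` with `turn_on == 0` (they remove access) they are untouched by this hunk, so the message should name only the two enabling ioctls or state that revocation is intentionally left open.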
Date: Fri, 21 Jun 2019 17:03:42 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-14-matthewgarrett@google.com>
Subject: [PATCH V34 13/29] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , Thomas Gleixner , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner cc: x86@kernel.org --- arch/x86/kernel/msr.c | 8 ++++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..131861b4e447 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include @@ -84,6 +85,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + err = security_locked_down(LOCKDOWN_MSR); + if (err) + return err; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -135,6 +140,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + err = security_locked_down(LOCKDOWN_MSR); + if (err) + break; err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; diff --git a/include/linux/security.h b/include/linux/security.h index 60569b7e9465..30bc6f058926 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -88,6 +88,7 @@ enum lockdown_reason { LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, + LOCKDOWN_MSR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 895ef3ba1b4c..297a065e6261 100644 
--- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", + [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
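Review bot: the two msr.c hunks check lockdown at different points: `msr_write` does it before the `if (count % 8) return -EINVAL;` validation, so a locked-down kernel rejects every write with -EPERM before looking at the request, whereas `msr_ioctl` does it only after the user-buffer copy that sets `-EFAULT` and just before `wrmsr_safe_regs_on_cpu`; doing the lockdown check first in the ioctl too, before copying the register block, would make both entry points fail identically and avoid processing user data that is going to be refused. The commit message should also state that MSR reads are deliberately left open: `LOCKDOWN_MSR` is inserted before `LOCKDOWN_INTEGRITY_MAX`, so this is an integrity-class restriction and read access is out of scope.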
Date: Fri, 21 Jun 2019 17:03:43 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-15-matthewgarrett@google.com>
Subject: [PATCH V34 14/29] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells cc: linux-acpi@vger.kernel.org Reviewed-by: Kees Cook --- drivers/acpi/custom_method.c | 6 ++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 8 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index aa972dc5cb7e..6e56f9f43492 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -8,6 +8,7 @@ #include #include #include +#include #include "internal.h" @@ -28,6 +29,11 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + int ret; + + ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + if (ret) + return ret; if (!(*ppos)) { /* parse the table header to get the table length */ diff --git a/include/linux/security.h b/include/linux/security.h index 30bc6f058926..cc2b5ee4cadd 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -89,6 +89,7 @@ enum lockdown_reason { LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, + LOCKDOWN_ACPI_TABLES, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 297a065e6261..1725224f0024 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", + [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010993 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 631BE924 for ; Sat, 22 Jun 2019 00:04:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 56B0926E3D for ; Sat, 22 Jun 2019 00:04:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4AB0828BB1; Sat, 22 Jun 2019 00:04:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F042B26E3D for ; Sat, 22 Jun 2019 00:04:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726817AbfFVAEl (ORCPT ); Fri, 21 Jun 2019 20:04:41 -0400 Received: from mail-qt1-f202.google.com ([209.85.160.202]:40490 "EHLO mail-qt1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726803AbfFVAEl (ORCPT ); Fri, 21 Jun 2019 20:04:41 -0400 Received: by mail-qt1-f202.google.com with SMTP id z6so9775092qtj.7 for ; Fri, 21 Jun 2019 17:04:40 -0700 (PDT) DKIM-Signature: v=1; 
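Review bot: in the cm_write() hunk of drivers/acpi/custom_method.c the lockdown check returns before the `if (!(*ppos))` branch, so if lockdown is raised at runtime partway through a multi-call write, whatever the earlier `*ppos == 0` call set up is simply abandoned; please confirm that path does not leave an allocation behind, or reset that state before returning. Checking at write time rather than when the debugfs file is created is the right choice, since the lockdown state can change after boot. Minor style: `int ret;` followed by a blank line and the assignment could be collapsed into an initialiser, as the testmmiotrace patch later in this series does.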
a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=kMkOq/TdZP2DxC+0jYMlNvaXt/K0jRyWoQ2RXLMuYi0=; b=QRjJLKdNtZo8CP4nTH7hluG2qV1AXyHaeNhLgJ9dx1fDUKb4PKvKgsxZC9qD/JpyOc nDlpqLlNjPK2Fr6/XPB9DFGktNMicEjN1U3rsUDXfXc0qt6uDJ4LiVqBRuB0IEYVTdqC g9pw8gFOb/hrRGu3KsVlrmVHnvI6Fg2+fFpvLxGvsYk9kHFo5degfWEqDha7Y8eH/AMU owop8HB8frx+BdG4M4kFYi15V93p/L6y8OBHHLti5WrGcp5xyaJuzKxcJQQIy7uVl5RI bM63+qZ8cl4gZwKMeJroO8r+Eqm/Y9IaQqorCVln/XP6Sft3X+wUDeJFpOaUTuF1wRyz uPNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=kMkOq/TdZP2DxC+0jYMlNvaXt/K0jRyWoQ2RXLMuYi0=; b=SHHTQZf4o2pn13AgJQw9283Sd1shOfsky33b2cKmLXArScGa6oSJfGpWCgrqKHUGuk 4qm1ngx5DeGVAug8MZmvxVJxG1bZOZoCSh130LCw81KuvDRLf9tSkdDehCdOlEjV+w+u MddWb8cB4UfXkJFB0yXZwaL8X9aWHeV2MMaoaYJdixLN/NYa/V56WbFILOjQUWWVJlLT vvUfBJs0rzHwP+nQgsTFtgTgZAkYf1+YKkpUWICpl2ndZObOzlqW1T09+QlYMizUzz2B L1EtunAdL0pDkSE037d17TukSPZgqWCBcnA0Wee303DSar4sa5rXbgwyxZNaMg84kevP PkZg== X-Gm-Message-State: APjAAAXnmxYOCuZa8yY6TG72vPjk0+F7pGrQf/EJJumQUriyBRgwFNvN 6fQvI6TbVPS6aKxf6KB2FTY/A9vLMAAicD0VIMneDw== X-Google-Smtp-Source: APXvYqyfTelCSA7v0vPY8aBBSkh56jUJFjBxZnlm2jUkbBn4LGuF/pZ/ysDWTqqbVvj8Ybj3gU9B9i2a5Gg4/j2L/hPeGw== X-Received: by 2002:a37:a9c9:: with SMTP id s192mr111878928qke.335.1561161880192; Fri, 21 Jun 2019 17:04:40 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:44 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-16-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down 
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , Dave Young , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware . Reject the option when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: Dave Young cc: linux-acpi@vger.kernel.org Reviewed-by: Kees Cook --- drivers/acpi/osl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..60cda8a0f36b 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include 
@@ -194,7 +195,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer(); From patchwork Sat Jun 22 00:03:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011055 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9CD3C1398 for ; Sat, 22 Jun 2019 00:06:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8FC6028B7B for ; Sat, 22 Jun 2019 00:06:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8379228BB1; Sat, 22 Jun 2019 00:06:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 218B628B7B for ; Sat, 22 Jun 2019 00:06:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726648AbfFVAGY (ORCPT ); Fri, 21 Jun 2019 20:06:24 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:33546 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726801AbfFVAEn (ORCPT ); Fri, 21 Jun 2019 20:04:43 -0400 Received: by mail-vs1-f74.google.com with SMTP id x140so2872273vsc.0 for ; Fri, 21 Jun 2019 17:04:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
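Review bot: in the acpi_os_get_root_pointer() hunk the acpi_rsdp= override is dropped silently when security_locked_down(LOCKDOWN_ACPI_TABLES) refuses it, whereas the table-override patch in this series emits a pr_notice(); a message along the lines of "kernel is locked down, ignoring acpi_rsdp" would make the fall-through to acpi_arch_get_root_pointer() diagnosable from dmesg. Also, this function is __init and the CONFIG_KEXEC block is reached early in boot, so please confirm the lockdown LSM is already initialised at that point; otherwise the call returns 0 and the parameter is honoured as before.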
h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=n33H2caFWJMziV8Vl9fEyuQPirYfKy2HcqzebAjjbEk=; b=QWSAua9g9RwKP0uU2R678HQj1nTTQlk+ccuY/QK3BB9zuEyoAp2MVYhulrYkxknxtp 8CcguRHGvVDf5J0QYKG9GN2mG6EWCobGgzOL2HDjpsFhBVlDO71Hs+o0pLtXh/p3Ed4V N5nM6O7m5g2LG2oUQZP1CsRN/M4x/GGJNW1x6vRcXwslO1ZZEosxSyRhL7850ntFt/Qr 0nB8h31WahXFNIUcWpZ86cgp6VcJyrAzNoEdvFqSnlqNyhwwQTw4mGjPAMnnSJ4bBY5N uVnBjMN4HatYvmQyuAT2EkWPBDPyZag+Wolf4TT6MIZc1eWQtxhPUA57hp8Msm/MWMnW KRIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=n33H2caFWJMziV8Vl9fEyuQPirYfKy2HcqzebAjjbEk=; b=T9ouVSPQf5xqM2gYjKAprESEYLeMebNY8V0JZMm4DEnzuN8tnaCXIpI7sSSTT95L8C pCVk3XbjGXSNoDUte0W+K5TsoxUjWMOF4yMS9kSP1dLccxRwMtKX5hpJDWHQYVM8YZze RcelfvliU8EM+yi0PCNuDCAZoEpAekfrjm42yIYQ/dktLakTjwIHR6CwrBRfGN4QvZN0 6w1rmg5qRQmKaK027gyXnQOQ9AZCAC1/hJ8r4peT8J8dc/mAKGztynUphWaC3GWFRHY6 h5eUmBZiT9k78WYKH1YlVLC/TyGdH+ApqH/V/jJ7i8UGcQhKJGfMtyR+0Xm77D4MyiC1 6fxg== X-Gm-Message-State: APjAAAV+Uh0xOvVaZdpFomzx5b+bzRJ5eajeJawzQZ999KFgO/TtYZgp h/SNgDzu/hlwt+TxEZCbD85kY6JEZZTR2e9WwJ+aug== X-Google-Smtp-Source: APXvYqz+aR99joPErIIEbc2OhbHDT9lUw4o9PwDXDXdQ9wGtV1PBN1Bun/Dpx72Xl1cgY14BcfWe++NbFFwjQPw4r6febw== X-Received: by 2002:a67:7fd8:: with SMTP id a207mr52544296vsd.85.1561161882682; Fri, 21 Jun 2019 17:04:42 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:45 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-17-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 16/29] acpi: Disable ACPI table override if the kernel is locked down 
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Linn Crosetto , David Howells , Matthew Garrett , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Linn Crosetto From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: linux-acpi@vger.kernel.org Reviewed-by: Kees Cook --- drivers/acpi/tables.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 8fccbe49612a..41d9ccd0e075 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -34,6 +34,7 @@ #include #include #include +#include #include "internal.h" #ifdef CONFIG_ACPI_CUSTOM_DSDT 
@@ -539,6 +540,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (security_locked_down(LOCKDOWN_ACPI_TABLES)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); From patchwork Sat Jun 22 00:03:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011051 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F2E3876 for ; Sat, 22 Jun 2019 00:06:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E531C28B7B for ; Sat, 22 Jun 2019 00:06:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D8B7228BB3; Sat, 22 Jun 2019 00:06:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB48428B7B for ; Sat, 22 Jun 2019 00:06:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726838AbfFVAEr (ORCPT ); Fri, 21 Jun 2019 20:04:47 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:45341 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726839AbfFVAEq (ORCPT ); Fri, 21 Jun 2019 20:04:46 -0400 Received: by mail-vs1-f74.google.com with SMTP id v20so2855333vsi.12 for ; Fri, 21 Jun 2019 17:04:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
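Review bot: in the acpi_table_upgrade() hunk the pr_notice() is correctly placed after the `table_nr == 0` early return, so the message only appears when an override was actually supplied; do check whether the lockdown LSM already logs a denial inside security_locked_down(), in which case this notice duplicates it and could be dropped. As with the acpi_rsdp patch, acpi_table_upgrade() is __init and runs during early arch setup, so the ordering relative to lockdown initialisation needs to be confirmed for the check to have any effect.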
d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=D0cR1P9fRxl7I0Frc/NTBEIf+XZBbF2jRPFJwWOLz+E=; b=FN6rV7g1wI/cQULj1NeHY25dTFSqkhZVIJO87pMC8h34LSqiJQhwzDrpYiiyO8S5jK 5WuO9AZdivmx/IHth4tUCWQsu6aK1fXCa5IPsW5FyAyGqhS8o7SCfRLNWeyr907mEW59 BAJPQagNPHWoiAygcQ0WsleyxggB3QLnTgAO+0Zr4NToG2qapy/zD98DVHT5+cl8/EFi akZMCzlatqaUHLdwExao4rabh18Lcd6oOW0GtIjJk38zWfTVsXKKAKOuzq3RsSad3pYx ZB4xF7cn+5hEak/ocAoFV8txF3GMIWM+p7k63J35lWdSBGYy+9L8ZWheJ2dRmhfe0fOx k6Gg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=D0cR1P9fRxl7I0Frc/NTBEIf+XZBbF2jRPFJwWOLz+E=; b=njt3UL14uAcpAaaL1TZ0kONE4rJTleiju6VQNt2/H23MzhngxnFdTQy+TeLBqT/ZWw 440StxSyMIuMphmSPuZKbks/otJPGwAs5IDt5RMEuah95s+dKqwEkZ6C3C7NAu7LBNTq aWuBSJmT3SuVpgDTr1+8RS39HbJeudrTqUQwakUcSR8RabC7pEfYhrTHRzu0hufrzYNV fS5Z3zEwt7u3XsA3zFn9UMZv+FDGiVix6Zgw/vQdXVk1AX73WgKHd1IYdcvX9Ta0oqrT 4Qm/p9BGMlzRZmAVI/BP8IBXgV87jV5Suh4w2pLcZdqCXZIskMSUJFHg/wWXKVQD2QOd B6fw== X-Gm-Message-State: APjAAAVKSL1gPiB1yJ4kK6T1ic2gfJt+ZYd5w9p9rkhSo9ICYehTxSSy mF0cLAebH7qAyQQHqlWSNwSssxYXmdhdtkeTsIAc7A== X-Google-Smtp-Source: APXvYqw4d96MTv19mVO5YEXSxlhDKP6hJERH9aHPkctv1fha/0XtsJ8LHhcPxfrH3Kta8gdSMFY016WdHwGhe4DrOfdB7Q== X-Received: by 2002:ab0:7618:: with SMTP id o24mr14156916uap.39.1561161885166; Fri, 21 Jun 2019 17:04:45 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:46 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-18-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down 
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Dominik Brodowski , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- drivers/pcmcia/cistpl.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..379c53610102 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -1578,6 +1579,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + error = security_locked_down(LOCKDOWN_PCMCIA_CIS); + if (error) + return error; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) diff --git a/include/linux/security.h b/include/linux/security.h index cc2b5ee4cadd..03c125b277ca 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -90,6 +90,7 @@ enum lockdown_reason { LOCKDOWN_IOPORT, LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, + LOCKDOWN_PCMCIA_CIS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 1725224f0024..7be3e8fb5847 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -26,6 +26,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", + [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010995 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 77B1B76 for ; Sat, 22 Jun 2019 00:04:52 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6809926E3D for ; Sat, 22 Jun 2019 00:04:52 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5BF1728BB1; Sat, 22 Jun 2019 00:04:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DEC3326E3D for ; Sat, 22 Jun 2019 00:04:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726851AbfFVAEt (ORCPT ); Fri, 21 Jun 2019 20:04:49 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:51341 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726853AbfFVAEs (ORCPT ); Fri, 21 Jun 2019 20:04:48 -0400 Received: by mail-pl1-f201.google.com with SMTP id d2so4458194pla.18 for ; Fri, 21 Jun 2019 17:04:47 -0700 (PDT) DKIM-Signature: 
v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=7XUJQ2WWQgV+58iwM6R5lnhVlgjpfti3qggxZNIjvHc=; b=YbOGu6X3QdBGGGe8faHuFUYcFb8svwX0Yxl+CKZAFfrIXqI87gpdCYLkBy1RaGPta6 yrXHUhg6AvScoTY4m1Odo+/d3z9d7LUQVs7GrNeE9mFjrvxC0jFRRG0WFDmeARdHINoL 9EcWj34vMERn+3r+itQyO16RcWcpEpm9Lf6JNPHsvRDe46Q5sI5yk8mvHp3AbTMt9oeY Eovet+DRjjFBtgQyhhJsO/zVZP74OIBcPT7f8KuZ2LtAAHjxLB0tATATujAR/MbaUZZ4 Pm/32Y/fZlVXUWXMUQoLA+3vWhjjyHix9KSTINraPHgkYVJQZgEicVTLVGsYT3pskJn6 egvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=7XUJQ2WWQgV+58iwM6R5lnhVlgjpfti3qggxZNIjvHc=; b=qmEfKm+gzxWS/wq3I9OZ/Jf9bOdUxsH3FIyYAleNbEuE6Gz8e+6LiblIe966qpVMIi 8p7nXHXW2mYyZMhd5uguCFSqzhjmm2lQGaNpKyiCWK6LZLzVirGvMGFF9edT2T6FUYPL JMCCQ4yGP98DcfjmhJIE3i9eUzyz3jfKZp6miWQgtob8L+zAAA2AZIQeODAia0etXbcP tPBC+JaMe5P5sWCh070ckJe6ZKwnK2EzUjiBlHm5279fcRQP53lsQ2HUilfLTj27YmXv 9uzCe6hcGoA/u9Ap+NRr+8q3RCcZ8JtclPySf4yYwwnTvQmWl05a8gPBKqhLypop5OqP yajg== X-Gm-Message-State: APjAAAVfv6iVmtvNqozDHtYOKiTZy/u6ROt3u0L0qqtglnpxMTAvW7nY S19isD6r7IcDiVSUEWwSjf5bvLd6fbX0bbWZK4uR0w== X-Google-Smtp-Source: APXvYqwX0BWadWUzKD1pGC6iismXRYFWPwCnDuU+HcsvZA1gPfoXYPu6NOPQ3UQf1f2qQnXsIVTWV1ab1WpwKnLIpbDK9g== X-Received: by 2002:a63:f70b:: with SMTP id x11mr21395458pgh.212.1561161887383; Fri, 21 Jun 2019 17:04:47 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:47 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-19-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 18/29] Lock down TIOCSSERIAL 
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Greg Kroah-Hartman , Matthew Garrett , Jiri Slaby , linux-serial@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: Jiri Slaby Cc: linux-serial@vger.kernel.org Reviewed-by: Kees Cook --- drivers/tty/serial/serial_core.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 351843f847c0..a84f231a5df4 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -852,6 +853,10 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); + if (retval && (change_port || change_irq)) + goto exit; + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || diff --git a/include/linux/security.h b/include/linux/security.h index 03c125b277ca..61e3f4a62d16 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -91,6 +91,7 @@ enum lockdown_reason { LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, + LOCKDOWN_TIOCSSERIAL, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; 
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 7be3e8fb5847..c89046dc2155 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -27,6 +27,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", + [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011049 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B623F76 for ; Sat, 22 Jun 2019 00:06:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A5C4E28B7B for ; Sat, 22 Jun 2019 00:06:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 99AEB28BB1; Sat, 22 Jun 2019 00:06:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 00FBD28B7B for ; Sat, 22 Jun 2019 00:06:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726243AbfFVAGS (ORCPT ); Fri, 21 Jun 2019 20:06:18 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:37971 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726873AbfFVAEu (ORCPT ); Fri, 21 Jun 2019 20:04:50 -0400 Received: by mail-pg1-f201.google.com with SMTP id 21so4999344pgl.5 for ; Fri, 21 Jun 2019 17:04:50 -0700 (PDT) 
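Review bot: in the uart_set_info() hunk `retval` is assigned the result of security_locked_down() unconditionally but only acted on when change_port or change_irq is set; when the kernel is locked down and neither changes, the function continues with a stale non-zero retval, which is only safe if every subsequent path overwrites it before reaching `exit`. Restructuring as `if (change_port || change_irq) { retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); if (retval) goto exit; }` avoids relying on that and also skips the LSM call for requests that touch neither field.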
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=DcYA884YGcGGdCYTloo9C5D9P2JdZYIZcuEODFPPdyE=; b=FpAHE5nRtiq8twPnU2FiA6jLImIS9YqBG0kkzIsrD6OMZiYkZhbmyWygj1lEcLXZZ+ yhPzB8BSVUrcxee0v1jTxwyQ+nDZsbbYuryXRtruDeoXjlY+p0iYOpq7nKjz9aZ0qq/p /O2JfwU8M+jWw2Z9YuevmCs/eS4sN2vfFq0jaX0aCGRgjNzl5lcYsGj/jofyaP4CDRBt 0bN/jvJwoS9wJWP3S5dhVrX0L2iP0Ds82S3TrvG0hfHn3FJuvD905D7I/fQBcx2+B0Aa 273VlHuxdXiojhQkEa6oLg1y3gOOQCYo8Ldrh1xgfRjUEcXzF02eN6AaKuUrFSY255is 9IxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=DcYA884YGcGGdCYTloo9C5D9P2JdZYIZcuEODFPPdyE=; b=fS0zQFGTn/fVFrCuEmah9cG/OZ7SbMyEVJMtXkf0y4lGqRhC6qfEmeaRORIOAwoPFb TURj7MuxZeWm33mJNhUbYbOijDgeFJqy44ZLVaGKiPWeAfx9rCNxrsWxay4xLpiDXDGu hURs48L4yi8ng7egwgg/WTkaC5piSP4HAdndZ10/l8X/yRlyesXLwsri7AJ/zq4uM27i +Mq01JyrMzIh7hycTEpPsCjD+jPEHPIpoGh0qLfVqHddiQUbM1vQirBkGffLu+0Br+xF YKqzV8BzPWDSsf0hfvpYSlGl1blQpKmvH9LQgTQ+EyUwYKL0+W6vXp6PduN9p5Alczox Cz7w== X-Gm-Message-State: APjAAAWftiPCvbT1Ky1Z1t4/0XZVoEaeawbQtKpsiah//dNnl767jhAl 8hyVLnI1zSPloR4eFoSSoanIuXa1zLkcdxnHSetm2Q== X-Google-Smtp-Source: APXvYqwnynpKqdK3Eq/xy1g7CilbIDHxC9Vh45kR566G/Sw5s9erByxy4tBBT/h8oYqEIaaSCkzkuhqgBVwmIC7LYGatZg== X-Received: by 2002:a63:5152:: with SMTP id r18mr20149468pgl.94.1561161889779; Fri, 21 Jun 2019 17:04:49 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:48 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-20-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) 
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alan Cox , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- include/linux/security.h | 1 + kernel/params.c | 27 ++++++++++++++++++++++----- security/lockdown/lockdown.c | 1 + 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 61e3f4a62d16..88064d7f6827 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -92,6 +92,7 @@ enum lockdown_reason { LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, + LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..f94fe79e331d 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -24,6 +24,7 @@ #include #include #include +#include #ifdef CONFIG_SYSFS /* Protects all built-in parameters, modules use their own param_lock */ @@ -108,13 +109,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) + return false; + return true; } static int parse_one(char *param, 
@@ -144,8 +151,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } @@ -553,6 +562,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, @@ -565,8 +580,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c89046dc2155..d03c4c296af7 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011047 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B64C51398 for ; Sat, 22 Jun 2019 00:06:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A499028BAD for ; Sat, 22 Jun 2019 00:06:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9845028B7B; Sat, 22 Jun 2019 00:06:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1D8EA28B7B for ; Sat, 22 Jun 2019 00:06:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726884AbfFVAEx (ORCPT ); Fri, 21 Jun 2019 20:04:53 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:46950 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726883AbfFVAEx (ORCPT ); Fri, 21 Jun 2019 20:04:53 -0400 Received: by mail-pf1-f201.google.com with SMTP id a125so5316249pfa.13 for ; Fri, 21 
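Review bot: in the param_check_unsafe() hunk the new `doing` argument is accepted but never used, and the hardware-parameter rejection is silent, unlike the KERNEL_PARAM_FL_UNSAFE branch just above it which logs the option name; a pr_notice() naming kp->name and `doing` (the module name or the boot-time caller string) would use the argument and tell an operator why a command-line or modprobe parameter was ignored. The function also discards the errno from security_locked_down(), and both the parse_one() and param_attr_store() callers substitute a hard-coded -EPERM; returning the LSM's value instead would keep the error consistent with the other lockdown call sites in this series. Note the ordering as written: an option flagged both FL_UNSAFE and FL_HWPARAM taints the kernel first and is then rejected.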
Jun 2019 17:04:52 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:49 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-21-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Thomas Gleixner , Matthew Garrett , Steven Rostedt , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy. Suggested-by: Thomas Gleixner Signed-off-by: David Howells cc: Thomas Gleixner cc: Steven Rostedt cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org Reviewed-by: Kees Cook Reviewed-by: Thomas Gleixner --- arch/x86/mm/testmmiotrace.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index f6ae6830b341..6b9486baa2e9 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c @@ -7,6 +7,7 @@ #include #include #include +#include static unsigned long mmio_address; module_param_hw(mmio_address, ulong, iomem, 0); @@ -114,6 +115,10 @@ static void do_test_bulk_ioremapping(void) static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + int ret = security_locked_down(LOCKDOWN_MMIOTRACE); + + if (ret) + return ret; if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); diff --git a/include/linux/security.h b/include/linux/security.h index 88064d7f6827..c649cb91e762 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
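Review bot: `int ret = security_locked_down(LOCKDOWN_MMIOTRACE);` in the init() hunk of arch/x86/mm/testmmiotrace.c performs the policy check inside a declaration, tucked in after `unsigned long size = ...`; kernel style is to declare `int ret;` with the other locals and make the call as the first statement, which also makes the early `return ret;` easier to spot. Its position before the `mmio_address == 0` test is right, since a locked-down kernel should refuse the module regardless of its arguments. One request for the commit message: `mmio_address` is declared with module_param_hw() a few lines above the hunk, and this same series adds the LOCKDOWN_MODULE_PARAMETERS restriction for hardware parameters (its reason string is visible in the previous patch's lockdown.c hunk), so a sentence saying that this check is intentionally independent of that one would save reviewers the question of whether it is redundant.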
@@ -93,6 +93,7 @@ enum lockdown_reason { LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, + LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d03c4c296af7..cd86ed9f4d4b 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
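Review bot: LOCKDOWN_MMIOTRACE is inserted before LOCKDOWN_INTEGRITY_MAX in the include/linux/security.h hunk, so the restriction applies in integrity mode; that matches the commit message's point that the module can write as well as read MMIO space, but the classification deserves an explicit sentence in the commit message, as the /proc/kcore patch later in this series does for confidentiality mode. The matching reason string in the lockdown.c hunk, "unsafe mmio", is terser than its neighbours ("direct PCMCIA CIS storage", "reconfiguration of serial port IO") and does not name what was refused; something like "direct MMIO access via testmmiotrace" would make the denial message self-explanatory to an administrator reading the log.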
@@ -29,6 +29,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", + [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010997 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1E74F76 for ; Sat, 22 Jun 2019 00:04:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0EC4626E3D for ; Sat, 22 Jun 2019 00:04:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0291428BB1; Sat, 22 Jun 2019 00:04:57 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E0DEE26E3D for ; Sat, 22 Jun 2019 00:04:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726895AbfFVAE4 (ORCPT ); Fri, 21 Jun 2019 20:04:56 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:40094 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726894AbfFVAEz (ORCPT ); Fri, 21 Jun 2019 20:04:55 -0400 Received: by mail-vs1-f74.google.com with SMTP id v9so2864437vsq.7 for ; Fri, 21 Jun 2019 17:04:55 
-0700 (PDT) Date: Fri, 21 Jun 2019 17:03:50 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-22-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 21/29] Lock down /proc/kcore
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- fs/proc/kcore.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index d29d869abec1..4e95edb1e282 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "internal.h" @@ -545,6 +546,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_KCORE); + + if (ret) + return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; diff --git a/include/linux/security.h b/include/linux/security.h index c649cb91e762..3875f6df2ecc 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -95,6 +95,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_KCORE, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index cd86ed9f4d4b..4c9b324dfc55 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
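Review bot: in the open_kcore() hunk the lockdown check runs before `if (!capable(CAP_SYS_RAWIO)) return -EPERM;`, so on a locked-down kernel every unprivileged open of /proc/kcore is decided (and attributed) by the lockdown LSM rather than by the existing capability test. If the LSM also returns -EPERM the observable behaviour is identical, but moving `security_locked_down(LOCKDOWN_KCORE)` below the capable() check keeps the lockdown path for attempts that would otherwise have succeeded and avoids the LSM call for the common unprivileged case. The placement of LOCKDOWN_KCORE after LOCKDOWN_INTEGRITY_MAX in the security.h hunk correctly implements the "confidentiality mode only" statement in the commit message.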
@@ -31,6 +31,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011045 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 60E171398 for ; Sat, 22 Jun 2019 00:06:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 50C4928B7B for ; Sat, 22 Jun 2019 00:06:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4461828BAD; Sat, 22 Jun 2019 00:06:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D63D728BB1 for ; Sat, 22 Jun 2019 00:06:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726617AbfFVAGH (ORCPT ); Fri, 21 Jun 2019 20:06:07 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:51659 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726906AbfFVAE5 (ORCPT ); Fri, 21 Jun 2019 20:04:57 -0400 Received: by mail-pg1-f201.google.com with SMTP id i35so3815541pgi.18 for ; Fri, 21 Jun 2019 17:04:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
Date: Fri, 21 Jun 2019 17:03:51 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net, Masami Hiramatsu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu Reviewed-by: Kees Cook Acked-by: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 3875f6df2ecc..e6e3e2403474 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -96,6 +96,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 5d5129b05df7..5a76a0f79d48 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; 
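Review bot: the commit message covers both perf and ftrace kprobes, but the only hook added is in __register_trace_kprobe() in kernel/trace/trace_kprobe.c; if perf's kprobe events also reach this function (via the local trace_kprobe creation path), the commit message should say so, otherwise reviewers will look for a missing hook in kernel/events. It should equally state that register_kprobe() itself is deliberately left unhooked, because that is what preserves the "kprobes from signed modules" case the message promises. The check itself is well placed: it reuses the existing `ret` and runs before trace_probe_is_registered(), so nothing is registered or left half-initialised when lockdown refuses.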
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 4c9b324dfc55..5a08c17f224d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011039 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4109E924 for ; Sat, 22 Jun 2019 00:06:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 321B528B7B for ; Sat, 22 Jun 2019 00:06:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2695F28BB1; Sat, 22 Jun 2019 00:06:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F23128B7B for ; Sat, 22 Jun 2019 00:06:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726924AbfFVAFB (ORCPT ); Fri, 21 Jun 2019 20:05:01 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:39950 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726916AbfFVAFA (ORCPT ); Fri, 21 Jun 2019 20:05:00 -0400 Received: by mail-pf1-f201.google.com with SMTP id z1so5319332pfb.7 for ; Fri, 21 Jun 2019 17:05:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
Date: Fri, 21 Jun 2019 17:03:52 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-24-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells There are some bpf functions can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Disable them if the kernel has been locked down in confidentiality mode. Suggested-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann Reviewed-by: Kees Cook Nacked-by: Daniel Borkmann --- include/linux/security.h | 1 + kernel/trace/bpf_trace.c | 20 +++++++++++++++++++- security/lockdown/lockdown.c | 1 + 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/include/linux/security.h b/include/linux/security.h index e6e3e2403474..de0d37b1fe79 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -97,6 +97,7 @@ enum lockdown_reason { LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, + LOCKDOWN_BPF_READ, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index d64c00afceb5..638f9b00a8df 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,10 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret) + return ret; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); 
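Review bot: in the bpf_probe_read() hunk the early `return ret;` skips the `memset(dst, 0, size)` that the existing failure path performs when probe_kernel_read() fails, so on a locked-down kernel the helper reports an error but leaves the destination buffer uninitialised, which is presumably exactly what the existing zeroing is there to prevent. Either zero `dst` before returning or let the lockdown result fall through to the existing error handling, e.g. `ret = security_locked_down(LOCKDOWN_BPF_READ); if (!ret) ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size);`. The bpf_probe_read_str() hunk further down adds the same early return ahead of its own buffer handling and should be checked for the same problem.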
@@ -156,6 +160,12 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + int ret; + + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret) + return ret; + /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. @@ -205,7 +215,11 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, int fmt_cnt = 0; u64 unsafe_addr; char buf[64]; - int i; + int i, ret; + + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret) + return ret; /* * bpf_check()->check_func_arg()->check_stack_boundary() @@ -534,6 +548,10 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret) + return ret; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 5a08c17f224d..2eea2cc13117 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
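Review bot: bpf_probe_write_user() is gated with LOCKDOWN_BPF_READ, whose reason string in the lockdown.c hunk is "use of bpf to read kernel RAM", yet this helper writes user memory and reads nothing from the kernel, so a denial there would be logged with a misleading reason. Either give it its own reason, broaden the string ("use of bpf to read or write memory"), or explain in the commit message why a user-memory write belongs under the confidentiality umbrella. Two further points: the checks in bpf_trace_printk(), bpf_probe_read() and bpf_probe_read_str() run on every helper invocation, which is a hot path in tracing programs, whereas the same policy could be applied once when the helper is resolved at program load; and the trailer block carries "Nacked-by: Daniel Borkmann", which the cover letter or this commit message needs to address, since a Nack from the bpf side would normally block the patch rather than be recorded in its tags.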
@@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", + [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11011035 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4561776 for ; Sat, 22 Jun 2019 00:06:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 36B8828B7B for ; Sat, 22 Jun 2019 00:06:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2ACE528BB1; Sat, 22 Jun 2019 00:06:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C0A7A28B7B for ; Sat, 22 Jun 2019 00:06:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726944AbfFVAFD (ORCPT ); Fri, 21 Jun 2019 20:05:03 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:38363 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726940AbfFVAFD (ORCPT ); Fri, 21 Jun 2019 20:05:03 -0400 Received: by mail-pl1-f201.google.com with SMTP id s22so4486988plp.5 for ; Fri, 21 Jun 2019 17:05:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
Date: Fri, 21 Jun 2019 17:03:53 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-25-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 24/29] Lock down perf when in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Reviewed-by: Kees Cook --- include/linux/security.h | 1 + kernel/events/core.c | 7 +++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index de0d37b1fe79..53ea85889a48 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -98,6 +98,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index 72d06e302e99..77f36551756e 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10731,6 +10731,13 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + else + err = 0; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2eea2cc13117..a7e75c614416 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
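Review bot: the perf_event_open() hunk calls security_locked_down(LOCKDOWN_PERF) unconditionally and only then tests `attr.sample_type & PERF_SAMPLE_REGS_INTR`, so every perf_event_open() on a locked-down kernel goes through the LSM even when REGS_INTR was never requested, and the awkward `else err = 0;` exists only to undo that. Inverting the test fixes both: `if (attr.sample_type & PERF_SAMPLE_REGS_INTR) { err = security_locked_down(LOCKDOWN_PERF); if (err) return err; }`. That also removes the `else` following a `return` and the brace-less `if` with a comment between condition and body, both of which kernel style discourages. Lastly, the commit message speaks of "certain perf facilities" but the hunk restricts exactly one sample type; naming PERF_SAMPLE_REGS_INTR and saying what it exposes (register contents at interrupt time) would make the scope clear to anyone reading the log.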
@@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Sat Jun 22 00:03:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11010999 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C2AD8924 for ; Sat, 22 Jun 2019 00:05:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AFC7926E3D for ; Sat, 22 Jun 2019 00:05:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9F3AF28BB1; Sat, 22 Jun 2019 00:05:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F2C3926E3D for ; Sat, 22 Jun 2019 00:05:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726961AbfFVAFG (ORCPT ); Fri, 21 Jun 2019 20:05:06 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:44323 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726955AbfFVAFF (ORCPT ); Fri, 21 Jun 2019 20:05:05 -0400 Received: by mail-pg1-f201.google.com with SMTP id a21so4984382pgh.11 for ; Fri, 21 Jun 2019 17:05:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
Date: Fri, 21 Jun 2019 17:03:54 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-26-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org

Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime.

Signed-off-by: Matthew Garrett
Acked-by: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: linux-integrity@vger.kernel.org
--- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 11 +++++-- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ 5 files changed, 71 insertions(+), 3 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index dc12fbcf484c..c30954acc660 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -132,4 +132,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 27adb4312b03..539d0ca855bc 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -237,8 +237,15 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = security_locked_down(LOCKDOWN_KEXEC); - if (ret) + ret = 0; + + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC)) { + ret = -EPERM; goto out; break; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d213e835c498..3bc62062cfe8 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -115,6 +115,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 357edd140c09..927fe889201a 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -473,7 +473,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..8784449918e2 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -1339,3 +1339,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. 
+ */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */

From patchwork Sat Jun 22 00:03:55 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011029
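Review bot: in the kernel/kexec_file.c hunk of patch 25/29, the block opened by `security_locked_down(LOCKDOWN_KEXEC)) {` is never closed: after `+ ret = -EPERM;` the context lines `goto out;` and `break;` follow with no `}`, so either the closing brace was dropped from the patch or `break;` now sits inside the if-block and the switch no longer compiles. Add `}` after `goto out;`, and since `ret = 0;` is what now makes the fall-through to `break;` report success (the removed code relied on security_locked_down()'s return value), say so in the comment above the check.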
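Review bot: ima_appraise_signature() in the security/integrity/ima/ima_policy.c hunk of patch 25/29 steps over every rule whose action is not APPRAISE (`if (entry->action != APPRAISE) continue;`), so a `dont_appraise` rule for the same func that precedes the appraise rule is ignored and the function reports that a signature will be verified when IMA's own policy match would stop at the dont_appraise rule and never appraise the image. The walk should end (returning false) at the first DONT_APPRAISE entry matching func, exactly as it ends at the first APPRAISE entry. Relatedly, only entry->func is compared, so any other condition the matching rule carries is not checked before it is taken as the governing rule; either check the remaining conditions or state in the comment that a func-only match is accepted and why that is safe given CONFIG_INTEGRITY_TRUSTED_KEYRING.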
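The rule walk that ima_appraise_signature() performs is small enough to mirror in user space, which is handy when checking whether a given IMA policy will let kexec_file() through under lockdown before relying on it. The C program below is an added example, not code from the patch or from the kernel: it parses the textual IMA policy syntax (one rule per line, as read from /sys/kernel/security/ima/policy) and applies the same first-match logic as the hunk above, skipping every non-appraise rule, letting the first appraise rule whose func= matches or which has no func= decide, and counting it only if it asks for appraise_type=imasig. The hook list, the policy_appraises_signature() function and the two sample policies are this example's own constructions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hooks this example understands, named as they appear after func= in IMA
 * policy text. HOOK_ANY stands for a rule without a func= qualifier, which
 * matches every hook (the "generic entry" of the patch's comment).
 */
enum ima_hook {
	HOOK_ANY = 0,
	FILE_CHECK,
	MODULE_CHECK,
	FIRMWARE_CHECK,
	KEXEC_KERNEL_CHECK,
	KEXEC_INITRAMFS_CHECK,
	HOOK_COUNT
};

static const char *const hook_names[HOOK_COUNT] = {
	[FILE_CHECK] = "FILE_CHECK",
	[MODULE_CHECK] = "MODULE_CHECK",
	[FIRMWARE_CHECK] = "FIRMWARE_CHECK",
	[KEXEC_KERNEL_CHECK] = "KEXEC_KERNEL_CHECK",
	[KEXEC_INITRAMFS_CHECK] = "KEXEC_INITRAMFS_CHECK",
};

struct rule {
	bool appraise;        /* action is "appraise"; dont_appraise/measure/audit are not */
	enum ima_hook func;   /* HOOK_ANY when the rule has no func= qualifier */
	bool digsig_required; /* appraise_type=imasig given (IMA_DIGSIG_REQUIRED) */
};

/* Hook for a func= value, or -1 for a name this example does not model. */
static int hook_by_name(const char *name)
{
	for (int i = FILE_CHECK; i < HOOK_COUNT; i++)
		if (strcmp(name, hook_names[i]) == 0)
			return i;
	return -1;
}

/*
 * Parse one line such as "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig".
 * Returns false for blank or comment lines and for rules naming an unknown hook.
 * Other qualifiers (uid=, fowner=, fsmagic=, ...) are ignored, just as the
 * kernel function compares only entry->func.
 */
static bool parse_rule(const char *line, struct rule *r)
{
	char buf[256];
	char *tok, *save;

	memset(r, 0, sizeof(*r));
	snprintf(buf, sizeof(buf), "%s", line);

	tok = strtok_r(buf, " \t\r", &save);
	if (!tok || tok[0] == '#')
		return false;
	r->appraise = strcmp(tok, "appraise") == 0;

	while ((tok = strtok_r(NULL, " \t\r", &save)) != NULL) {
		if (strncmp(tok, "func=", 5) == 0) {
			int hook = hook_by_name(tok + 5);
			if (hook < 0)
				return false;
			r->func = (enum ima_hook)hook;
		} else if (strncmp(tok, "appraise_type=imasig", 20) == 0) {
			r->digsig_required = true;
		}
	}
	return true;
}

/*
 * Mirror of the walk in the patch's ima_appraise_signature(): rules are visited
 * in policy order, non-appraise rules are skipped, and the first appraise rule
 * whose func= matches (or which is generic) decides. It counts only if it
 * demands a digital signature; a later rule never overrides that first match.
 * Policies longer than the buffer are truncated (example-sized limit).
 */
bool policy_appraises_signature(const char *policy, enum ima_hook func)
{
	char buf[1024];
	char *line, *save;
	struct rule r;

	snprintf(buf, sizeof(buf), "%s", policy);
	for (line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
		if (!parse_rule(line, &r) || !r.appraise)
			continue;
		if (r.func != HOOK_ANY && r.func != func)
			continue;
		return r.digsig_required; /* the kernel's `break` */
	}
	return false;
}

/* Constructed sample policies in /sys/kernel/security/ima/policy syntax (not from the page). */
const char policy_signed_kexec[] =
	"measure func=KEXEC_KERNEL_CHECK\n"
	"appraise func=MODULE_CHECK appraise_type=imasig\n"
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig\n"
	"appraise fowner=0\n";

/* The generic appraise rule comes first, so the kexec rule after it is never reached. */
const char policy_generic_first[] =
	"appraise fowner=0\n"
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig\n";

int main(void)
{
	printf("signed_kexec, KEXEC_KERNEL_CHECK: %d\n",
	       policy_appraises_signature(policy_signed_kexec, KEXEC_KERNEL_CHECK));
	printf("signed_kexec, FIRMWARE_CHECK: %d\n",
	       policy_appraises_signature(policy_signed_kexec, FIRMWARE_CHECK));
	printf("generic_first, KEXEC_KERNEL_CHECK: %d\n",
	       policy_appraises_signature(policy_generic_first, KEXEC_KERNEL_CHECK));
	return 0;
}
```

policy_generic_first shows the situation the hunk's last comment describes: the generic appraise rule matches first, so the signature-requiring kexec rule after it is never consulted, the function returns false, and under lockdown kexec_file() stays blocked even though the policy text contains a rule that looks sufficient. Reordering the policy so the func-specific imasig rule precedes the generic one is what makes the check pass.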
Date: Fri, 21 Jun 2019 17:03:55 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-27-matthewgarrett@google.com>
Subject: [PATCH V34 26/29] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Andy Shevchenko , acpi4asus-user@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, Matthew Garrett , Thomas Gleixner , Matthew Garrett

From: David Howells

Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made:

(1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that).

(2) When the kernel is locked down, only files with the following criteria are permitted to be opened:
- The file must have mode 00444
- The file must not have ioctl methods
- The file must not have mmap

(3) When the kernel is locked down, files may only be opened for reading.

Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver.

I would actually prefer to lock down all files by default and have the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables).

Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
Signed-off-by: Matthew Garrett --- fs/debugfs/file.c | 30 ++++++++++++++++++++++++++++++ fs/debugfs/inode.c | 32 ++++++++++++++++++++++++++++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 4 files changed, 62 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..f60518f0e3aa 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "internal.h" @@ -136,6 +137,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return security_locked_down(LOCKDOWN_DEBUGFS); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +167,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +297,11 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ 
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 95b5e78c22b1..a53a4748ebc1 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -23,6 +23,7 @@ #include #include #include +#include #include "internal.h" @@ -32,6 +33,32 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + int ret = security_locked_down(LOCKDOWN_DEBUGFS); + + if (ret && (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) + return ret; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -356,6 +383,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -516,7 +544,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
@@ -611,7 +639,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry); diff --git a/include/linux/security.h b/include/linux/security.h index 53ea85889a48..097e4b0ce73f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -94,6 +94,7 @@ enum lockdown_reason { LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, + LOCKDOWN_DEBUGFS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index a7e75c614416..bbcb82985765 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -30,6 +30,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", + [LOCKDOWN_DEBUGFS] = "debugfs access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes",

From patchwork Sat Jun 22 00:03:56 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011027
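Review bot: debugfs_is_locked_down() in the fs/debugfs/file.c hunk of patch 26/29 returns bool, but both call sites (open_proxy_open() and full_proxy_open()) store the result in the int `r` and `goto out`, which returns `r` from open(); the -EPERM from security_locked_down() is therefore collapsed to 1 and a refused open returns a positive value instead of an errno. Make the helper return int (0 when the file passes the heuristic, otherwise the value of security_locked_down()) so `r` carries -EPERM. Also note that `(inode->i_mode & 07777) == 0444` refuses read-only files with a stricter mode such as 0400 or 0440; if that is intended the commit message's "mode 00444" criterion is accurate, otherwise `(inode->i_mode & 07777 & ~0444) == 0` expresses "no write or execute bits" and admits them.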
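Review bot: debugfs_setattr() in the fs/debugfs/inode.c hunk of patch 26/29 calls security_locked_down() before looking at ia->ia_valid, so every attribute change on a debugfs node under lockdown (timestamps, size) goes through the LSM hook and, given lockdown's pr_notice() in lockdown_is_locked_down(), logs a "debugfs access is restricted" notice for a change that is then permitted. Test `ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)` first and consult security_locked_down() only when one of those bits is set.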
Date: Fri, 21 Jun 2019 17:03:56 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-28-matthewgarrett@google.com>
Subject: [PATCH V34 27/29] tracefs: Restrict tracefs when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Steven Rostedt

Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open().

Signed-off-by: Matthew Garrett
Cc: Steven Rostedt
--- fs/tracefs/inode.c | 43 +++++++++++++++++++++++++++++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 44 insertions(+), 1 deletion(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index 7098c49f3693..487d41f234f8 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c @@ -24,6 +24,7 @@ #include #include #include +#include #define TRACEFS_DEFAULT_MODE 0700 @@ -31,6 +32,23 @@ static struct vfsmount *tracefs_mount; static int tracefs_mount_count; static bool tracefs_registered; +static int default_open_file(struct inode *inode, struct file *filp) +{ + struct dentry *dentry = filp->f_path.dentry; + struct file_operations *real_fops; + int ret; + + if (!dentry) + return -EINVAL; + + ret = security_locked_down(LOCKDOWN_TRACEFS); + if (ret) + return ret; + + real_fops = dentry->d_fsdata; + return real_fops->open(inode, filp); +} + static ssize_t default_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) { @@ -50,6 +68,13 @@ static const struct file_operations tracefs_file_operations = { .llseek = noop_llseek, }; +static const struct file_operations tracefs_proxy_file_operations = { + .read = default_read_file, + .write = default_write_file, + .open = default_open_file, + .llseek = noop_llseek, +}; + static struct tracefs_dir_ops { int (*mkdir)(const char *name); int (*rmdir)(const char *name);
@@ -225,6 +250,12 @@ static int tracefs_apply_options(struct super_block *sb) return 0; } +static void tracefs_destroy_inode(struct inode *inode) +{ + if (S_ISREG(inode->i_mode)) + kfree(inode->i_fop); +} + static int tracefs_remount(struct super_block *sb, int *flags, char *data) { int err; @@ -260,6 +291,7 @@ static int tracefs_show_options(struct seq_file *m, struct dentry *root) static const struct super_operations tracefs_super_operations = { .statfs = simple_statfs, + .destroy_inode = tracefs_destroy_inode, .remount_fs = tracefs_remount, .show_options = tracefs_show_options, }; @@ -393,6 +425,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, { struct dentry *dentry; struct inode *inode; + struct file_operations *proxy_fops; if (!(mode & S_IFMT)) mode |= S_IFREG; @@ -406,8 +439,16 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, if (unlikely(!inode)) return failed_creating(dentry); + proxy_fops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); + if (!proxy_fops) + return failed_creating(dentry); + + dentry->d_fsdata = fops ? (void *)fops : + (void *)&tracefs_file_operations; + memcpy(proxy_fops, dentry->d_fsdata, sizeof(struct file_operations)); + proxy_fops->open = default_open_file; inode->i_mode = mode; - inode->i_fop = fops ? fops : &tracefs_file_operations; + inode->i_fop = proxy_fops; inode->i_private = data; d_instantiate(dentry, inode); fsnotify_create(dentry->d_parent->d_inode, dentry); diff --git a/include/linux/security.h b/include/linux/security.h index 097e4b0ce73f..438dc0892b96 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -100,6 +100,7 @@ enum lockdown_reason { LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF, + LOCKDOWN_TRACEFS, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index bbcb82985765..98f9ee0026d5 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -36,6 +36,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_PERF] = "unsafe use of perf", + [LOCKDOWN_TRACEFS] = "use of tracefs", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Sat Jun 22 00:03:57 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011025
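Review bot: default_open_file() in the fs/tracefs/inode.c hunk of patch 27/29 calls real_fops->open unconditionally, but the fops it wraps need not define one: tracefs_file_operations as shown has no .open (tracefs_proxy_file_operations is what adds it) and callers of tracefs_create_file() may pass fops without an open method, so a NULL function pointer is called on the first open of such a file. Return 0 when real_fops->open is NULL. The non-const `struct file_operations *real_fops` also discards the const of the fops stored in d_fsdata; declare it `const struct file_operations *`.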
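Review bot: in the tracefs_create_file() hunk of patch 27/29 the kzalloc() failure path returns failed_creating(dentry) while the inode obtained just above has not yet been instantiated on the dentry, so that inode is leaked; add `iput(inode);` before the return. Since tracefs_destroy_inode() now frees i_fop for every regular-file inode, a comment at the allocation noting that i_fop is heap-owned by the inode from this point on would save the next reader from wondering whether a statically defined fops can ever reach that kfree().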
Date: Fri, 21 Jun 2019 17:03:57 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-29-matthewgarrett@google.com>
Subject: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Ard Biesheuvel , linux-efi@vger.kernel.org

efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down.

Signed-off-by: Matthew Garrett
Cc: Ard Biesheuvel
Cc: linux-efi@vger.kernel.org
Reviewed-by: Kees Cook
Acked-by: Ard Biesheuvel
--- drivers/firmware/efi/efi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 55b77c576c42..9f92a013ab27 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -31,6 +31,7 @@ #include #include #include +#include #include
@@ -242,6 +243,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else

From patchwork Sat Jun 22 00:03:58 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11011001
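Review bot: the check in the efivar_ssdt_setup() hunk of patch 28/29 runs when the efivar_ssdt= option is parsed rather than when the table is loaded, and the function hands back the -EPERM it gets from security_locked_down(); if this __init handler is registered through __setup(), its return value is read only as a handled/not-handled flag, so -EPERM is indistinguishable from any other non-zero result and the errno is misleading to the next reader. Either return 1 after the refusal with a comment that the option was recognised and rejected, or place the check beside the actual load in efivar_ssdt_load() so the refusal is tied to the action being blocked; the commit message names efivar_ssdt_load, so the latter also keeps the description and the code in step.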
Date: Fri, 21 Jun 2019 17:03:58 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-30-matthewgarrett@google.com>
Subject: [PATCH V34 29/29] lockdown: Print current->comm in restriction messages
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett

Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message is now patterned something like:

Lockdown: : is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
--- security/lockdown/lockdown.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 98f9ee0026d5..9ca6f442fbc7 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -83,8 +83,8 @@ static int lockdown_is_locked_down(enum lockdown_reason what) { if ((kernel_locked_down >= what)) { if (lockdown_reasons[what]) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - lockdown_reasons[what]); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, lockdown_reasons[what]); return -EPERM; }
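Review bot: the pr_notice() in lockdown_is_locked_down() is unthrottled and, after the debugfs and tracefs patches earlier in this series, is reached on every refused open(), which a process can repeat at will; with current->comm now in the line, a process that keeps hitting a restriction fills the log with a string it controls. pr_notice_ratelimited() keeps the first occurrences and drops the flood. The commit message's sample line also lost its field placeholders ("Lockdown: : is restricted") and should show the comm and reason fields in the positions the format string prints them.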