From patchwork Thu Feb 28 21:28:42 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10833743
From: Matthew Garrett
Date: Thu, 28 Feb 2019 13:28:42 -0800
Subject: [PULL REQUEST] Lock down patches
To: jmorris@namei.org
Cc: LSM List, Linux Kernel Mailing List, David Howells

Hi James,

David is low on cycles at the moment, so I'm taking over for this time round.

This patchset introduces an optional kernel lockdown feature, intended to strengthen the boundary between UID 0 and the kernel. When enabled and active (by enabling the config option and passing the "lockdown" option on the kernel command line), various pieces of kernel functionality are restricted. Applications that rely on low-level access to either hardware or the kernel may cease working as a result - therefore this should not be enabled without appropriate evaluation beforehand.

The majority of mainstream distributions have been carrying variants of this patchset for many years now, so there's value in providing a unified upstream implementation to reduce the delta. This PR probably doesn't meet every distribution requirement, but gets us much closer to not requiring external patches.

This PR is mostly the same as the previous attempt, but with the following changes:

1) The integration between EFI secure boot and the lockdown state has been removed

2) A new CONFIG_KERNEL_LOCK_DOWN_FORCE kconfig option has been added, which will always enable lockdown regardless of the kernel command line

3) The integration with IMA has been dropped for now. Requiring the use of the IMA secure boot policy when lockdown is enabled isn't practical for most distributions at the moment, as there's still not a great deal of infrastructure for shipping packages with appropriate IMA signatures, and it makes it complicated for end users to manage custom IMA policies.
The following changes since commit a3b22b9f11d9fbc48b0291ea92259a5a810e9438:

  Linux 5.0-rc7 (2019-02-17 18:46:40 -0800)

are available in the Git repository at:

  https://github.com/mjg59/linux lock_down

for you to fetch changes up to 43e004ecae91bf9159b8e91cd1d613e58b8f63f8:

  lockdown: Print current->comm in restriction messages (2019-02-28 11:19:23 -0800)

----------------------------------------------------------------
Dave Young (1):
      Copy secure_boot flag in boot params across kexec reboot

David Howells (12):
      Add the ability to lock down access to the running kernel image
      Enforce module signatures if the kernel is locked down
      Prohibit PCMCIA CIS storage when the kernel is locked down
      Lock down TIOCSSERIAL
      Lock down module params that specify hardware parameters (eg. ioport)
      x86/mmiotrace: Lock down the testmmiotrace module
      Lock down /proc/kcore
      Lock down kprobes
      bpf: Restrict kernel image access functions when the kernel is locked down
      Lock down perf
      debugfs: Restrict debugfs when the kernel is locked down
      lockdown: Print current->comm in restriction messages

Jiri Bohac (2):
      kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
      kexec_file: Restrict at runtime if the kernel is locked down

Josh Boyer (2):
      hibernate: Disable when the kernel is locked down
      acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

Kyle McMartin (1):
      Add a SysRq option to lift kernel lockdown

Linn Crosetto (2):
      acpi: Disable ACPI table override if the kernel is locked down
      acpi: Disable APEI error injection if the kernel is locked down

Matthew Garrett (7):
      Restrict /dev/{mem,kmem,port} when the kernel is locked down
      kexec_load: Disable at runtime if the kernel is locked down
      uswsusp: Disable when the kernel is locked down
      PCI: Lock down BAR access when the kernel is locked down
      x86: Lock down IO port access when the kernel is locked down
      x86/msr: Restrict MSR access when the kernel is locked down
      ACPI: Limit access to custom_method when the kernel is locked down

 arch/x86/Kconfig | 20 ++++++++++++-----
 arch/x86/include/asm/setup.h | 2 ++
 arch/x86/kernel/ioport.c | 6 ++++--
 arch/x86/kernel/kexec-bzimage64.c | 1 +
 arch/x86/kernel/msr.c | 10 +++++++++
 arch/x86/mm/testmmiotrace.c | 3 +++
 crypto/asymmetric_keys/verify_pefile.c | 4 +++-
 drivers/acpi/apei/einj.c | 3 +++
 drivers/acpi/custom_method.c | 3 +++
 drivers/acpi/osl.c | 2 +-
 drivers/acpi/tables.c | 5 +++++
 drivers/char/mem.c | 2 ++
 drivers/input/misc/uinput.c | 1 +
 drivers/pci/pci-sysfs.c | 9 ++++++++
 drivers/pci/proc.c | 9 +++++++-
 drivers/pci/syscall.c | 3 ++-
 drivers/pcmcia/cistpl.c | 3 +++
 drivers/tty/serial/serial_core.c | 6 ++++++
 drivers/tty/sysrq.c | 19 +++++++++++------
 fs/debugfs/file.c | 28 ++++++++++++++++++++++++
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++--
 fs/proc/kcore.c | 2 ++
 include/linux/ima.h | 6 ++++++
 include/linux/input.h | 5 +++++
 include/linux/kernel.h | 17 +++++++++++++++
 include/linux/kexec.h | 4 ++--
 include/linux/security.h | 9 +++++++-
 include/linux/sysrq.h | 8 ++++++-
 kernel/bpf/syscall.c | 3 +++
 kernel/debug/kdb/kdb_main.c | 2 +-
 kernel/events/core.c | 5 +++++
 kernel/kexec.c | 7 ++++++
 kernel/kexec_file.c | 56 ++++++++++++++++++++++++++++++++++++++++++------
 kernel/kprobes.c | 3 +++
 kernel/module.c | 56 ++++++++++++++++++++++++++++++++++++------------
 kernel/params.c | 26 ++++++++++++++++++-----
 kernel/power/hibernate.c | 2 +-
 kernel/power/user.c | 3 +++
 security/Kconfig | 24 +++++++++++++++++++++
 security/Makefile | 3 +++
 security/lock_down.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 41 files changed, 466 insertions(+), 50 deletions(-)
 create mode 100644 security/lock_down.c

reviewed-by: lines so I'm just trying to sort that out.
From patchwork Thu Feb 28 23:11:38 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834281
Date: Thu, 28 Feb 2019 15:11:38 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-2-matthewgarrett@google.com>
Subject: [PATCH 02/27] Add a SysRq option to lift kernel lockdown
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
From: Kyle McMartin Make an option to provide a sysrq key that will lift the kernel lockdown, thereby allowing the running kernel image to be accessed and modified. On x86 this is triggered with SysRq+x, but this key may not be available on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h. Since this macro must be defined in an arch to be able to use this facility for that arch, the Kconfig option is restricted to arches that support it. Signed-off-by: Kyle McMartin Signed-off-by: David Howells cc: x86@kernel.org --- arch/x86/include/asm/setup.h | 2 ++ drivers/input/misc/uinput.c | 1 + drivers/tty/sysrq.c | 19 ++++++++++----- include/linux/input.h | 5 ++++ include/linux/sysrq.h | 8 +++++- kernel/debug/kdb/kdb_main.c | 2 +- security/Kconfig | 9 +++++++ security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++ 8 files changed, 85 insertions(+), 8 deletions(-) diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h index ed8ec011a9fd..8daf633a5347 100644 --- a/arch/x86/include/asm/setup.h +++ b/arch/x86/include/asm/setup.h @@ -9,6 +9,8 @@ #include #include +#define LOCKDOWN_LIFT_KEY 'x' + #ifdef __i386__ #include diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 26ec603fe220..a73e92490286 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -366,6 +366,7 @@ static int uinput_create_device(struct uinput_device *udev) dev->flush = uinput_dev_flush; } + dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; dev->event = uinput_dev_event; input_set_drvdata(udev->dev, udev); diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c index 1f03078ec352..0a05d336008e 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c 
@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { /* x: May be registered on mips for TLB dump */ /* x: May be registered on ppc/powerpc for xmon */ /* x: May be registered on sparc64 for global PMU dump */ + /* x: May be registered on x86_64 for disabling secure boot */ NULL, /* x */ /* y: May be registered on sparc64 for global register dump */ NULL, /* y */ @@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } -void __handle_sysrq(int key, bool check_mask) +void __handle_sysrq(int key, unsigned int from) { struct sysrq_key_op *op_p; int orig_log_level; @@ -543,11 +544,15 @@ void __handle_sysrq(int key, bool check_mask) op_p = __sysrq_get_key_op(key); if (op_p) { + /* Ban synthetic events from some sysrq functionality */ + if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && + op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) + printk("This sysrq operation is disabled from userspace.\n"); /* * Should we check for enabled operations (/proc/sysrq-trigger * should not) and is the invoked operation enabled? */ - if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { + if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); @@ -579,7 +584,7 @@ void __handle_sysrq(int key, bool check_mask) void handle_sysrq(int key) { if (sysrq_on()) - __handle_sysrq(key, true); + __handle_sysrq(key, SYSRQ_FROM_KERNEL); } EXPORT_SYMBOL(handle_sysrq); @@ -659,7 +664,7 @@ static void sysrq_do_reset(struct timer_list *t) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) - __handle_sysrq(sysrq_xlate[KEY_B], false); + __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, 
@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, default: if (sysrq->active && value && value != 2) { + int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? + SYSRQ_FROM_SYNTHETIC : 0; sysrq->need_reinject = false; - __handle_sysrq(sysrq_xlate[code], true); + __handle_sysrq(sysrq_xlate[code], from); } break; } @@ -1096,7 +1103,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, if (get_user(c, buf)) return -EFAULT; - __handle_sysrq(c, false); + __handle_sysrq(c, SYSRQ_FROM_PROC); } return count; diff --git a/include/linux/input.h b/include/linux/input.h index 7c7516eb7d76..38cd0ea72c37 100644 --- a/include/linux/input.h +++ b/include/linux/input.h @@ -42,6 +42,7 @@ struct input_value { * @phys: physical path to the device in the system hierarchy * @uniq: unique identification code for the device (if device has it) * @id: id of the device (struct input_id) + * @flags: input device flags (SYNTHETIC, etc.) * @propbit: bitmap of device properties and quirks * @evbit: bitmap of types of events supported by the device (EV_KEY, * EV_REL, etc.) @@ -124,6 +125,8 @@ struct input_dev { const char *uniq; struct input_id id; + unsigned int flags; + unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; @@ -190,6 +193,8 @@ struct input_dev { }; #define to_input_dev(d) container_of(d, struct input_dev, dev) +#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 + /* * Verify that we are in sync with input_device_id mod_devicetable.h #defines */ diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h index 8c71874e8485..7de1f08b60a9 100644 --- a/include/linux/sysrq.h +++ b/include/linux/sysrq.h @@ -29,6 +29,8 @@ #define SYSRQ_ENABLE_BOOT 0x0080 #define SYSRQ_ENABLE_RTNICE 0x0100 +#define SYSRQ_DISABLE_USERSPACE 0x00010000 + struct sysrq_key_op { void (*handler)(int); char *help_msg; 
@@ -43,8 +45,12 @@ struct sysrq_key_op { * are available -- else NULL's). */ +#define SYSRQ_FROM_KERNEL 0x0001 +#define SYSRQ_FROM_PROC 0x0002 +#define SYSRQ_FROM_SYNTHETIC 0x0004 + void handle_sysrq(int key); -void __handle_sysrq(int key, bool check_mask); +void __handle_sysrq(int key, unsigned int from); int register_sysrq_key(int key, struct sysrq_key_op *op); int unregister_sysrq_key(int key, struct sysrq_key_op *op); struct sysrq_key_op *__sysrq_get_key_op(int key); diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c index 82a3b32a7cfc..efee1abf5e8e 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv) return KDB_ARGCOUNT; kdb_trap_printk++; - __handle_sysrq(*argv[1], check_mask); + __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); kdb_trap_printk--; return 0; diff --git a/security/Kconfig b/security/Kconfig index c2aff0006de2..afaf6fa17c9a 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -245,6 +245,15 @@ config LOCK_DOWN_KERNEL_FORCE help Enable the kernel lock down functionality automatically at boot. +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + bool "Allow the kernel lockdown to be lifted by SysRq" + depends on LOCK_DOWN_KERNEL + depends on MAGIC_SYSRQ + depends on X86 + help + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key + combination on a wired keyboard. + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" diff --git a/security/lock_down.c b/security/lock_down.c index 13a8228c1034..cfbc2c39712b 100644 --- a/security/lock_down.c +++ b/security/lock_down.c @@ -11,8 +11,14 @@ #include #include +#include +#include +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ +static __read_mostly bool kernel_locked_down; +#else static __ro_after_init bool kernel_locked_down; +#endif /* * Put the kernel into lock-down mode. 
@@ -57,3 +63,44 @@ bool __kernel_is_locked_down(const char *what, bool first) return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down); + +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + +/* + * Take the kernel out of lockdown mode. + */ +static void lift_kernel_lockdown(void) +{ + pr_notice("Lifting lockdown\n"); + kernel_locked_down = false; +} + +/* + * Allow lockdown to be lifted by pressing something like SysRq+x (and not by + * echoing the appropriate letter into the sysrq-trigger file). + */ +static void sysrq_handle_lockdown_lift(int key) +{ + if (kernel_locked_down) + lift_kernel_lockdown(); +} + +static struct sysrq_key_op lockdown_lift_sysrq_op = { + .handler = sysrq_handle_lockdown_lift, + .help_msg = "unSB(x)", + .action_msg = "Disabling Secure Boot restrictions", + .enable_mask = SYSRQ_DISABLE_USERSPACE, +}; + +static int __init lockdown_lift_sysrq(void) +{ + if (kernel_locked_down) { + lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; + register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); + } + return 0; +} + +late_initcall(lockdown_lift_sysrq); + +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ From patchwork Thu Feb 28 23:11:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834231 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 534A4139A for ; Thu, 28 Feb 2019 23:12:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 40F062FC3B for ; Thu, 28 Feb 2019 23:12:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 31EF92FC45; Thu, 28 Feb 2019 23:12:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, 
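Review bot: in the __handle_sysrq() hunk of drivers/tty/sysrq.c (PATCH 02/27), the new SYSRQ_DISABLE_USERSPACE test only calls printk() and then falls through to the existing "if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask))" block, so nothing in the visible lines stops a SYSRQ_FROM_PROC or SYSRQ_FROM_SYNTHETIC request from reaching op_p->handler(key); whether it runs is left entirely to sysrq_on_mask(). The ban needs to skip the handler, for example by making the following block an else branch so the existing cleanup path is still taken. The printk() should also carry a log level (pr_warn or similar), and the two-line condition would be easier to audit with explicit parentheses around "op_p->enable_mask & SYSRQ_DISABLE_USERSPACE".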
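Review bot: the callers converted from bool check_mask to the new "from" argument (PATCH 02/27, drivers/tty/sysrq.c and kernel/debug/kdb/kdb_main.c) do not all keep their old mask behaviour. handle_sysrq() passed true (mask checked) and now passes SYSRQ_FROM_KERNEL, which short-circuits sysrq_on_mask(); write_sysrq_trigger() passed false (mask not checked, as the retained comment "/proc/sysrq-trigger should not" still says) and now passes SYSRQ_FROM_PROC, which is subject to the mask; kdb_sr() maps "check_mask ? SYSRQ_FROM_KERNEL : 0", the inverse of the old meaning. If these changes are intended, the commit message and the comment above the test should say so; if not, the origin of the request and the decision to check the mask should be carried separately. The literal 0 passed for a physical keypress and for kdb would also read better as a named SYSRQ_FROM_* value.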
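Review bot: in security/lock_down.c (PATCH 02/27), lockdown_lift_sysrq() assigns "lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY" while .help_msg is initialised from the string literal "unSB(x)", so this writes into a string literal; use a writable char array for the message or build it from the macro at compile time. The same file moves kernel_locked_down from __ro_after_init to __read_mostly when CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ is set, which leaves the flag every lockdown check depends on writable for the lifetime of the system; the Kconfig help text should state that trade-off. The strings "unSB(x)" and "Disabling Secure Boot restrictions", and the "disabling secure boot" comment added to sysrq_key_table, describe Secure Boot although the handler lifts lockdown and prints "Lifting lockdown"; they should name lockdown. The Kconfig help also promises "a wired keyboard", while the visible code only distinguishes devices flagged INPUTDEV_FLAGS_SYNTHETIC in uinput_create_device(); the help should describe what is actually enforced.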
Date: Thu, 28 Feb 2019 15:11:39 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-3-matthewgarrett@google.com>
Subject: [PATCH 03/27] Enforce module signatures if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

If the kernel is locked down, require that all modules have valid
signatures that we can verify or that IMA can validate the file.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
     ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If IMA will have validated the image, return 0 (okay).

     (c) If there's no signature or we can't check it, but the kernel is
         locked down then EPERM is returned (this is then consistent with
         other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
     return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not
be valid or might not have been transferred to the kernel's clock yet.

Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
cc: "Lee, Chun-Yi"
cc: James Morris
---
 kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 43 insertions(+), 13 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..afa5489be39f 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -64,6 +64,7 @@ #include #include #include +#include #include #include "module-internal.h" @@ -2765,10 +2766,12 @@ static inline void kmemleak_load_module(const struct module *mod, #endif #ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags) +static int module_sig_check(struct load_info *info, int flags, + bool can_do_ima_check) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* 
@@ -2783,19 +2786,46 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (can_do_ima_check && is_ima_appraise_enabled()) + return 0; + if (kernel_is_locked_down(reason)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ -static int module_sig_check(struct load_info *info, int flags) +static int module_sig_check(struct load_info *info, int flags, + bool can_do_ima_check) { return 0; } @@ -3658,7 +3688,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, /* Allocate and load the module: note that size of section 0 is always zero, and we rely on this for optional sections. */ static int load_module(struct load_info *info, const char __user *uargs, - int flags) + int flags, bool can_do_ima_check) { struct module *mod; long err = 0; @@ -3677,7 +3707,7 @@ static int load_module(struct load_info *info, const char __user *uargs, goto free_copy; } - err = module_sig_check(info, flags); + err = module_sig_check(info, flags, can_do_ima_check); if (err) goto free_copy; 
@@ -3872,7 +3902,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, if (err) return err; - return load_module(&info, uargs, 0); + return load_module(&info, uargs, 0, false); } SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) 
@@ -3899,7 +3929,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) info.hdr = hdr; info.len = size; - return load_module(&info, uargs, flags); + return load_module(&info, uargs, flags, true); } static inline int within(unsigned long addr, void *start, unsigned long size) From patchwork Thu Feb 28 23:11:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834277 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 17E11139A for ; Thu, 28 Feb 2019 23:14:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 06DA62FC2B for ; Thu, 28 Feb 2019 23:14:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EF55A2FC46; Thu, 28 Feb 2019 23:14:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9C57A2FC2B for ; Thu, 28 Feb 2019 23:14:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387569AbfB1XMU (ORCPT ); Thu, 28 Feb 2019 18:12:20 -0500 Received: from mail-io1-f73.google.com ([209.85.166.73]:49654 "EHLO mail-io1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387536AbfB1XMP (ORCPT ); Thu, 28 Feb 2019 18:12:15 -0500 Received: by mail-io1-f73.google.com with SMTP id m15so16830415ioc.16 for ; Thu, 28 Feb 2019 15:12:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
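Review bot: in the decide: path of module_sig_check() (PATCH 03/27, kernel/module.c), "if (can_do_ima_check && is_ima_appraise_enabled()) return 0;" accepts a module with no usable signature because appraisal is enabled in general, not because this file was appraised, and it does so before the kernel_is_locked_down() test. The commit message words case (b) as "If IMA will have validated the image"; the code should either establish that for the file being loaded or drop the branch, since as written a locked-down kernel loads the module whenever that global predicate is true. The cover letter for this series also says the IMA integration has been dropped for now, so the branch and the can_do_ima_check parameter threaded through load_module(), init_module and finit_module need a justification in the commit message or should go. The new block comments should use the usual kernel multi-line style with "/*" on its own line.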
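Review bot: the !CONFIG_MODULE_SIG stub of module_sig_check() (PATCH 03/27, kernel/module.c) gains the can_do_ima_check parameter but still does "return 0;" unconditionally, so in that configuration the lockdown state is never consulted on module load. Either the stub should call kernel_is_locked_down() and return -EPERM like the decide: path does, or the lockdown Kconfig option should depend on or select MODULE_SIG; whichever is chosen, the commit message should say how a kernel built without module signing behaves when locked down.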
s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=aUJ3gj1BGh2zGHelWKN3pyJi6By6RKX30KpBOEKPul4=; b=uFAiskDh5YOvPl+wLevkVOmLyB0rP5MpnZCwM5Cdq4JbKPDNdETsQoQQhPf44rumnx yNlTriZ8CWScxgbvk4IB7DqScGbaOvpuB9L1cBnyzWQskOvnTuuoraiinQfXTSMTy1xK jixUYPfxULbl+s9sUtiE/4Xb+9e4TYMC1uE+yIxfeGXyY2f8NT/vgORFnrnfLeqOoU9s 91bvSj38oHYjHIb8foGtyfqIIOJ/JiBNjAs/+iMgoo9ibZ/94HCKueJVY6hP9gqd+cR/ 8snLOK7GWDKJDb8dpA+mbKRkvOp3sxs434DJE+P7LAeUT9q3NVcvaOMgXaImVFNhK0ex OAbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=aUJ3gj1BGh2zGHelWKN3pyJi6By6RKX30KpBOEKPul4=; b=ZKEd1DSbuunEFNVnV8MSiTedR19QnrgIHKxCmIYTT7o+Dvyh4Vr5TlMaFqEay5QazF Ej2aifps5aGETLNxDt8MpxshuaAEA45dzK3l6g8j3nF0Y0CidaiXTpnBh5f5DZd4N6VX lG22EFJvpbAZMXZgLI4F931P8zAppbrdBL1uYQhiKnh26j33Zj3YTmKzzphvrhJVWqT4 OD7OV0eJthuIn9uo/ZM9hcbRK+vPa2JpcMgQg4Lv1R+qqepaz98oLK8SIpYfJGeFZu7a lZ/6N9vqXz2nENmdp9jI/t07TsIgrq8LtQuEE9gX9akv7YPHnl9MNTWRQFmwOtPmbTJJ hDNA== X-Gm-Message-State: AHQUAuZZvo0DphUVy7BBQk47giPmaBFPMUur/UUAx250rvNxT6/B532n +3k6XmrfCxDtWpfWMwBO2qRRndYL7n7y7CISTshPFw== X-Google-Smtp-Source: AHgI3IZPFemQA10IWAIM85WA3Wk2ejfMHY2C8xWBh3ONcvIJaQsycaliSv/+gptRE7B0MQeSX9bkI0OqVPh1zwISRO0EzQ== X-Received: by 2002:a24:78cb:: with SMTP id p194mr1458351itc.7.1551395534361; Thu, 28 Feb 2019 15:12:14 -0800 (PST) Date: Thu, 28 Feb 2019 15:11:40 -0800 In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com> Message-Id: <20190228231203.212359-4-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190228231203.212359-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 04/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down 
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
---
 drivers/char/mem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..0a2f2e75d5f4 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; }

From patchwork Thu Feb 28 23:11:41 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834233
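Review bot: In open_port() (drivers/char/mem.c, patch 04/27) the lockdown test runs before `capable(CAP_SYS_RAWIO)`, so on a locked-down kernel a caller without the capability is treated as a lockdown denial and not as a plain capability failure. If kernel_is_locked_down() reports each denial, testing the capability first would keep that report for callers who would otherwise have been let in. The commit message names /dev/mem and /dev/kmem but the hunk touches only open_port(); if those devices open through this function, a one-line comment saying so would make the coverage checkable from the diff.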
Date: Thu, 28 Feb 2019 15:11:41 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-5-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 05/27] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation.

This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Dave Young
Reviewed-by: "Lee, Chun-Yi"
Reviewed-by: James Morris
cc: kexec@lists.infradead.org
---
 kernel/kexec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..8ea0ce31271f 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c
@@ -207,6 +207,13 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images")) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions.

From patchwork Thu Feb 28 23:11:42 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834279
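Review bot: In kexec_load_check() (kernel/kexec.c, patch 05/27) the reason string "kexec of unsigned images" implies that a signed image would be accepted, but this check refuses every kexec_load() call once the kernel is locked down, and the commit message says signature checking exists only on the kexec_file_load() path. A string such as "kexec_load() of unverified images" would match what is enforced. The added comment's "in that case" has no antecedent; "when the kernel is locked down" would say what is meant.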
Date: Thu, 28 Feb 2019 15:11:42 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-6-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Dave Young

Kexec reboot in case secure boot being enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot.

Adding a patch to fix this by retaining the secure_boot flag in original kernel.

secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. Fixing this issue by copying secure_boot flag across kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: kexec@lists.infradead.org
---
 arch/x86/kernel/kexec-bzimage64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 53917a3ebf94..58301a11f6da 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -182,6 +182,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;

From patchwork Thu Feb 28 23:11:43 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834235
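Review bot: In setup_efi_state() (arch/x86/kernel/kexec-bzimage64.c, patch 06/27) the new `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early return, so a kexec taken on that path still starts the next kernel without the flag, which is the state the commit message sets out to fix. Move the copy above the early return, or out of the EFI-specific setup altogether, or state why that path does not need it.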
Date: Thu, 28 Feb 2019 15:11:43 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-7-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 07/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:

 (1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors.

 (2) kexec fails with EKEYREJECTED and logs an appropriate message if signature checking is enforced and a signature is not found, uses unsupported crypto or has no matching key.

 (3) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but signature doesn't match - even if in non-forcing mode.

 (4) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode.

 (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode.

]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
cc: Matthew Garrett
cc: Chun-Yi Lee
cc: kexec@lists.infradead.org
---
 arch/x86/Kconfig                       | 20 ++++++++---
 crypto/asymmetric_keys/verify_pefile.c |  4 ++-
 include/linux/kexec.h                  |  4 +--
 kernel/kexec_file.c                    | 48 ++++++++++++++++++++++----
 4 files changed, 61 insertions(+), 15 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 68261430fe6e..710f77a0caef 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2016,20 +2016,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, 
@@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..67f3a866eabe 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
@@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + ret = -EKEYREJECTED; + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,

From patchwork Thu Feb 28 23:11:44 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834275
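Review bot: In the arch/x86/Kconfig hunk of patch 07/27, renaming KEXEC_VERIFY_SIG to KEXEC_SIG changes what an existing configuration means: the old symbol made verification mandatory, while the new one lets unsigned images load unless KEXEC_SIG_FORCE is also set. A configuration that relied on KEXEC_VERIFY_SIG=y no longer enforces signatures unless both new options are enabled by hand. Say so in the commit message and the KEXEC_SIG help text, or keep the old symbol as one that selects both new options.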
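Review bot: In the kimage_file_prepare_segments() hunk of patch 07/27 (kernel/kexec_file.c), the comment above `case -ENODATA:` calls these errors non-fatal "if we're not checking errors", which presumably should read "if we're not enforcing signatures"; as written it does not say which results may be ignored. The `decide:` label placed inside the `-ENOKEY` arm and reached by `goto` from the two arms above it is also easy to misread. A small helper that maps ret to a reason string, followed by a single `if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE))` block, would state the policy once.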
Date: Thu, 28 Feb 2019 15:11:44 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-8-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Jiri Bohac

When KEXEC_SIG is not enabled, kernel should not load images through kexec_file system call if the kernel is locked down unless IMA can be used to validate the image.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
Cc: Matthew Garrett
cc: Chun-Yi Lee
cc: kexec@lists.infradead.org
---
 include/linux/ima.h | 6 ++++++
 kernel/kexec_file.c | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..b35ed0725a05 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,4 +127,10 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +static inline bool is_ima_kexec_appraise_enabled(void) +{ + return IS_ENABLED(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS); +} + #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 67f3a866eabe..b4e938dff4be 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c
@@ -239,6 +239,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + if (is_ima_kexec_appraise_enabled()) + break; + + if (kernel_is_locked_down(reason)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable

From patchwork Thu Feb 28 23:11:45 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834273
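Review bot: In the kimage_file_prepare_segments() hunk of patch 08/27, the lockdown check is skipped whenever is_ima_kexec_appraise_enabled() returns true, and that helper (include/linux/ima.h hunk) only evaluates `IS_ENABLED(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS)`. That is a build-time fact, not evidence that IMA appraised this particular image. Either test the runtime appraisal state here, or document why the config option alone guarantees the image was verified, and rename the helper so it does not read as a runtime query.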
Date: Thu, 28 Feb 2019 15:11:45 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-9-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 09/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-pm@vger.kernel.org
---
 kernel/power/hibernate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..802795becb88 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } /**

From patchwork Thu Feb 28 23:11:46 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834271
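Review bot: In hibernation_available() (kernel/power/hibernate.c, patch 09/27) the lockdown test, with its reason string "Hibernation", is now part of a predicate that callers use to ask whether hibernation can be offered at all. If kernel_is_locked_down() reports a denial when it returns true, that report is then triggered by availability queries and not only by an actual hibernate request. Consider a non-reporting lockdown test in this predicate and the reporting one at the point where hibernation is attempted.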
Date: Thu, 28 Feb 2019 15:11:46 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-10-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 10/27] uswsusp: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
Reviewed-by: James Morris
cc: linux-pm@vger.kernel.org
---
 kernel/power/user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/power/user.c b/kernel/power/user.c index 2d8b60a3c86b..0305d513c274 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c 
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down("/dev/snapshot")) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { 

From patchwork Thu Feb 28 23:11:47 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834237
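
Review bot: The new kernel_is_locked_down("/dev/snapshot") test in snapshot_open() sits directly after `if (!hibernation_available()) return -EPERM;`, and the hibernate.c change earlier in this series already makes hibernation_available() return false under lockdown, so with both applied this branch cannot be reached when the kernel is locked down. Either drop it, or add a comment that it is deliberate defence in depth, for example in case the hibernation check is later relaxed for signed images while uswsusp stays blocked.
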
Date: Thu, 28 Feb 2019 15:11:47 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-11-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 11/27] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Bjorn Helgaas
Reviewed-by: "Lee, Chun-Yi"
cc: linux-pci@vger.kernel.org
---
 drivers/pci/pci-sysfs.c | 9 +++++++++
 drivers/pci/proc.c | 9 ++++++++-
 drivers/pci/syscall.c | 3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9ecfe13157c0..40c14574fcf8 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; @@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } 
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..1549cdd0710e 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..b8a08d3166a1 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c 
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); 

From patchwork Thu Feb 28 23:11:48 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834239
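
Review bot: In proc_bus_pci_ioctl() (drivers/pci/proc.c) the lockdown check is placed ahead of `switch (cmd)`, so it also refuses PCIIOC_CONTROLLER, which in the visible context only returns pci_domain_nr(dev->bus) and changes no device state. If the intent is to block the mmap-related ioctls, move the check into those cases, or say in the commit message that the read-only query is refused on purpose. Separately, the literal "Direct PCI access" is now repeated at seven call sites across three files; a shared macro or small helper would keep the wording from drifting.
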
Date: Thu, 28 Feb 2019 15:11:48 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-12-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 12/27] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: Thomas Gleixner
Reviewed-by: "Lee, Chun-Yi"
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..abc702a6ae9c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; /* 
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl")) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | 

From patchwork Thu Feb 28 23:11:49 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834269
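
Review bot: The commit message says this change also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls, but nothing in the ksys_ioperm() hunk records that dependency. A one-line comment at the new check in arch/x86/kernel/ioport.c would stop a later refactor of those ioctls from bypassing it unnoticed. The reason strings "ioperm" and "iopl" are also terser than the descriptive ones used elsewhere in the series (for example "Direct PCI access"); consider matching that style.
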
Date: Thu, 28 Feb 2019 15:11:49 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-13-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 13/27] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook.

MSR accesses are logged for the purposes of building up a whitelist as per Alan Cox's suggestion.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Kees Cook
Reviewed-by: Thomas Gleixner
Reviewed-by: "Lee, Chun-Yi"
cc: x86@kernel.org
---
 arch/x86/kernel/msr.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..f5a2cf07972f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", reg); + return -EPERM; + } + if (count % 8) return -EINVAL; /* Invalid chunk size */ 
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; 

From patchwork Thu Feb 28 23:11:50 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834267
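
Review bot: Both pr_info("Direct access to MSR %x\n", ...) calls, in msr_write() and msr_ioctl(), fire on every refused request with no rate limit, so a process that retries in a loop can fill the kernel log; pr_info_ratelimited() would keep the whitelist-building data without that cost. In msr_write() the check also runs before the `count % 8` validation, so malformed writes are logged as well. The message text does not say the access was denied, and %x without a 0x prefix is easy to misread as decimal; wording along the lines of "Direct write to MSR 0x%x denied" would be clearer.
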
Date: Thu, 28 Feb 2019 15:11:50 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-14-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/custom_method.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 4451877f83b6..ac8a90dc7096 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c 
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (kernel_is_locked_down("ACPI custom methods")) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) 

From patchwork Thu Feb 28 23:11:51 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834265
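
Review bot: The check in cm_write() (drivers/acpi/custom_method.c) is evaluated on every write call, including continuation chunks where *ppos is non-zero, and the file can still be opened for writing under lockdown. Rejecting earlier, at open time, would fail sooner and keep the test off the per-chunk path. If the per-write placement is deliberate, for example because lockdown may be enabled after the file was opened, a short comment saying so would help.
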
Date: Thu, 28 Feb 2019 15:11:51 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-15-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Josh Boyer

This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: Dave Young
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/osl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..3e44cef7a0cd 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c 
@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer(); 

From patchwork Thu Feb 28 23:11:52 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834263
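
Review bot: The subject says the acpi_rsdp parameter is ignored while the body says "Reject the option", and the code in acpi_os_get_root_pointer() does the former: it falls through to acpi_arch_get_root_pointer() with no message of its own at this call site. Align the commit text with the behaviour, and consider a pr_notice() here like the one the ACPI table override patch in this series adds, so a user who passed acpi_rsdp= can tell it was dropped.
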
Date: Thu, 28 Feb 2019 15:11:52 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-16-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..f3b4117cd8f3 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c
@@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE);
From patchwork Thu Feb 28 23:11:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834261
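Review bot: The added pr_notice() in acpi_table_upgrade() repeats the reason already handed to kernel_is_locked_down("ACPI table override"); the other hunks shown here refuse without a second message. If kernel_is_locked_down() reports the string it is given, drop the pr_notice(), otherwise say in a comment why this site needs its own line. The test also sits after the table_nr == 0 early return, so override tables have been counted before they are refused; that keeps the message off systems with no override tables, which is worth stating. The commit message still says "When securelevel is set" while the code tests lockdown; the wording should match.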
Date: Thu, 28 Feb 2019 15:11:53 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-17-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Linn Crosetto

ACPI provides an error injection mechanism, EINJ, for debugging and testing the ACPI Platform Error Interface (APEI) and other RAS features. If supported by the firmware, ACPI specification 5.0 and later provide for a way to specify a physical memory address to which to inject the error.

Injecting errors through EINJ can produce errors which to the platform are indistinguishable from real hardware errors. This can have undesirable side-effects, such as causing the platform to mark hardware as needing replacement.

While it does not provide a method to load unauthenticated privileged code, the effect of these errors may persist across reboots and affect trust in the underlying hardware, so disable error injection through EINJ if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/apei/einj.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c index fcccbfdbdd1a..9fe6bbab2e7d 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, int rc; u64 base_addr, size; + if (kernel_is_locked_down("ACPI error injection")) + return -EPERM; + /* If user manually set "flags", make sure it is legal */ if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
From patchwork Thu Feb 28 23:11:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834241
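Review bot: The early return at the top of einj_error_inject() carries no comment, and this is the restriction whose rationale differs from the rest: the commit message itself says EINJ "does not provide a method to load unauthenticated privileged code". Suggest a one-line comment above the check recording that the concern is injected errors that persist across reboots and affect trust in the hardware, so the check is not later dropped as out of scope for lockdown. Placing it ahead of the flags validation is right, since the result does not depend on the arguments.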
Date: Thu, 28 Feb 2019 15:11:54 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-18-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 18/27] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down.

Suggested-by: Dominik Brodowski
Signed-off-by: David Howells
cc: linux-pcmcia@lists.infradead.org
---
 drivers/pcmcia/cistpl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..8adf092d0e18 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + if (kernel_is_locked_down("Direct PCMCIA CIS storage")) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); if (off)
From patchwork Thu Feb 28 23:11:55 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834259
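Review bot: The commit message for this pccard_store_cis() change gives no reason why replacing the CIS has to be refused under lockdown; it only restates the subject line. Suggest one sentence on what a replaced Card Information Structure lets the writer influence, in the way the neighbouring patches explain their interfaces. The check itself is well placed, ahead of to_socket() and the off test, so the write is refused before any of it is examined.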
Date: Thu, 28 Feb 2019 15:11:55 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-19-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 19/27] Lock down TIOCSSERIAL
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error.

Reported-by: Greg Kroah-Hartman
Signed-off-by: David Howells
cc: Jiri Slaby
---
 drivers/tty/serial/serial_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 556f50aa1b58..627e859ae25a 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c
@@ -852,6 +852,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { + retval = -EPERM; + goto exit; + } + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port ||
From patchwork Thu Feb 28 23:11:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834257
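Review bot: The reason string in uart_set_info() mentions "dma channels", but the condition only tests change_port || change_irq, and the commit message speaks of ioport and irq settings only. Either trim the string to what is enforced or extend the condition if a DMA setting can be changed through this path. Also consider moving the block below the !capable(CAP_SYS_ADMIN) test that follows it, so a caller without the capability is refused by the existing check rather than by the lockdown one.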
Date: Thu, 28 Feb 2019 15:11:56 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-20-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 20/27] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells --- kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..8ac751c938f8 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } 
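Review bot: param_check_unsafe() gains a second argument, const char *doing, that the body shown never reads: the lockdown branch passes a fixed string to kernel_is_locked_down() and the taint branch uses only kp->name. Either drop the parameter or use it in the message. The function name also no longer matches its job now that a false return makes parse_one() fail with -EPERM; a name covering both the taint and the lockdown refusal would read better at the call sites.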
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, 
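Review bot: The CONFIG_MODULES form of mod_name() expands to (mod)->name with no outer parentheses; write it as ((mod)->name) so the macro is safe inside any expression. In the lines shown its value is only passed as the doing argument of param_check_unsafe(), so the macro should go away if that argument is dropped.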
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len;
From patchwork Thu Feb 28 23:11:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834255
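Review bot: In param_attr_store() the refusal is triggered by a sysfs write, yet the string handed to kernel_is_locked_down() inside param_check_unsafe() reads "Command line-specified device addresses, irqs and dma channels". Suggest wording that fits both callers, or building the message from the mod_name(mk->mod) value this call already passes. The new -EPERM is also indistinguishable from the return -EPERM in the context just above it; if userspace needs to tell a lockdown refusal from a permission failure, that deserves a note in the commit message.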
Date: Thu, 28 Feb 2019 15:11:57 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-21-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 21/27] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space.

Suggested-by: Thomas Gleixner
Signed-off-by: David Howells
cc: Steven Rostedt
cc: Ingo Molnar
cc: "H. Peter Anvin"
cc: x86@kernel.org
---
 arch/x86/mm/testmmiotrace.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index f6ae6830b341..bbaad357f5d7 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c
@@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing")) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
From patchwork Thu Feb 28 23:11:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834253
Date: Thu, 28 Feb 2019 15:11:58 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-22-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 22/27] Lock down /proc/kcore
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data.

Signed-off-by: David Howells
Reviewed-by: James Morris
---
 fs/proc/kcore.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index bbcc185062bb..d50ebfbf3dbb 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c
@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore")) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM;
From patchwork Thu Feb 28 23:11:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834243
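Review bot: In open_kcore() the lockdown test is placed ahead of the capable(CAP_SYS_RAWIO) test, so a caller without the capability reaches kernel_is_locked_down("/proc/kcore") first. Testing the capability first would leave unprivileged opens on the existing -EPERM path and reserve the lockdown path for callers who would otherwise have been allowed in. A blank line between the two tests would also match the spacing of the other hunks shown here.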
Date: Thu, 28 Feb 2019 15:11:59 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-23-matthewgarrett@google.com>
Subject: [PATCH 23/27] Lock down kprobes
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Disallow the creation of kprobes when the kernel is locked down by
preventing their registration. This prevents kprobes from being used to
access kernel memory, either to make modifications or to steal crypto data.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
---
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c index f4ddfdd2d07e..6f66cca8e2c6 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr))
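Review bot: The check added at the top of register_kprobe() has no comment, and it makes -EPERM a new return value for every caller of this function, returned before kprobe_addr(p) has looked at the probe address at all. Add a short comment above it giving the reason from the commit message (kprobes can be used to read or modify kernel memory), so the early return is not mistaken for argument validation. The reason string "Use of kprobes" is also worded differently from the object-style strings used in the rest of the series ("/proc/kcore", "BPF", "debugfs"); a consistent form makes the resulting log lines easier to match.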
Date: Thu, 28 Feb 2019 15:12:00 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-24-matthewgarrett@google.com>
Subject: [PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

There are some bpf functions that can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 8577bb7f8be6..e78dbe5473c9 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -2593,6 +2593,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err;
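Review bot: The test added to the bpf() syscall entry does not look at cmd, so on a locked-down kernel every bpf command returns -EPERM, while the commit message names only three helpers (bpf_probe_read, bpf_probe_write_user, bpf_trace_printk) as the source of the leak. If refusing everything is the intent, say so in a comment at the check and explain why gating those helpers alone is not enough; otherwise move the restriction to the point where those helpers are made available to a program. The placement after the sysctl_unprivileged_bpf_disabled test is good, since callers refused there never reach the lockdown check.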
Date: Thu, 28 Feb 2019 15:12:01 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-25-matthewgarrett@google.com>
Subject: [PATCH 25/27] Lock down perf
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Disallow the use of certain perf facilities that might allow userspace to
access kernel data.

Signed-off-by: David Howells
---
 kernel/events/core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c index 26d6edab051a..4265ce43bca4 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c
@@ -10477,6 +10477,11 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) + /* REGS_INTR can leak data, lockdown must prevent this */ + return -EPERM; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
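Review bot: The comment sits between the unbraced two-line if condition and its return -EPERM, which makes the statement body easy to misread and fragile under later edits; move the comment above the if, as the PERF_SAMPLE_PHYS_ADDR check just below does, or put the body in braces. The commit message speaks of "certain perf facilities", yet the only case handled is attr.sample_type & PERF_SAMPLE_REGS_INTR, so the message or the comment should state that REGS_INTR is the whole scope of this change and why the other sample types are considered safe under lockdown.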
Date: Thu, 28 Feb 2019 15:12:02 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-26-matthewgarrett@google.com>
Subject: [PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Disallow opening of debugfs files that might be used to muck around when
the kernel is locked down as various drivers give raw access to hardware
through debugfs. Given the effort of auditing all 2000 or so files and
manually fixing each one as necessary, I've chosen to apply a heuristic
instead. The following changes are made:

 (1) chmod and chown are disallowed on debugfs objects (though the root dir
     can be modified by mount and remount, but I'm not worried about that).

 (2) When the kernel is locked down, only files with the following criteria
     are permitted to be opened:

     - The file must have mode 00444
     - The file must not have ioctl methods
     - The file must not have mmap

 (3) When the kernel is locked down, files may only be opened for reading.

Normal device interaction should be done through configfs, sysfs or a
miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(),
show_devs() and show_call() in the asus-wmi driver.

I would actually prefer to lock down all files by default and have the
files unlocked by the creator. This is tricky to manage correctly, though,
as there are 19 creation functions and ~1600 call sites (some of them in
loops scanning tables).

Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
---
 fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
 2 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..c33042c1eff3 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return kernel_is_locked_down("debugfs"); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 29c68c5d44d5..3a62dbfd3840 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c 
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && + kernel_is_locked_down("debugfs")) + return -EPERM; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -516,7 +542,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
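Review bot: debugfs_setattr() refuses ATTR_MODE, ATTR_UID and ATTR_GID changes only when kernel_is_locked_down("debugfs") is true, but the open-time heuristic in fs/debugfs/file.c trusts whatever i_mode the inode has at that moment. A mode changed to 0444 while the kernel was not yet locked down is therefore later treated as if the file's creator had chosen it. If lockdown can be enabled after userspace has started, either refuse these attribute changes unconditionally, which is how item (1) of the commit message reads, or record the creation mode separately and test that instead. The three new inode_operations tables are also declared back to back; a blank line between them would match the surrounding code.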
@@ -611,7 +637,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry);
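Review bot: In fs/debugfs/file.c the comment above debugfs_is_locked_down() says "world-readable files", but the test is (inode->i_mode & 07777) == 0444, an exact match. A read-only file created with mode 0400 or 0440 is refused under lockdown although it is more restrictive than 0444, so the comment should say "mode exactly 0444" to agree with the code and with item (2) of the commit message. The notice also passes the fixed string "debugfs", so the log line will not say which file was refused in open_proxy_open() or full_proxy_open(); including the dentry name would make the message actionable.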
Date: Thu, 28 Feb 2019 15:12:03 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-27-matthewgarrett@google.com>
Subject: [PATCH 27/27] lockdown: Print current->comm in restriction messages
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Print the content of current->comm in messages generated by lockdown to
indicate a restriction that was hit. This makes it a bit easier to find
out what caused the message.

The message is now patterned something like:

    Lockdown: : is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells
---
 security/lock_down.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/lock_down.c b/security/lock_down.c index cfbc2c39712b..5243b55b3c1f 100644 --- a/security/lock_down.c +++ b/security/lock_down.c
@@ -58,8 +58,8 @@ void __init init_lockdown(void) bool __kernel_is_locked_down(const char *what, bool first) { if (what && first && kernel_locked_down) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - what); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, what); return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down);
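Review bot: current->comm in the new pr_notice() is a name the task can set for itself (prctl(PR_SET_NAME)), so the added field is caller-controlled text in the kernel log and cannot be relied on to identify which process hit the restriction. Print the pid alongside it, for example task_pid_nr(current), and say in the commit message that comm is a hint only, so that anyone alerting on these lines keys on the "what" string and the pid rather than on the process name.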