From patchwork Tue Mar 26 18:27:17 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871989 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A4DBC17E0 for ; Tue, 26 Mar 2019 18:30:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8F56D28C46 for ; Tue, 26 Mar 2019 18:30:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 837A128C5E; Tue, 26 Mar 2019 18:30:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9B02928C46 for ; Tue, 26 Mar 2019 18:30:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732061AbfCZS17 (ORCPT ); Tue, 26 Mar 2019 14:27:59 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:53746 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732554AbfCZS17 (ORCPT ); Tue, 26 Mar 2019 14:27:59 -0400 Received: by mail-pg1-f201.google.com with SMTP id f7so104527pgi.20 for ; Tue, 26 Mar 2019 11:27:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=z0heVlIJ2WOboYO239ZlPpbeGlyknUedDglqO7JseJY=; b=qpR+NIwT8Gcrwrm/TqQT6GJ/IkgWV3CJP/nJ3JtlKRmAcIwsd49/d524LAr+EliXmw Luz0y9TJViOMtQg6hk/JewnaKHYwm0Um1y6t4QYmJgTQjmFNcj/MayT0yAMLzzSPEVnd 
leBXn3j8MSROSTbRoVVKkY+e8M8tKRE2UgyB9c9SK9tnlSHRIyVuZ0BDshxhky5c0sey a8nKkl3pGDLkuSHk96aB0XTYzcCzsNu3WaAutlPYwyeFbArJZ0ii9UjeGJeHHHw50GKC /80XEsiVFScnL2Zow0kofc5Az05USCfMPJyE3g2uy7GM7ZoftDYTxYDC7aA7Ma9B/5S3 IHaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=z0heVlIJ2WOboYO239ZlPpbeGlyknUedDglqO7JseJY=; b=sI0TtFxYiIrxJzZrOsou0ZRFkdOrmERQcKUadyZqHbWToPXDLuA1YeAxIWFwBJg5sf o5xsvYXxtBK/0ELOx4hk21TWyxrKwbbvyv8H59r3/wDA8mqzcxz0HHju9LNQlVnpzuzc hZGv3WePiLjbMW2SWcdCJeWuk86pLewePhsKznv85x/18TD0KGrt8KS4ZP9a4Iy0mO/a du5BLOybTFdl8FXdTCrsHev3omfmqWN/EKxWB7q95AbHJ1oGCOF3At74zSJzzlSACc+X bpOFxWMjVJtft4HPIf7a8+/m6EsJ8L/cLg29FOdL0QwtrP/RSOEMpURMVrb8jQ9rA2L2 HCIA== X-Gm-Message-State: APjAAAX8/safrya7leJEdkxQr0YLpeNJWconOUpDVsxQ4EFFGQWmOqUq DWpOItkEPVQZn5yVsEbPQIXWPuhVW9c4WI/1ukgC9g== X-Google-Smtp-Source: APXvYqzBqWJTBIDaoorokWZU9klUcr5ee1hPeO3KvlYm/BIcoNSti6Bf78ubqcUFXKUiDU9mLchOup4y/vlIFW4OQrSdAA== X-Received: by 2002:a63:6c01:: with SMTP id h1mr30191165pgc.330.1553624878066; Tue, 26 Mar 2019 11:27:58 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:17 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-2-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 01/25] Add the ability to lock down access to the running kernel image From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP 
From: David Howells Provide a single call to allow kernel code to determine whether the system should be locked down, thereby disallowing various accesses that might allow the running kernel image to be changed including the loading of modules that aren't validly signed with a key we recognise, fiddling with MSR registers and disallowing hibernation. Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- Documentation/ABI/testing/lockdown | 19 +++ .../admin-guide/kernel-parameters.txt | 9 ++ include/linux/kernel.h | 28 ++++ include/linux/security.h | 9 +- init/main.c | 1 + security/Kconfig | 39 +++++ security/Makefile | 3 + security/lock_down.c | 147 ++++++++++++++++++ 8 files changed, 254 insertions(+), 1 deletion(-) create mode 100644 Documentation/ABI/testing/lockdown create mode 100644 security/lock_down.c diff --git a/Documentation/ABI/testing/lockdown b/Documentation/ABI/testing/lockdown new file mode 100644 index 000000000000..5bd51e20917a --- /dev/null +++ b/Documentation/ABI/testing/lockdown @@ -0,0 +1,19 @@ +What: security/lockdown +Date: March 2019 +Contact: Matthew Garrett +Description: + If CONFIG_LOCK_DOWN_KERNEL is enabled, the kernel can be + moved to a more locked down state at runtime by writing to + this attribute. Valid values are: + + integrity: + The kernel will disable functionality that allows + userland to modify the running kernel image, other + than through the loading or execution of appropriately + signed objects. + + confidentiality: + The kernel will disable all functionality disabled by + the integrity mode, but additionally will disable + features that potentially permit userland to obtain + confidential information stored within the kernel. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 91c0251fdb86..594d268d92ba 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2213,6 +2213,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 8f0e68e250a7..30cf695719d5 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -340,6 +340,34 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) { } #endif +enum lockdown_level { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY, + LOCKDOWN_CONFIDENTIALITY, + LOCKDOWN_MAX, +}; + +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern bool __kernel_is_locked_down(const char *what, + enum lockdown_level level, + bool first); +#else +static inline bool __kernel_is_locked_down(const char *what, + enum lockdown_level level, + bool first) +{ + return false; +} +#endif + +#define kernel_is_locked_down(what, level) \ + ({ \ + static bool message_given; \ + bool locked_down = __kernel_is_locked_down(what, level, !message_given); \ + message_given = true; \ + locked_down; \ + }) + /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h index 13537a49ae97..b290946341a4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -1798,5 +1798,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_BPF_SYSCALL */ -#endif /* ! __LINUX_SECURITY_H */ +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern void __init init_lockdown(void); +#else +static inline void __init init_lockdown(void) +{ +} +#endif +#endif /* ! __LINUX_SECURITY_H */ diff --git a/init/main.c b/init/main.c index e2e80ca3165a..4c6cca9681c7 100644 --- a/init/main.c +++ b/init/main.c @@ -555,6 +555,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + init_lockdown(); setup_arch(&command_line); /* * Set up the the initial canary and entropy after arch diff --git a/security/Kconfig b/security/Kconfig index 1d6463fb1450..593ff231eac6 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -229,6 +229,45 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help + Allow the kernel to be locked down. If lockdown support is enabled + and activated, the kernel will impose additional restrictions + intended to prevent uid 0 from being able to modify the running + kernel. This may break userland applications that rely on low-level + access to hardware. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on LOCK_DOWN_KERNEL + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" diff --git a/security/Makefile b/security/Makefile index c598b904938f..5ff090149c88 100644 --- a/security/Makefile +++ b/security/Makefile @@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Allow the kernel to be locked down +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o 
diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 index 000000000000..0f9ef4c30aa8 --- /dev/null +++ b/security/lock_down.c 
@@ -0,0 +1,147 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include + +static enum lockdown_level kernel_locked_down; + +char *lockdown_levels[LOCKDOWN_MAX] = {"none", "integrity", "confidentiality"}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_level level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/* + * This must be called before arch setup code in order to ensure that the + * appropriate default can be applied without being overridden by the command + * line option. 
+ */ +void __init init_lockdown(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY); +#endif +} + +/** + * kernel_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +bool __kernel_is_locked_down(const char *what, enum lockdown_level level, + bool first) +{ + if ((kernel_locked_down >= level) && what && first) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + what); + return (kernel_locked_down >= level); +} +EXPORT_SYMBOL(__kernel_is_locked_down); + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset=0; + + for (i = LOCKDOWN_NONE; i < LOCKDOWN_MAX; i++) { + if (lockdown_levels[i]) { + const char *label = lockdown_levels[i]; + + if (kernel_locked_down == i) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = 0; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < LOCKDOWN_MAX; i++) { + const char *label = lockdown_levels[i]; + + if (label && len == strlen(label) && !strncmp(state, label, len)) + err = lock_kernel_down("securityfs", i); + } + + kfree(state); + return err ? 
err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0660, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); From patchwork Tue Mar 26 18:27:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871929 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 242CA13B5 for ; Tue, 26 Mar 2019 18:28:06 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0F52928DD7 for ; Tue, 26 Mar 2019 18:28:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0359A28DF9; Tue, 26 Mar 2019 18:28:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9122B28DD7 for ; Tue, 26 Mar 2019 18:28:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732577AbfCZS2E (ORCPT ); Tue, 26 Mar 2019 14:28:04 -0400 Received: from mail-ot1-f74.google.com ([209.85.210.74]:55892 "EHLO mail-ot1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732564AbfCZS2B (ORCPT ); Tue, 26 Mar 2019 14:28:01 -0400 Received: by mail-ot1-f74.google.com with SMTP id d38so8834789otb.22 for ; Tue, 26 Mar 2019 11:28:01 
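Review bot: The Documentation/ABI/testing/lockdown entry should state that the level can only be raised, never lowered. lock_kernel_down() in security/lock_down.c returns -EPERM whenever the requested level is not strictly above the current one, so writing `integrity` to a kernel already in confidentiality mode fails, writing the current level fails, and nothing written to this attribute can take the kernel back to `none`. A sentence such as "Writes can only move the kernel to a stricter mode; the level cannot be lowered at runtime" would save administrators a surprise and matches what the code actually does.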
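Review bot: In the kernel_is_locked_down() macro added to include/linux/kernel.h, `message_given = true;` runs on every evaluation, including evaluations made while the kernel is not locked down, so a call site that is exercised before lockdown is enabled at runtime through securityfs never logs its notice afterwards: `first` is already false by the time __kernel_is_locked_down() would print. Set the flag only when the check actually fired, e.g. `if (locked_down) message_given = true;`. The flag is also a plain static bool with no synchronisation; that is acceptable for a once-only notice, but a comment saying so would stop someone "fixing" it with an atomic later.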
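Review bot: The init/main.c hunk places init_lockdown() before setup_arch(), which is where the command line is parsed, so the Kconfig default is applied first and a `lockdown=` parameter can afterwards only raise the level, because lock_kernel_down() refuses to lower it. The comment in security/lock_down.c says the default must not be "overridden by the command line option", which holds only because of that refusal; a one-line comment at the call in start_kernel() explaining why this must precede setup_arch() would protect the ordering from the next early-init reshuffle.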
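Review bot: In lockdown_write() in security/lock_down.c, `len = strlen(state); if (state[len-1] == '\n')` indexes one byte before the buffer when the write is empty (n == 0 gives len == 0); guard it with `if (len && state[len-1] == '\n')`. The same function also treats an unrecognised value as success: `err` is initialised to 0 and only assigned when a label matches, so a write of any other string returns n and the caller sees no error. Initialise err to -EINVAL, or return -EINVAL when the loop finds no match. Two smaller points: `char *lockdown_levels[LOCKDOWN_MAX]` is neither static nor const and should be `static const char *const lockdown_levels[LOCKDOWN_MAX]`, and lockdown_read() builds its output with sprintf() into a fixed `char temp[80]`; the present labels fit, but scnprintf() with sizeof(temp) removes the dependence on label lengths.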
Date: Tue, 26 Mar 2019 11:27:18 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-3-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 02/25] Enforce module signatures if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Jessica Yu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got. Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.] Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Jessica Yu --- kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..deea9d2763f8 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* 
@@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) From patchwork Tue Mar 26 18:27:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871987 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id ACB361669 for ; Tue, 26 Mar 2019 18:30:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9857928C46 for ; Tue, 26 Mar 2019 18:30:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8C88028C53; Tue, 26 Mar 2019 18:30:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3921028C46 for ; Tue, 26 Mar 2019 18:30:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732564AbfCZS2E (ORCPT ); Tue, 26 Mar 2019 14:28:04 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:55189 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732576AbfCZS2D (ORCPT ); Tue, 26 Mar 2019 14:28:03 -0400 Received: by mail-vk1-f201.google.com with SMTP id r132so697089vke.21 for ; Tue, 26 Mar 2019 11:28:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=J/O8uCPgOG3C0ZxSZ9IB3rxgWx3qFX62jDUsj+e+998=; 
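Review bot: In the second kernel/module.c hunk, the -ENODATA, -ENOPKG and -ENOKEY cases all funnel into the single `kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)` call at the `decide:` label. kernel_is_locked_down() is a macro with a per-call-site `static bool message_given`, so only the first reason that reaches this line is ever logged: once an unsigned module has been refused, a later module with unsupported crypto or an unavailable key is refused silently. Either call __kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY, true) directly here, or give each case its own kernel_is_locked_down() call so each reason keeps its one-time notice. The `decide:` label inside a case body is legal but unusual in kernel code; a comment above the switch saying the three cases deliberately share one decision path would help readers.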
Date: Tue, 26 Mar 2019 11:27:19 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-4-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 03/25] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , x86@kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: x86@kernel.org
--- drivers/char/mem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..67b85939b1bd 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port", LOCKDOWN_INTEGRITY)) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } From patchwork Tue Mar 26 18:27:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871985 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 081EC1669 for ; Tue, 26 Mar 2019 18:30:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6F6628C46 for ; Tue, 26 Mar 2019 18:30:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D877628C53; Tue, 26 Mar 2019 18:30:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7962B28C46 for ; Tue, 26 Mar 2019 18:30:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732249AbfCZSa0 (ORCPT ); Tue, 26 Mar 2019 14:30:26 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:36123 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732592AbfCZS2G (ORCPT ); Tue, 26 Mar 2019 14:28:06 -0400 Received: by mail-vs1-f74.google.com with SMTP id l4so1796649vsq.3 for ; Tue, 26 Mar 2019 11:28:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
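Review bot: In open_port() in drivers/char/mem.c the lockdown check runs before the capable(CAP_SYS_RAWIO) test, so an unprivileged open of one of these devices on a locked-down kernel logs the "Lockdown: /dev/mem,kmem,port is restricted" notice even though the capability check would have refused it anyway; testing capable() first keeps the notice for callers that would otherwise have succeeded, which is the case an administrator wants to see. The hunk only touches open_port() while the commit message covers /dev/mem and /dev/kmem as well; a comment at the check (or a sentence in the commit message) saying that those devices share this open handler would make the scope of the change visible without reading the rest of mem.c.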
Date: Tue, 26 Mar 2019 11:27:20 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-5-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 04/25] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Dave Young , kexec@lists.infradead.org

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Dave Young
cc: kexec@lists.infradead.org
--- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..57047acc9a36 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c
@@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images", + LOCKDOWN_INTEGRITY)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. From patchwork Tue Mar 26 18:27:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871931 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CA0DB13B5 for ; Tue, 26 Mar 2019 18:28:10 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B6DB728DD7 for ; Tue, 26 Mar 2019 18:28:10 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AB4F128DF9; Tue, 26 Mar 2019 18:28:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 556E728DD7 for ; Tue, 26 Mar 2019 18:28:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732614AbfCZS2J (ORCPT ); Tue, 26 Mar 2019 14:28:09 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:33598 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732608AbfCZS2J (ORCPT ); Tue, 26 Mar 2019 14:28:09 -0400 Received: by mail-vs1-f74.google.com with SMTP id r17so3899412vsk.0 for ; Tue, 26 
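Review bot: The comment above the new check in kexec_load_check() in kernel/kexec.c gives "circumvent module loading restrictions" as the reason, but the reason string passed to kernel_is_locked_down() is "kexec of unsigned images", which names the property actually at stake: kexec_load() accepts an image without any signature verification, so it is refused at LOCKDOWN_INTEGRITY whether or not module signing is enforced. Aligning the comment with the string, and noting there (as the commit message does) that kexec_file_load() is unaffected because it can verify the image, would make the intent clear at the call site rather than only in the changelog.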
From patchwork Tue Mar 26 18:27:21 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871931
Date: Tue, 26 Mar 2019 11:27:21 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-6-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 05/25] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Dave Young , Matthew Garrett , kexec@lists.infradead.org

From: Dave Young

A kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot. Adding a patch to fix this by retaining the secure_boot flag from the original kernel. The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fixing this issue by copying the secure_boot flag across kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: kexec@lists.infradead.org

--- arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 278cd07228dd..d49554b948fd 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;
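Review bot: the new `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early return in setup_efi_state(), so on an EFI_OLD_MEMMAP boot the flag is never copied and the kexec'd kernel again comes up believing secure boot is off, which is exactly the gap the commit message describes. Either move the assignment above the early return, or say in the commit message why the old-memmap path is intentionally left out.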
From patchwork Tue Mar 26 18:27:22 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871933
Date: Tue, 26 Mar 2019 11:27:22 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-7-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Jiri Bohac , Matthew Garrett , kexec@lists.infradead.org

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:

(1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors.

(2) kexec fails with EKEYREJECTED and logs an appropriate message if signature checking is enforced and a signature is not found, uses unsupported crypto or has no matching key.

(3) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but signature doesn't match - even if in non-forcing mode.

(4) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode.

(5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode. ]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac cc: kexec@lists.infradead.org --- arch/x86/Kconfig | 20 ++++++++--- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 48 ++++++++++++++++++++++---- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 4b4a7f32b68e..735d04a4b18f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2016,20 +2016,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c 
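Review bot: the new KEXEC_SIG help text says that a signature "that we can check" must be valid even without KEXEC_SIG_FORCE, but it does not say what happens for a signature that cannot be checked (unsupported crypto, no matching key); the commit message lists those as non-fatal in non-forcing mode, so add a sentence to the help text saying so, because that is the case users who rely on KEXEC_SIG alone need to understand. Also, since KEXEC_SIG_FORCE depends on KEXEC_SIG and KEXEC_BZIMAGE_VERIFY_SIG now depends on KEXEC_SIG, an existing config that carried KEXEC_VERIFY_SIG=y silently loses enforcement after the rename; a line in the KEXEC_SIG_FORCE help text telling former KEXEC_VERIFY_SIG users to enable it to keep the old mandatory behaviour would prevent that regression.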
@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, @@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..67f3a866eabe 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
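Review bot: changing pefile_parse_binary() to return -ENODATA instead of -EKEYREJECTED for an unsigned PE binary is visible to every caller of verify_pefile_signature(), not only to kexec; any caller that treated -EKEYREJECTED as "reject" now sees a different errno, so the other callers should be audited as part of this patch (the new return value is documented in the second verify_pefile.c hunk, which is good). In kimage_file_prepare_segments(), `int ret = 0;` becomes `int ret;` and `const char *reason;` is added; both are assigned only on specific paths (the #ifdef/#else branches for `ret`, the ENODATA/ENOPKG/ENOKEY arms for `reason`), which is correct, but a short comment that `reason` is only meaningful at the `decide:` label would help the next reader.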
@@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + ret = -EKEYREJECTED; + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
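Review bot: the comment "Certain verification errors are non-fatal if we're not checking errors, provided we aren't mandating that there must be a valid signature" is hard to parse; the code treats -ENODATA, -ENOPKG and -ENOKEY as non-fatal unless CONFIG_KEXEC_SIG_FORCE is set, so state exactly that. Two smaller points in the same hunk: the `decide:` label inside the switch, reached by `goto` from the preceding case arms, works but would read more plainly with `reason` set in each arm and a single fall-through into the IS_ENABLED() test; and the new comment "It is possible that there no initramfs is being loaded" has a typo ("that no initramfs is being loaded"). The default arm now logs with pr_notice() where the old code used pr_debug(), which is appropriate for a fatal failure, but in non-forcing mode the acceptance of an unsigned, unsupported-crypto or unknown-key image is silent (`ret = 0; break;`), so an administrator cannot tell from the log that an unverified image was loaded; a pr_info() with `reason` on that path would give the audit trail.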
From patchwork Tue Mar 26 18:27:23 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871981
Date: Tue, 26 Mar 2019 11:27:23 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-8-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Jiri Bohac , Matthew Garrett , kexec@lists.infradead.org

From: Jiri Bohac

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
cc: kexec@lists.infradead.org

--- kernel/kexec_file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 67f3a866eabe..a1cc37c8b43b 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c
@@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable
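Review bot: the commit message says the restriction applies "When KEXEC_SIG is not enabled", but the hunk places kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY) in the shared ENODATA/ENOPKG/ENOKEY path of the previous patch's switch, so it also fires with KEXEC_SIG enabled whenever the image is unsigned, uses unsupported crypto or has no matching key; update the commit message to describe both cases. The placement itself is right: it comes after the KEXEC_SIG_FORCE decision (where SIG_FORCE is set those arms already return -EKEYREJECTED) and leaves a successfully verified image (`case 0`) untouched. Passing `reason` through means the lockdown denial names the specific cause, which is useful; just make sure every path that reaches the `decide:` label has set `reason`, as the three case arms in the previous patch do.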
From patchwork Tue Mar 26 18:27:24 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871983
Date: Tue, 26 Mar 2019 11:27:24 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-9-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 08/25] hibernate: Disable when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer , Matthew Garrett , rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org

--- kernel/power/hibernate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..928b198cfa26 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c
@@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation", + LOCKDOWN_INTEGRITY); } /**
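Review bot: hibernation_available() changes from a static boot-parameter test into one that also consults lockdown state on every call, which is the right shape if lockdown can be switched on after boot, but nothing at the call site says why hibernation is an integrity concern; add a one-line comment carrying the commit message's rationale (the resume image cannot be verified, so resuming under lockdown would restore unverified kernel state). The `nohibernate == 0 &&` short-circuit keeps the cheap check first, which is fine.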
From patchwork Tue Mar 26 18:27:25 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871979
Date: Tue, 26 Mar 2019 11:27:25 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-10-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 09/25] uswsusp: Disable when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , linux-pm@vger.kernel.org, pavel@ucw.cz, rjw@rjwysocki.net

From: Matthew Garrett

uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux-pm@vger.kernel.org
Cc: pavel@ucw.cz
Cc: rjw@rjwysocki.net

--- kernel/power/user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c index 2d8b60a3c86b..99e13fd13237 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down("/dev/snapshot", LOCKDOWN_INTEGRITY)) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
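Review bot: with the preceding hibernate patch applied, hibernation_available() already returns false under integrity lockdown, so the existing `if (!hibernation_available()) return -EPERM;` rejects snapshot_open() before the new kernel_is_locked_down("/dev/snapshot", LOCKDOWN_INTEGRITY) line is ever reached, which makes the new check redundant. Keeping it is defensible if the goal is a distinct "/dev/snapshot" reason and independence from the hibernate patch, but say so in the commit message; otherwise drop it rather than test the same condition twice.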
From patchwork Tue Mar 26 18:27:26 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871939
Date: Tue, 26 Mar 2019 11:27:26 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-11-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Bjorn Helgaas, linux-pci@vger.kernel.org

From: Matthew Garrett

Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing.

Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Bjorn Helgaas
cc: linux-pci@vger.kernel.org
---
 drivers/pci/pci-sysfs.c | 9 +++++++++
 drivers/pci/proc.c      | 9 ++++++++-
 drivers/pci/syscall.c   | 3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9ecfe13157c0..59d02088945e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL;
@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..85769f222b6d 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..0669cb09e792 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c 
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn);
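Review bot: in the proc_bus_pci_ioctl hunk the kernel_is_locked_down() check sits before the switch, so it also refuses PCIIOC_CONTROLLER, which only returns pci_domain_nr(dev->bus) and changes nothing; move the check into the cases that alter how the file is subsequently mmapped (the ones inside the HAVE_PCI_MMAP block) so that read-only queries keep working under lockdown.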
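Review bot: the commit message and the subject ("Lock down BAR access") do not mention that the pci_write_config, proc_bus_pci_write and pciconfig_write hunks also refuse configuration-space writes, which is a larger change in behaviour than BAR mmap alone; say so explicitly, and note that the read paths are deliberately left open. The string "Direct PCI access" is now spelled out in seven places across pci-sysfs.c, proc.c and syscall.c; a single #define would keep the lockdown message consistent the next time one of them is edited.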
From patchwork Tue Mar 26 18:27:27 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871977
Date: Tue, 26 Mar 2019 11:27:27 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-12-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 11/25] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, x86@kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: x86@kernel.org
Reviewed-by: Andy Lutomirski
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..febbd7eb847c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm", LOCKDOWN_INTEGRITY))) return -EPERM; /*
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl", LOCKDOWN_INTEGRITY)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
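Review bot: the reason strings "ioperm" and "iopl" are bare syscall names, whereas the PCI and MSR patches pass a description ("Direct PCI access", "Direct MSR access"); use something like "Direct I/O port access" in both hunks so the lockdown message tells the administrator what was refused rather than which entry point was used. The placement is otherwise right: the ksys_ioperm hunk still lets a caller clear bits (turn_on == 0), the iopl hunk still lets a task lower its level, and because !capable() is evaluated first an unprivileged caller is refused without going through the lockdown path at all.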
From patchwork Tue Mar 26 18:27:28 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871943
Date: Tue, 26 Mar 2019 11:27:28 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-13-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 12/25] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Kees Cook, Thomas Gleixner, x86@kernel.org

From: Matthew Garrett

Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Kees Cook
Reviewed-by: Thomas Gleixner
cc: x86@kernel.org
---
 arch/x86/kernel/msr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..731be1be52b6 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (count % 8) return -EINVAL; /* Invalid chunk size */
@@ -135,6 +138,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access", + LOCKDOWN_INTEGRITY)) { + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break;
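Review bot: in the msr_ioctl hunk the lockdown check runs after the register block has already been copied from userspace (the err = -EFAULT break immediately above it), so a locked-down caller sees EFAULT or EPERM depending on whether its buffer was readable; put the check at the top of the write case, before the copy, which also mirrors the msr_write hunk where the check precedes the count % 8 test. That ordering in msr_write deserves a comment: a write whose length is not a multiple of 8 now fails with EPERM under lockdown and EINVAL otherwise, which is a convenient way to test the gate without executing a real wrmsr.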
From patchwork Tue Mar 26 18:27:29 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871973
Date: Tue, 26 Mar 2019 11:27:29 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-14-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 13/25] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, linux-acpi@vger.kernel.org

From: Matthew Garrett

custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/custom_method.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 4451877f83b6..37de3cd84493 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (kernel_is_locked_down("ACPI custom methods", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header))
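Review bot: the check in cm_write() is evaluated on every write() call, and cm_write accepts a table in several chunks (the !(*ppos) branch parses the header on the first one), so a locked-down caller is refused on each chunk and nothing buffered from earlier chunks can be acted on; that is correct, but if the lockdown state is fixed at boot it would be simpler not to create the debugfs file at all when kernel_is_locked_down() is set, rather than paying the check per call and leaving a writable-looking node behind. Whichever is chosen, the commit message should say whether the file remains visible under lockdown.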
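The ordering of the checks in the PCI, I/O port, MSR and custom_method hunks above (lockdown test first, argument validation second) makes it possible to verify the gates from userspace without performing any real write. The probe below is an added example, not code from the patch series. It assumes that /proc/bus/pci/00/00.0 and /dev/cpu/0/msr exist, that debugfs is mounted at /sys/kernel/debug, that cm_write() answers a first write shorter than an ACPI table header with EINVAL (taken from the hunk's surrounding context), and that it is run as root, since without CAP_SYS_RAWIO or CAP_SYS_ADMIN the capable() tests return the same EPERM as lockdown does. Each probe hands the kernel an argument that is rejected only after the lockdown check, so the error that comes back says which side of the check was reached.

```c
/*
 * lockdown_probe.c: does the kernel refuse the write paths gated by the PCI,
 * I/O port, MSR and ACPI custom_method patches?  Added example, not code from
 * the patch series.  Each probe hands the kernel an argument it rejects only
 * after the kernel_is_locked_down() check, so nothing is ever written: EPERM
 * means the gate fired, the "pass-through" result means the call got past it.
 * Run as root; without CAP_SYS_RAWIO / CAP_SYS_ADMIN the capable() tests give
 * the same EPERM.  The device paths are assumptions; adjust them as needed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

enum verdict { V_OPEN, V_LOCKED, V_NO_PRIV, V_ABSENT, V_OTHER };

static const char *const verdict_name[] = {
	"reached the write path (gate not active)",
	"EPERM (locked down, or caller lacks the capability)",
	"EACCES (file mode refused us before any kernel check)",
	"interface not present on this system",
	"unexpected error",
};

/* Classify one probe.  passthrough_errno is the errno the kernel returns once
 * the lockdown check has been passed and it sees our bogus argument; pass -1
 * when only a successful return (or a 0-byte write) proves that. */
enum verdict judge(long rc, int err, int passthrough_errno)
{
	if (rc >= 0 || err == passthrough_errno)
		return V_OPEN;
	if (err == EPERM)
		return V_LOCKED;
	if (err == EACCES)
		return V_NO_PRIV;
	if (err == ENOENT || err == ENOSYS || err == ENODEV || err == ENXIO)
		return V_ABSENT;
	return V_OTHER;
}

/* Open path for writing and pwrite() a single zero byte at offset off. */
static enum verdict probe_pwrite(const char *path, off_t off, int passthrough_errno)
{
	char byte = 0;
	int fd = open(path, O_WRONLY);
	if (fd < 0)
		return judge(-1, errno, passthrough_errno);
	long rc = pwrite(fd, &byte, 1, off);
	int err = errno;
	close(fd);
	return judge(rc, err, passthrough_errno);
}

/* proc_bus_pci_write(): lockdown check, then "if (pos >= size) return 0", so
 * an offset far beyond cfg_size yields EPERM or a harmless 0-byte write. */
enum verdict probe_pci_proc(const char *path)	/* e.g. /proc/bus/pci/00/00.0 */
{
	return probe_pwrite(path, 1 << 20, -1);
}

/* msr_write(): lockdown check, then "if (count % 8) return -EINVAL", so a
 * 1-byte write yields EPERM or EINVAL and never reaches wrmsr. */
enum verdict probe_msr(const char *path)	/* e.g. /dev/cpu/0/msr */
{
	return probe_pwrite(path, 0, EINVAL);
}

/* cm_write(): lockdown check, then a first write shorter than an ACPI table
 * header is rejected (EINVAL is assumed from the hunk's context). */
enum verdict probe_custom_method(const char *path) /* e.g. /sys/kernel/debug/acpi/custom_method */
{
	return probe_pwrite(path, 0, EINVAL);
}

/* ksys_ioperm() validates the range before the capability/lockdown test, so a
 * real (one-port) request is needed; if it is granted, hand it straight back. */
enum verdict probe_ioperm(void)
{
#ifdef SYS_ioperm
	long rc = syscall(SYS_ioperm, 0x80, 1, 1);	/* POST port only, turn_on = 1 */
	int err = errno;
	if (rc == 0)
		syscall(SYS_ioperm, 0x80, 1, 0);
	return judge(rc, err, -1);
#else
	return V_ABSENT;				/* not an x86 build */
#endif
}

/* iopl(): only raising the level is gated, so ask for 3 and drop back to 0. */
enum verdict probe_iopl(void)
{
#ifdef SYS_iopl
	long rc = syscall(SYS_iopl, 3);
	int err = errno;
	if (rc == 0)
		syscall(SYS_iopl, 0);
	return judge(rc, err, -1);
#else
	return V_ABSENT;
#endif
}

int main(void)
{
	printf("PCI config write (proc): %s\n", verdict_name[probe_pci_proc("/proc/bus/pci/00/00.0")]);
	printf("MSR write:               %s\n", verdict_name[probe_msr("/dev/cpu/0/msr")]);
	printf("ACPI custom_method:      %s\n", verdict_name[probe_custom_method("/sys/kernel/debug/acpi/custom_method")]);
	printf("ioperm(0x80, 1, 1):      %s\n", verdict_name[probe_ioperm()]);
	printf("iopl(3):                 %s\n", verdict_name[probe_iopl()]);
	return 0;
}
```

Build with `cc -o lockdown_probe lockdown_probe.c` and run it as root on a kernel with and without the series applied: every line should read "reached the write path" on the unpatched kernel and "EPERM" on the locked-down one. The reason strings the series passes to kernel_is_locked_down() ("Direct MSR access", "ioperm", and so on) identify which gate fired and are what to look for in the kernel log. The PCI probe goes through /proc/bus/pci rather than the sysfs config attribute because sysfs bounds-checks the offset before the driver's write method runs, so an out-of-range offset there would never reach the lockdown check.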
From patchwork Tue Mar 26 18:27:30 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871969
Date: Tue, 26 Mar 2019 11:27:30 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-15-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer, Matthew Garrett, Dave Young, linux-acpi@vger.kernel.org

From: Josh Boyer

This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: Dave Young
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/osl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..cd5bba7b8eb3 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c
@@ -194,7 +194,8 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification", + LOCKDOWN_INTEGRITY)) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer();
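Review bot: acpi_os_get_root_pointer() is __init and runs early in boot, so this only helps if the lockdown state has already been established by the time it is called; please confirm the ordering against whatever engages lockdown, because an enable that happens later would leave the acpi_rsdp override honoured. The commit message says the option is rejected, but the hunk falls through to acpi_arch_get_root_pointer() without any message of its own; the table-override hunk in the next patch prints a pr_notice() when it ignores its input, and the same would help an administrator here. Finally, "userspace" in the commit message is loose: acpi_rsdp is a kernel command-line parameter, so the party being distrusted is whoever controls the boot command line, which is also why the code sits under CONFIG_KEXEC.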
From patchwork Tue Mar 26 18:27:31 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871971
Date: Tue, 26 Mar 2019 11:27:31 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-16-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 15/25] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Linn Crosetto, Matthew Garrett, linux-acpi@vger.kernel.org

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to
  override nearly any ACPI table provided by the BIOS with an instrumented,
  modified one.

When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..0dc561210c86 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c
@@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override", LOCKDOWN_INTEGRITY)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE);
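Review bot: same early-boot ordering question as the acpi_rsdp hunk: acpi_table_upgrade() is __init and runs before memblock_find_in_range() has even reserved space for the tables, so kernel_is_locked_down() must already reflect the final lockdown state this early or the override is applied regardless. Placing the check after the table_nr == 0 return is right, since the notice is then printed only when the initrd actually carried tables. Unless this file already defines pr_fmt, prefix the pr_notice() with "ACPI: " so it lines up with the other ACPI boot messages, and consider naming the table count in it so an administrator can tell what was dropped.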
From patchwork Tue Mar 26 18:27:32 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871965
Date: Tue, 26 Mar 2019 11:27:32 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-17-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 16/25] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Dominik Brodowski, Matthew Garrett

From: David Howells

Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down.

Suggested-by: Dominik Brodowski
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
 drivers/pcmcia/cistpl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..9e23300a55e5 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c
@@ -1578,6 +1578,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + if (kernel_is_locked_down("Direct PCMCIA CIS storage", + LOCKDOWN_INTEGRITY)) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) From patchwork Tue Mar 26 18:27:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871963 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1C2181669 for ; Tue, 26 Mar 2019 18:29:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0818C27861 for ; Tue, 26 Mar 2019 18:29:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F00B62846C; Tue, 26 Mar 2019 18:29:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7E4FE28382 for ; Tue, 26 Mar 2019 18:29:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732604AbfCZS3g (ORCPT ); Tue, 26 Mar 2019 14:29:36 -0400 Received: from mail-qk1-f201.google.com ([209.85.222.201]:48206 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732782AbfCZS2i (ORCPT ); Tue, 26 Mar 2019 14:28:38 -0400 Received: by mail-qk1-f201.google.com with SMTP id b188so12383329qkg.15 for ; Tue, 26 Mar 2019 11:28:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
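Review bot: the commit message gives no reason why CIS replacement belongs in the LOCKDOWN_INTEGRITY class that this hunk assigns it to; a sentence noting that a user-supplied CIS changes how the kernel identifies and configures the card would justify the classification. Placing the check before to_socket() is fine, since nothing is looked up or allocated before the -EPERM.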
Date: Tue, 26 Mar 2019 11:27:33 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-18-matthewgarrett@google.com>
Subject: [PATCH V31 17/25] Lock down TIOCSSERIAL
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Greg Kroah-Hartman, Matthew Garrett, Jiri Slaby, linux-serial@vger.kernel.org

From: David Howells

Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error.

Reported-by: Greg Kroah-Hartman
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: Jiri Slaby
Cc: linux-serial@vger.kernel.org
---
 drivers/tty/serial/serial_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index d4cca5bdaf1c..65b67f0d4386 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels", LOCKDOWN_INTEGRITY)) { + retval = -EPERM; + goto exit; + } + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || From patchwork Tue Mar 26 18:27:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871947 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4A6B313B5 for ; Tue, 26 Mar 2019 18:28:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3635028DEE for ; Tue, 26 Mar 2019 18:28:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2A8AF28E33; Tue, 26 Mar 2019 18:28:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9566F28DEE for ; Tue, 26 Mar 2019 18:28:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732784AbfCZS2l (ORCPT ); Tue, 26 Mar 2019 14:28:41 -0400 Received: from mail-ot1-f74.google.com ([209.85.210.74]:55893 "EHLO mail-ot1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732804AbfCZS2l (ORCPT ); Tue, 26 Mar 2019 14:28:41 -0400 Received: by mail-ot1-f74.google.com 
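Review bot: the guard only tests change_port || change_irq, yet the reason string handed to kernel_is_locked_down() also names "dma channels"; either trim the string to what the condition actually checks or extend the condition if the ioctl can alter a DMA setting. The kernel_is_locked_down() call is also well past 80 columns and should be wrapped like the one in the PCMCIA hunk. The goto exit mirrors the existing CAP_SYS_ADMIN path just below, so the unwind is consistent.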
Date: Tue, 26 Mar 2019 11:27:34 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-19-matthewgarrett@google.com>
Subject: [PATCH V31 18/25] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alan Cox , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..da1297f7cc26 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels", LOCKDOWN_INTEGRITY)) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } 
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, 
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; From patchwork Tue Mar 26 18:27:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871961 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DC99413B5 for ; Tue, 26 Mar 2019 18:29:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C604F27861 for ; Tue, 26 Mar 2019 18:29:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B511328475; Tue, 26 Mar 2019 18:29:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C92D27861 for ; Tue, 26 Mar 2019 18:29:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732553AbfCZS3b (ORCPT ); Tue, 26 Mar 2019 14:29:31 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:37685 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732807AbfCZS2n (ORCPT ); Tue, 26 Mar 2019 14:28:43 -0400 Received: by mail-vs1-f74.google.com with SMTP id r74so3449543vsc.4 
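Review bot: in the first hunk param_check_unsafe() gains a `doing` parameter that its body never uses; the lockdown reason stays the fixed string "Command line-specified device addresses, irqs and dma channels". Either fold `doing` into that message so the refusal names the module or parameter involved, or drop the parameter. The KERNEL_PARAM_FL_UNSAFE taint is also applied before the HWPARAM lockdown test, so a refused hardware parameter that is additionally marked unsafe still taints the kernel even though the set never runs; testing lockdown first avoids that. Separately, the commit message says an annotation is provided, but the diffstat touches only kernel/params.c and no KERNEL_PARAM_FL_HWPARAM definition or annotation macro appears here, so the flag must come from another patch in the series and the message should say so.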
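Review bot: the mod_name() macro added in the second hunk dereferences its argument unconditionally under CONFIG_MODULES and duplicates module_name() from linux/module.h, which already returns "kernel" for a NULL module; using the existing helper removes both the local macro and the NULL hazard.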
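Review bot: in the third hunk mod_name(mk->mod) is evaluated on every sysfs store, but mk->mod is NULL for built-in parameters (the adjacent kernel_param_lock(mk->mod) already tolerates that case), so under CONFIG_MODULES a write to a built-in parameter's sysfs attribute would dereference NULL before param_check_unsafe() is even reached. Guard the NULL or switch to the NULL-safe module_name() helper.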
Date: Tue, 26 Mar 2019 11:27:35 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-20-matthewgarrett@google.com>
Subject: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Thomas Gleixner, Matthew Garrett, Steven Rostedt, Ingo Molnar, "H. Peter Anvin", x86@kernel.org

From: David Howells

The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy.

Suggested-by: Thomas Gleixner
Signed-off-by: David Howells
cc: Thomas Gleixner
cc: Steven Rostedt
cc: Ingo Molnar
cc: "H. Peter Anvin"
cc: x86@kernel.org
Acked-by: Steven Rostedt (VMware)
---
 arch/x86/mm/testmmiotrace.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
index f6ae6830b341..9e8ad665f354 100644
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c
@@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); From patchwork Tue Mar 26 18:27:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871949 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E34921669 for ; Tue, 26 Mar 2019 18:28:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D003528DEE for ; Tue, 26 Mar 2019 18:28:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C424528E33; Tue, 26 Mar 2019 18:28:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7D01E28DEE for ; Tue, 26 Mar 2019 18:28:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732836AbfCZS2r (ORCPT ); Tue, 26 Mar 2019 14:28:47 -0400 Received: from mail-qk1-f201.google.com ([209.85.222.201]:40430 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732832AbfCZS2q (ORCPT ); Tue, 26 Mar 2019 14:28:46 -0400 Received: by mail-qk1-f201.google.com with SMTP id l187so12368393qkd.7 for ; Tue, 26 Mar 2019 11:28:45 -0700 (PDT) 
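Review bot: the trailer block for this patch carries only David Howells's Signed-off-by and Steven Rostedt's Acked-by; the submitter's Signed-off-by that the other patches on this page carry is missing and needs adding before merge. The hunk itself refuses before the mmio_address validation, so no mapping is set up ahead of the -EPERM; that ordering is right.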
Date: Tue, 26 Mar 2019 11:27:36 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-21-matthewgarrett@google.com>
Subject: [PATCH V31 20/25] Lock down /proc/kcore
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett

From: David Howells

Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
 fs/proc/kcore.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index bbcc185062bb..1c556a453569 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; From patchwork Tue Mar 26 18:27:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871959 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 94BCD13B5 for ; Tue, 26 Mar 2019 18:29:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8034E271E6 for ; Tue, 26 Mar 2019 18:29:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 740FA28382; Tue, 26 Mar 2019 18:29:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 10732271E6 for ; Tue, 26 Mar 2019 18:29:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732499AbfCZS3T (ORCPT ); Tue, 26 Mar 2019 14:29:19 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:37823 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732834AbfCZS2s (ORCPT ); Tue, 26 Mar 2019 14:28:48 -0400 Received: by mail-qk1-f202.google.com with SMTP id f196so12412893qke.4 for ; Tue, 26 Mar 2019 11:28:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
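Review bot: the new return -EPERM in open_kcore() runs straight into the existing if (!capable(CAP_SYS_RAWIO)) with no blank line between them, unlike the other hunks in this series; add the separator. Putting the lockdown test ahead of the capability test is the right order, since CAP_SYS_RAWIO must not be able to bypass confidentiality mode.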
Date: Tue, 26 Mar 2019 11:27:37 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-22-matthewgarrett@google.com>
Subject: [PATCH V31 21/25] Lock down kprobes when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov, Matthew Garrett, "Naveen N . Rao", Anil S Keshavamurthy, davem@davemloft.net, Masami Hiramatsu

From: David Howells

Disallow the creation of kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: davem@davemloft.net
Cc: Masami Hiramatsu
---
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..b9781bd2db8c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr)) From patchwork Tue Mar 26 18:27:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871957 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6FC191669 for ; Tue, 26 Mar 2019 18:29:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C100271E6 for ; Tue, 26 Mar 2019 18:29:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4FC4528382; Tue, 26 Mar 2019 18:29:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BDC6A271E6 for ; Tue, 26 Mar 2019 18:29:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732858AbfCZS2w (ORCPT ); Tue, 26 Mar 2019 14:28:52 -0400 Received: from mail-ot1-f73.google.com ([209.85.210.73]:41506 "EHLO mail-ot1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732853AbfCZS2v (ORCPT ); Tue, 26 Mar 2019 14:28:51 -0400 Received: by mail-ot1-f73.google.com with SMTP id 31so8843655ota.8 for ; Tue, 26 Mar 2019 11:28:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
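Review bot: this hunk returns -EPERM from register_kprobe() while the bpf hunks in the next patch return -EINVAL for the same kind of lockdown refusal; the series should settle on one errno so that tooling can distinguish a policy refusal from a malformed request, and -EPERM is the clearer of the two. Rejecting at register_kprobe() also covers kretprobes, whose registration goes through the same function, which is worth stating in the commit message.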
Date: Tue, 26 Mar 2019 11:27:38 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-23-matthewgarrett@google.com>
Subject: [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov , Matthew Garrett , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells There are some bpf functions can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Disable them if the kernel has been locked down in confidentiality mode. Suggested-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann --- kernel/trace/bpf_trace.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 8b068adb9da1..9e8eda605b5e 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); @@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. 
@@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, char buf[64]; int i; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * bpf_check()->check_func_arg()->check_stack_boundary() * guarantees that fmt points to bpf program stack, 
@@ -535,6 +543,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing From patchwork Tue Mar 26 18:27:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871951 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 704331669 for ; Tue, 26 Mar 2019 18:28:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5DC1B28DEE for ; Tue, 26 Mar 2019 18:28:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 51BA128E33; Tue, 26 Mar 2019 18:28:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 019D628DEE for ; Tue, 26 Mar 2019 18:28:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732806AbfCZS2y (ORCPT ); Tue, 26 Mar 2019 14:28:54 -0400 Received: from mail-pl1-f202.google.com ([209.85.214.202]:39971 "EHLO mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732877AbfCZS2x (ORCPT ); Tue, 26 Mar 2019 14:28:53 -0400 Received: by mail-pl1-f202.google.com with SMTP id q7so2641173plr.7 for ; Tue, 26 Mar 2019 11:28:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
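Review bot: the early return -EINVAL added to bpf_probe_read skips the memset(dst, 0, size) that the existing failure path performs, so on a locked-down kernel the helper reports failure but leaves dst untouched; because the verifier treats dst as initialised once the helper returns, the program can then read whatever stale data was on its stack. Route the refusal through the same zeroing as a failed probe_kernel_read(), for example by jumping to the memset.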
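Review bot: the new return in bpf_probe_write_user is pasted directly above the existing comment block with no blank line; add one for consistency with the bpf_probe_read hunk.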
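Review bot: the guard in bpf_trace_printk rejects every call, although the concern stated in the commit message is reading kernel memory, which only the %s handling of this helper does; consider refusing at the %s branch instead so purely numeric trace output keeps working in confidentiality mode, or say in the commit message that all BPF trace printing is deliberately disabled.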
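Review bot: bpf_probe_read_str has the same issue as bpf_probe_read: its -EINVAL return bypasses the zeroing of dst that the helper's normal failure path does, so the refusal should take the same route through the memset. This helper is also absent from the commit message's list of affected functions (bpf_probe_read, bpf_probe_write_user, bpf_trace_printk); add it there.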
Date: Tue, 26 Mar 2019 11:27:39 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-24-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 23/25] Lock down perf when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo

From: David Howells

Disallow the use of certain perf facilities that might allow userspace to access kernel data.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
---
 kernel/events/core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3cd13a30f732..6ad3d83c091c 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10461,6 +10461,12 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR", + LOCKDOWN_CONFIDENTIALITY)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return -EPERM; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) From patchwork Tue Mar 26 18:27:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871955 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 480801669 for ; Tue, 26 Mar 2019 18:29:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3427628E3C for ; Tue, 26 Mar 2019 18:29:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2860628E3F; Tue, 26 Mar 2019 18:29:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0AE8828E3C for ; Tue, 26 Mar 2019 18:29:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732900AbfCZS3F (ORCPT ); Tue, 26 Mar 2019 14:29:05 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:53249 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732888AbfCZS24 (ORCPT ); Tue, 26 Mar 2019 14:28:56 -0400 Received: by mail-qk1-f202.google.com with SMTP 
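Review bot: the comment in the PERF_SAMPLE_REGS_INTR check sits between the `if` condition and its unbraced single-statement body (`/* REGS_INTR can leak data, lockdown must prevent this */` followed by `return -EPERM;`), which is easy to misread as a braced block; move the comment above the `if` or add braces. The check itself is narrower than the commit message suggests: it stops interrupt-time register samples, but kernel-address samples such as PERF_SAMPLE_IP and PERF_SAMPLE_CALLCHAIN with exclude_kernel clear are left to the existing perf_paranoid checks and are not touched by lockdown here. If relying on the paranoid level for those is intended, the commit message should say so.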
Date: Tue, 26 Mar 2019 11:27:40 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-25-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 24/25] lockdown: Print current->comm in restriction messages
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: : is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 7 +++- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ security/lock_down.c | 4 +-- 6 files changed, 70 insertions(+), 4 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..05921227d700 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,4 +127,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_kexec_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index a1cc37c8b43b..7599039623a7 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c 
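Review bot: the #else branch of the new block in include/linux/ima.h declares the stub as `ima_appraise_kexec_signature()`, but the real function and its caller in kernel/kexec_file.c are both named `ima_appraise_signature()`, so any configuration lacking either CONFIG_IMA_APPRAISE or CONFIG_INTEGRITY_TRUSTED_KEYRING fails to build with an implicit declaration of ima_appraise_signature. Rename the stub to `ima_appraise_signature`. Also, the IMA and kexec changes here have nothing to do with this patch's subject ("Print current->comm in restriction messages"); the diffstat lists six files for what is otherwise a one-line message change, so the kexec/IMA work should be split into its own patch with its own justification.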
@@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = 0; - if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { ret = -EPERM; goto out; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..fe03cc6f1ca4 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -115,6 +115,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 4ffac4f5c647..106f06dee9d1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -442,7 +442,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 122797023bdb..f8f1cdb74a4f 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
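Review bot: the new comment in kimage_file_prepare_segments() says IMA is "guaranteed to appraise a signature", but ima_appraise_signature() only reports that an appraise rule with a signature requirement exists in the policy; it does not check that appraisal is actually enforced. IMA can be booted with ima_appraise=log or ima_appraise=fix (or appraisal switched off), in which case a failed signature check is merely logged and the kexec image still loads, and with this hunk the integrity lockdown would be skipped as well. The bypass should additionally require enforce mode, or the comment should be toned down to what the function really checks. Style nit: the multi-line comment should start with `/*` on a line of its own.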
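Review bot: exposing read_idmap as `extern const int read_idmap[];` in security/integrity/ima/ima.h drops the array bound that the definition in ima_main.c carries (READING_MAX_ID); declare it as `extern const int read_idmap[READING_MAX_ID];` so the bound is visible where ima_appraise_signature() indexes it and a mismatch between header and definition is caught by the compiler rather than at runtime.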
@@ -1341,3 +1341,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. + */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ diff --git a/security/lock_down.c b/security/lock_down.c index 0f9ef4c30aa8..6bcffd0bb200 100644 --- a/security/lock_down.c +++ b/security/lock_down.c 
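Review bot: ima_appraise_signature() skips every rule whose action is not APPRAISE with `continue`, so a dont_appraise rule for the same function earlier in the policy is ignored and a later appraise rule is still reported as a guarantee, even though IMA's own policy walk would honour the dont_appraise rule and never appraise the image. A matching DONT_APPRAISE entry needs to end the search with false. In the same loop only `entry->func` and the IMA_DIGSIG_REQUIRED flag are compared: a rule qualified by uid, fowner, fsmagic or an LSM label fires for only a subset of kexec loads, yet it is treated here as covering all of them. Either reject entries that carry any other condition, or reuse ima_match_rules() so this function cannot answer true for a rule that would not fire.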
@@ -70,8 +70,8 @@ bool __kernel_is_locked_down(const char *what, enum lockdown_level level, bool first) { if ((kernel_locked_down >= level) && what && first) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - what); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, what); return (kernel_locked_down >= level); } EXPORT_SYMBOL(__kernel_is_locked_down); From patchwork Tue Mar 26 18:27:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871953 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1261613B5 for ; Tue, 26 Mar 2019 18:29:06 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0000428E33 for ; Tue, 26 Mar 2019 18:29:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E8BFF28E3D; Tue, 26 Mar 2019 18:29:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 969D628E33 for ; Tue, 26 Mar 2019 18:29:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732891AbfCZS3E (ORCPT ); Tue, 26 Mar 2019 14:29:04 -0400 Received: from mail-oi1-f202.google.com ([209.85.167.202]:44746 "EHLO mail-oi1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732900AbfCZS26 (ORCPT ); Tue, 26 Mar 2019 14:28:58 -0400 Received: by mail-oi1-f202.google.com with SMTP id i80so5714176oib.11 
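Review bot: current->comm is settable by the task itself via prctl(PR_SET_NAME) and is not unique, so on its own it only hints at which process hit the restriction; printing the pid next to it (task_pid_nr(current)) makes the message usable for correlating with audit or process logs, at the cost of a few more characters in the format string.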
Date: Tue, 26 Mar 2019 11:27:41 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-26-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , gregkh@linuxfoundation.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett debugfs has not been meaningfully audited in terms of ensuring that userland cannot trample over the kernel. At Greg's request, disable access to it entirely when the kernel is locked down. This is done at open() time rather than init time as the kernel lockdown status may be made stricter at runtime. Signed-off-by: Matthew Garrett Cc: gregkh@linuxfoundation.org --- fs/debugfs/file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..9ae12ef29ba0 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -142,6 +142,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp) const struct file_operations *real_fops = NULL; int r; + if (kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY)) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r; @@ -267,6 +270,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp) struct file_operations *proxy_fops = NULL; int r; + if (kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY)) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r;
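Review bot: refusing every open() under LOCKDOWN_INTEGRITY in both open_proxy_open() and full_proxy_open() also takes away read-only debugfs files in integrity mode, although the justification given is that userland must not "trample over the kernel", which is a write concern. Consider letting opens without FMODE_WRITE through under LOCKDOWN_INTEGRITY and refusing them only under LOCKDOWN_CONFIDENTIALITY (debugfs files routinely expose kernel pointers and internal state), so integrity-mode systems keep their diagnostics while confidentiality mode closes the leak; if the unaudited read handlers are the real worry, say so in the commit message. One limitation worth stating explicitly, since the message cites runtime tightening as the reason for checking at open(): descriptors opened before the lockdown level was raised keep full access, so a later tightening does not revoke them.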