From patchwork Thu Feb 28 23:11:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834283 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C67DB180E for ; Thu, 28 Feb 2019 23:14:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BB4652FC45 for ; Thu, 28 Feb 2019 23:14:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AFA482FC4C; Thu, 28 Feb 2019 23:14:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2F8612FC45 for ; Thu, 28 Feb 2019 23:14:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733244AbfB1XMI (ORCPT ); Thu, 28 Feb 2019 18:12:08 -0500 Received: from mail-io1-f73.google.com ([209.85.166.73]:40236 "EHLO mail-io1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733049AbfB1XMH (ORCPT ); Thu, 28 Feb 2019 18:12:07 -0500 Received: by mail-io1-f73.google.com with SMTP id 68so16749941iov.7 for ; Thu, 28 Feb 2019 15:12:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=JgzwmpXUZt6KNQDOAKfrLdx7UP057Xc3K0KJM8I4IMs=; b=fuzj4be/utb+s8Vx8KsNnR8tKuIypLsihlSey2iVxr/B69aksur8ZBLCEe5qHUi4M/ gT0dCRdr9REFLg9BcSIq2lGwMowoZNYjT4z61z8x/i8D1i7y2Pr5xHCygz8DV+VO3Xij SiN7R40q56yNmnWWHqE4dUsKeeCJEEu3LmTIFQVGko0g6yLFzzulfe9ISxxaY/1OIupS qv36MEwUlYTg4MF5PjvS9hovsByQdbGmTZXRVzuyspodNjJQkN56+uHVWSOan7vpQRgO 4evyp/Oq0eRH9pxiaBRcaCpm3/6Y+CT68cEolbeRQ/gx/gSyj2O0cBWEBgpWFi+qBDhf I3KA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=JgzwmpXUZt6KNQDOAKfrLdx7UP057Xc3K0KJM8I4IMs=; b=o+XmRiUy1Z4o5uy88+B2T8ZQ+748k7VDrxsmmTfJbw+cULqHhMWh966e9Yco7DWTSc zHvatu4BEyw0RH8Is/vYiMB00Rl6D6HbHp1gNHKNXq1Q4j0KTtMt2yrE3c9iRkoCbT8P yUWbPv/p3HsQAXkd2wOnc0yfrCwyceScvtKAkrWq4iKWq+bbLjT5ZqF+axGuEhCREh2j guGEf1dCwnc9rxt/k2B9nB8u9HQAdOnKmxDf8YeHwW6LfH5jrS4e0dO+Y2laJohQ8sNh Ml+3QSiBhBHbs9UA/H3hPm8xydE72jDxsYdCUt66N20hAxIkaRTRvMLlwR99mRNOzFNc yhiw== X-Gm-Message-State: APjAAAWm2mbmQWpROD9dIKHmhu7ijVoaZjt4oy2c8Ifq5smJW2EJoGk6 dfDaoBmzc5Vj6crFs2lNfTckd5QYVBLUHtkQNJU6bQ== X-Google-Smtp-Source: AHgI3IaSrBaKC5+f/5QeKpdJHq6ck0jHfNE6DAmlYm5+YRAfPkcS64HbRS9/++8n1he4M8qosCmX4e4+7uliIWEwbmwczQ== X-Received: by 2002:a24:5947:: with SMTP id p68mr1493419itb.27.1551395526454; Thu, 28 Feb 2019 15:12:06 -0800 (PST) Date: Thu, 28 Feb 2019 15:11:37 -0800 In-Reply-To: Message-Id: <20190228231203.212359-1-matthewgarrett@google.com> Mime-Version: 1.0 References: X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 01/27] Add the ability to lock down access to the running kernel image From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provide a single call to allow kernel code to determine whether the system should be locked down, thereby disallowing various accesses that might allow the running kernel image to be changed including the loading of modules that aren't validly signed with a key we recognise, fiddling with MSR registers and disallowing hibernation. Signed-off-by: David Howells Acked-by: James Morris --- include/linux/kernel.h | 17 ++++++++++++ include/linux/security.h | 9 +++++- security/Kconfig | 15 ++++++++++ security/Makefile | 3 ++ security/lock_down.c | 59 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 security/lock_down.c diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 8f0e68e250a7..833bf32ce4e6 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -340,6 +340,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) { } #endif +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern bool __kernel_is_locked_down(const char *what, bool first); +#else +static inline bool __kernel_is_locked_down(const char *what, bool first) +{ + return false; +} +#endif + +#define kernel_is_locked_down(what) \ + ({ \ + static bool message_given; \ + bool locked_down = __kernel_is_locked_down(what, !message_given); \ + message_given = true; \ + locked_down; \ + }) + /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h index dbfb5a66babb..35f0be540e0b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1793,5 +1793,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_BPF_SYSCALL */ -#endif /* ! __LINUX_SECURITY_H */ +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern void __init init_lockdown(void); +#else +static inline void __init init_lockdown(void) +{ +} +#endif +#endif /* ! __LINUX_SECURITY_H */ diff --git a/security/Kconfig b/security/Kconfig index e4fe2f3c2c65..c2aff0006de2 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help + Allow the kernel to be locked down. If lockdown support is enabled + and activated, the kernel will impose additional restrictions + intended to prevent uid 0 from being able to modify the running + kernel. This may break userland applications that rely on low-level + access to hardware. + +config LOCK_DOWN_KERNEL_FORCE + bool "Enable kernel lockdown mode automatically" + depends on LOCK_DOWN_KERNEL + help + Enable the kernel lock down functionality automatically at boot. + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" diff --git a/security/Makefile b/security/Makefile index 4d2d3782ddef..507ac8c520ce 100644 --- a/security/Makefile +++ b/security/Makefile @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Allow the kernel to be locked down +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 index 000000000000..13a8228c1034 --- /dev/null +++ b/security/lock_down.c @@ -0,0 +1,59 @@ +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include + +static __ro_after_init bool kernel_locked_down; + +/* + * Put the kernel into lock-down mode. + */ +static void __init lock_kernel_down(const char *where) +{ + if (!kernel_locked_down) { + kernel_locked_down = true; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + } +} + +static int __init lockdown_param(char *ignored) +{ + lock_kernel_down("command line"); + return 0; +} + +early_param("lockdown", lockdown_param); + +/* + * Lock the kernel down from very early in the arch setup. This must happen + * prior to things like ACPI being initialised. + */ +void __init init_lockdown(void) +{ +#ifdef CONFIG_LOCK_DOWN_FORCE + lock_kernel_down("Kernel configuration"); +#endif +} + +/** + * kernel_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +bool __kernel_is_locked_down(const char *what, bool first) +{ + if (what && first && kernel_locked_down) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + what); + return kernel_locked_down; +} +EXPORT_SYMBOL(__kernel_is_locked_down);