From patchwork Thu Feb 28 23:12:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10834245 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 00BB3139A for ; Thu, 28 Feb 2019 23:13:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E3CE42FC45 for ; Thu, 28 Feb 2019 23:13:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D55BB2FC41; Thu, 28 Feb 2019 23:13:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 408292FC41 for ; Thu, 28 Feb 2019 23:13:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727866AbfB1XNQ (ORCPT ); Thu, 28 Feb 2019 18:13:16 -0500 Received: from mail-vk1-f202.google.com ([209.85.221.202]:43409 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727918AbfB1XNN (ORCPT ); Thu, 28 Feb 2019 18:13:13 -0500 Received: by mail-vk1-f202.google.com with SMTP id 200so11251788vkc.10 for ; Thu, 28 Feb 2019 15:13:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=7QkbDbP+GRZ/V9Qo/5i0BV7SDpKyUCe2HSzEnDWi3YA=; b=coFq3/fIru9D6Fig7A/JpcQ1gRCvDXvV1SBzoJ08Z7pUVNaE/eg97pPE6fy1/JmyaI une17srv6r+snGUw8Ii/fNqHmagi4YGZ7HT3Z1hA4qnCBmmVyMwOI//oCicaSoVc4OpK ahc06gBt8NOW012Fc9rwysWvOCab0uL4MTdqPqv2vuLmis0g493iN2nuNkCCcMPxhy2I 77C/Xm0vPGh0CVF1j+FLUg665yibqiPGjQmhSUuR3vSLBnAsZStSQeX0FPQshIlWKGXU BW0E0QxWhLWjHWjl+Bk2Ew+6t4xcUxxX+rSClIIB2Vnd9sj8hE7qcGbsQJy8feQHQEsn 8zKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=7QkbDbP+GRZ/V9Qo/5i0BV7SDpKyUCe2HSzEnDWi3YA=; b=tGECsK7tvqfdBvMiQhBynWH+YmSr6PW6uPCjPxi9Od5Z8BSoZY8Ppm4ZRZFoTl9Gr1 w9vrGQWBW0EOhMIwz4V9BCyOe0kpxijQFWx2XlhZRfd0taIJzV09RpELkd2emDfVDQNt lRnZlUsThaTIKNUmqSZ2i1kNqU7lWgIwnXhQCsf4eJoMM1NJRixShixpuoDIcSBOyLoA MU8hixSStzcjTzQZSQyk4SvzihYojnobGxNvWbVGviF/To8PYIqpe/dgQvP1YppQYP2Y /l9CZy1HrIRkUGYZR1PXZ9sDWHVLTbxh/7zUQgqX655rf+MJTEKy6huDVqUQbjINZPYL EqXA== X-Gm-Message-State: APjAAAVxdQMOKnRZScfSM7wlVQ6CK8a+p8orUmoeoD7PQ71wdPvfLUeh l0Ct1G1cB+DeLvbVtmolKLs0Mm66MITcdX6L5OLZeg== X-Google-Smtp-Source: APXvYqwoa8hsrMMot9xkDTWUoyKrMlyMNXznKcqu7n3bNohP78Ohocl5H3wIGl3IDf6D+hL1mUASf3iT/ogmJGVfMwpYjg== X-Received: by 2002:a9f:35c4:: with SMTP id u4mr1142458uad.23.1551395592133; Thu, 28 Feb 2019 15:13:12 -0800 (PST) Date: Thu, 28 Feb 2019 15:12:02 -0800 In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com> Message-Id: <20190228231203.212359-26-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190228231203.212359-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made: (1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that). (2) When the kernel is locked down, only files with the following criteria are permitted to be opened: - The file must have mode 00444 - The file must not have ioctl methods - The file must not have mmap (3) When the kernel is locked down, files may only be opened for reading. Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs. Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver. I would actually prefer to lock down all files by default and have the the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables). Signed-off-by: David Howells cc: Andy Shevchenko cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner --- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..c33042c1eff3 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return kernel_is_locked_down("debugfs"); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 29c68c5d44d5..3a62dbfd3840 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && + kernel_is_locked_down("debugfs")) + return -EPERM; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -516,7 +542,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ @@ -611,7 +637,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry);