From patchwork Tue Mar 26 18:27:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10871985 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 081EC1669 for ; Tue, 26 Mar 2019 18:30:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6F6628C46 for ; Tue, 26 Mar 2019 18:30:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D877628C53; Tue, 26 Mar 2019 18:30:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7962B28C46 for ; Tue, 26 Mar 2019 18:30:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732249AbfCZSa0 (ORCPT ); Tue, 26 Mar 2019 14:30:26 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:36123 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732592AbfCZS2G (ORCPT ); Tue, 26 Mar 2019 14:28:06 -0400 Received: by mail-vs1-f74.google.com with SMTP id l4so1796649vsq.3 for ; Tue, 26 Mar 2019 11:28:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=LW7lq5jkExR1NuLSqDh6tdSVxounhx+I412qfIcDAFY=; b=q/9vwQqeELW8VlIFBstln+nSZdV89CEKrwLeAoPYLE0WmwDflbjM9zmZfkKzmVHUCm BRnYfeAzcXfVP3XdbekpJi4zOfVDDYynZcWlYJti/6+3PxXoHiybysEqPwNAyOwkVt5z 6L1AOH9G3bHZuwcCpB3xab+jt0vlMwC1dvuwiaHH84kZPIiYvnVXeABd6keKeimDoNiQ UxsPfKdmLHQpyQPhNC7Sa2RQjxS3K2H2JEzrv6rj/nis1F03CbK2WTnLlqiaDqM6GC0e cx56GL8Ws9KW2dbhz2y9dpGYjqfK4CjEmLkgl8xLX7USn7CY0pmxMYV1pgX6tmm3D3dT gMFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=LW7lq5jkExR1NuLSqDh6tdSVxounhx+I412qfIcDAFY=; b=tdRC0cOP3olZ3Z6Tcovgf0C2kWYviMeYWJxClmzVZO+l9VZ4mivqDAAc6MoPWbHEQW RX6OnemxZuXh4+sMfCSC8LFqAg2yJRyExh89oMtPu4OnHdaaptWM93J2M77E1bNGd417 TlSA/OjJ5c49lUkzdC3ziWZY1rr3IV4MyUE1zlaNV3DJqjc7yEPTrgSh3+iVnSa2UAgR coqhNpXA7dxwARE8n78rAdL0eM2FngUh41EhPY6YVqOEyXu2CLnop9BREEFjffUS52jX wyXxLqdslJ7gbHc4qNR9GfuuWoiWNJzUnDgN56PPGO0t/B+kwozkfczzeCahkBBhXyhA ti4Q== X-Gm-Message-State: APjAAAXXDLSmvWcfTW5Ni9evJuOQl+NL/CKMUuZGQgddxe+5dQlkELgI 10r2xAc7y8vVE12R4crjx+/hbfEe0UH1Z8eC8a7Rgw== X-Google-Smtp-Source: APXvYqyA91v3/8afrN3palsHlyZwOfxxJU/6gpXp8Dz1dELvFCw4kA9b2STRODD028ObSqqbRbJywu9/c/Poz5yc+WFrRA== X-Received: by 2002:a1f:a18e:: with SMTP id k136mr7884472vke.88.1553624885547; Tue, 26 Mar 2019 11:28:05 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:20 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-5-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 04/25] kexec_load: Disable at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Dave Young , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Dave Young cc: kexec@lists.infradead.org --- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..57047acc9a36 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images", + LOCKDOWN_INTEGRITY)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions.