From patchwork Fri Dec 9 19:57:42 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13070113
From: Kees Cook
To: Paul Moore
Cc: Kees Cook, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 1/4] LoadPin: Refactor read-only check into a helper
Date: Fri, 9 Dec 2022 11:57:42 -0800
Message-Id: <20221209195746.1366607-1-keescook@chromium.org>
In-Reply-To: <20221209195520.never.357-kees@kernel.org>
References: <20221209195520.never.357-kees@kernel.org>

In preparation for allowing mounts to shift when not enforced, move
read-only checking into a separate helper.

Cc: Paul Moore
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook
---
 security/loadpin/loadpin.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 110a5ab2b46b..ca0eff3ce9d0 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -72,28 +72,21 @@ static struct ctl_table loadpin_sysctl_table[] = { { } }; -/* - * This must be called after early kernel init, since then the rootdev - * is available. - */ -static void check_pinning_enforcement(struct super_block *mnt_sb) +static void report_writable(struct super_block *mnt_sb, bool writable) { - bool ro = false; - /* * If load pinning is not enforced via a read-only block * device, allow sysctl to change modes for testing. */ if (mnt_sb->s_bdev) { - ro = bdev_read_only(mnt_sb->s_bdev); pr_info("%pg (%u:%u): %s\n", mnt_sb->s_bdev, MAJOR(mnt_sb->s_bdev->bd_dev), MINOR(mnt_sb->s_bdev->bd_dev), - ro ? "read-only" : "writable"); + writable ? "writable" : "read-only"); } else pr_info("mnt_sb lacks block device, treating as: writable\n"); - if (!ro) { + if (writable) { if (!register_sysctl_paths(loadpin_sysctl_path, loadpin_sysctl_table)) pr_notice("sysctl registration failed!\n"); @@ -103,12 +96,26 @@ static void check_pinning_enforcement(struct super_block *mnt_sb) pr_info("load pinning engaged.\n"); } #else -static void check_pinning_enforcement(struct super_block *mnt_sb) +static void report_writable(struct super_block *mnt_sb, bool writable) { pr_info("load pinning engaged.\n"); } #endif +/* + * This must be called after early kernel init, since then the rootdev + * is available. + */ +static bool sb_is_writable(struct super_block *mnt_sb) +{ + bool writable = true; + + if (mnt_sb->s_bdev) + writable = !bdev_read_only(mnt_sb->s_bdev); + + return writable; +} + static void loadpin_sb_free_security(struct super_block *mnt_sb) { /* 
@@ -126,6 +133,7 @@ static int loadpin_check(struct file *file, enum kernel_read_file_id id) { struct super_block *load_root; const char *origin = kernel_read_file_id_str(id); + bool load_root_writable; /* If the file id is excluded, ignore the pinning. */ if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) && @@ -146,6 +154,7 @@ static int loadpin_check(struct file *file, enum kernel_read_file_id id) } load_root = file->f_path.mnt->mnt_sb; + load_root_writable = sb_is_writable(load_root); /* First loaded module/firmware defines the root for all others. */ spin_lock(&pinned_root_spinlock); @@ -162,7 +171,7 @@ static int loadpin_check(struct file *file, enum kernel_read_file_id id) * enforcing. This would be purely cosmetic. */ spin_unlock(&pinned_root_spinlock); - check_pinning_enforcement(pinned_root); + report_writable(pinned_root, load_root_writable); report_load(origin, file, "pinned"); } else { spin_unlock(&pinned_root_spinlock);
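Review bot: In the first hunk the renamed report_writable() still does more than report: when `writable` is true it registers loadpin_sysctl_table, which is what makes enforcement toggleable at runtime, so the new name under-describes a side effect that matters for security. Either pick a name that covers both actions or add a one-line comment above the function saying it also registers the sysctl, so that a reader of the later call site `report_writable(pinned_root, load_root_writable);` does not take it for a log-only helper.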
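Review bot: In the second hunk sb_is_writable() starts from `bool writable = true;` and only clears it when `mnt_sb->s_bdev` is set, so a superblock without a block device is classified as writable, the permissive direction. That matches the existing "mnt_sb lacks block device, treating as: writable" message in report_writable(), but the helper itself carries no comment on the default, and the commit message says it is preparation for further use of this check, presumably on paths that do not go through report_writable(). Suggest stating the default inline, e.g. `/* No block device: treat as writable (sysctl may toggle enforcement). */`, and confirming it is the intended policy for non-bdev filesystems.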
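Review bot: In the fourth hunk `load_root_writable = sb_is_writable(load_root);` now runs on every loadpin_check() call, before the pinned_root check, while the only consumer in this patch is the first-pin branch; that is one bdev_read_only() per kernel_read_file on top of the existing cost. Fine for a preparatory refactor if the follow-up patches use the value on the non-pinning paths as the commit message implies; otherwise move the assignment into the branch that uses it. Evaluating it outside spin_lock(&pinned_root_spinlock) is right either way, since it keeps the critical section minimal.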
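Review bot: In the last hunk the flag passed to report_writable() was computed from load_root, but it is reported against pinned_root. From the visible context (the "First loaded module/firmware defines the root for all others" comment and the `report_load(origin, file, "pinned");` that follows) this is the branch where the root has just been established from load_root, so the two are the same superblock, but the pairing reads as a mismatch. Passing load_root to report_writable(), or adding a short comment that pinned_root and load_root coincide at this point, would make the invariant explicit for later changes that let the root shift.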