From patchwork Thu Apr 4 00:32:23 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884701
Date: Wed, 3 Apr 2019 17:32:23 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-2-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 01/27] Add the ability to lock down access to the running kernel image
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett
From: David Howells Provide a single call to allow kernel code to determine whether the system should be locked down, thereby disallowing various accesses that might allow the running kernel image to be changed including the loading of modules that aren't validly signed with a key we recognise, fiddling with MSR registers and disallowing hibernation. Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- Documentation/ABI/testing/lockdown | 19 +++ .../admin-guide/kernel-parameters.txt | 9 ++ Documentation/admin-guide/lockdown.rst | 60 +++++++ include/linux/kernel.h | 28 ++++ include/linux/security.h | 9 +- init/main.c | 1 + security/Kconfig | 39 +++++ security/Makefile | 3 + security/lock_down.c | 147 ++++++++++++++++++ 9 files changed, 314 insertions(+), 1 deletion(-) create mode 100644 Documentation/ABI/testing/lockdown create mode 100644 Documentation/admin-guide/lockdown.rst create mode 100644 security/lock_down.c diff --git a/Documentation/ABI/testing/lockdown b/Documentation/ABI/testing/lockdown new file mode 100644 index 000000000000..5bd51e20917a --- /dev/null +++ b/Documentation/ABI/testing/lockdown @@ -0,0 +1,19 @@ +What: security/lockdown +Date: March 2019 +Contact: Matthew Garrett +Description: + If CONFIG_LOCK_DOWN_KERNEL is enabled, the kernel can be + moved to a more locked down state at runtime by writing to + this attribute. Valid values are: + + integrity: + The kernel will disable functionality that allows + userland to modify the running kernel image, other + than through the loading or execution of appropriately + signed objects. + + confidentiality: + The kernel will disable all functionality disabled by + the integrity mode, but additionally will disable + features that potentially permit userland to obtain + confidential information stored within the kernel. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 91c0251fdb86..594d268d92ba 100644 
--- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2213,6 +2213,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/Documentation/admin-guide/lockdown.rst b/Documentation/admin-guide/lockdown.rst new file mode 100644 index 000000000000..d05dcedd20d1 --- /dev/null +++ b/Documentation/admin-guide/lockdown.rst 
@@ -0,0 +1,60 @@ +Kernel lockdown functionality +----------------------------- + +.. CONTENTS +.. +.. - Overview. +.. - Enabling Lockdown. + +======== +Overview +======== + +Traditionally Linux systems have been run with the presumption that a +process running with full capabilities is effectively equivalent in +privilege to the kernel itself. The lockdown feature attempts to draw +a stronger boundary between privileged processes and the kernel, +increasing the level of trust that can be placed in the kernel even in +the face of hostile processes. + +Lockdown can be run in two modes - integrity and confidentiality. In +integrity mode, kernel features that allow arbitrary modification of +the running kernel image are disabled. Confidentiality mode behaves in +the same way as integrity mode, but also blocks features that +potentially allow a hostile userland process to extract secret +information from the kernel. + +Note that lockdown depends upon the correct behaviour of the +kernel. Exploitable vulnerabilities in the kernel may still permit +arbitrary modification of the kernel or make it possible to disable +lockdown features. + +================= +Enabling Lockdown +================= + +Lockdown can be enabled in multiple ways. + +Kernel configuration +==================== + +The kernel can be statically configured by setting either +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY or +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY. A kernel configured +with CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY may be booted into +confidentiality mode using one of the other mechanisms, but otherwise +the kernel will always boot into the configured mode. + +Kernel command line +=================== + +Passing lockdown=integrity or lockdown=confidentiality on the kernel +command line will configure lockdown into the appropriate mode. + +Runtime configuration +===================== + +/sys/kernel/security/lockdown will indicate the current lockdown +state. 
The system state may be made stricter by writing either +"integrity" or "confidentiality" into this file, but any attempts to +make it less strict will fail. diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 8f0e68e250a7..30cf695719d5 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -340,6 +340,34 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) { } #endif +enum lockdown_level { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY, + LOCKDOWN_CONFIDENTIALITY, + LOCKDOWN_MAX, +}; + +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern bool __kernel_is_locked_down(const char *what, + enum lockdown_level level, + bool first); +#else +static inline bool __kernel_is_locked_down(const char *what, + enum lockdown_level level, + bool first) +{ + return false; +} +#endif + +#define kernel_is_locked_down(what, level) \ + ({ \ + static bool message_given; \ + bool locked_down = __kernel_is_locked_down(what, level, !message_given); \ + message_given = true; \ + locked_down; \ + }) + /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h index 13537a49ae97..b290946341a4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1798,5 +1798,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_BPF_SYSCALL */ -#endif /* ! __LINUX_SECURITY_H */ +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern void __init init_lockdown(void); +#else +static inline void __init init_lockdown(void) +{ +} +#endif +#endif /* ! __LINUX_SECURITY_H */ diff --git a/init/main.c b/init/main.c index e2e80ca3165a..4c6cca9681c7 100644 --- a/init/main.c +++ b/init/main.c 
@@ -555,6 +555,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + init_lockdown(); setup_arch(&command_line); /* * Set up the the initial canary and entropy after arch diff --git a/security/Kconfig b/security/Kconfig index 1d6463fb1450..593ff231eac6 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -229,6 +229,45 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help + Allow the kernel to be locked down. If lockdown support is enabled + and activated, the kernel will impose additional restrictions + intended to prevent uid 0 from being able to modify the running + kernel. This may break userland applications that rely on low-level + access to hardware. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on LOCK_DOWN_KERNEL + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" diff --git a/security/Makefile b/security/Makefile index c598b904938f..5ff090149c88 100644 
--- a/security/Makefile +++ b/security/Makefile @@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Allow the kernel to be locked down +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 index 000000000000..9913fff09ad0 --- /dev/null +++ b/security/lock_down.c 
@@ -0,0 +1,147 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include + +static enum lockdown_level kernel_locked_down; + +char *lockdown_levels[LOCKDOWN_MAX] = {"none", "integrity", "confidentiality"}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_level level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/* + * This must be called before arch setup code in order to ensure that the + * appropriate default can be applied without being overridden by the command + * line option. 
+ */ +void __init init_lockdown(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY); +#endif +} + +/** + * kernel_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +bool __kernel_is_locked_down(const char *what, enum lockdown_level level, + bool first) +{ + if ((kernel_locked_down >= level) && what && first) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + what); + return (kernel_locked_down >= level); +} +EXPORT_SYMBOL(__kernel_is_locked_down); + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset=0; + + for (i = LOCKDOWN_NONE; i < LOCKDOWN_MAX; i++) { + if (lockdown_levels[i]) { + const char *label = lockdown_levels[i]; + + if (kernel_locked_down == i) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = -EINVAL; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (len && state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < LOCKDOWN_MAX; i++) { + const char *label = lockdown_levels[i]; + + if (label && !strcmp(state, label)) + err = lock_kernel_down("securityfs", i); + } + + kfree(state); + return err ? 
err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); From patchwork Thu Apr 4 00:32:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884699 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A0140922 for ; Thu, 4 Apr 2019 00:35:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 89FB2285A6 for ; Thu, 4 Apr 2019 00:35:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7DFB52893D; Thu, 4 Apr 2019 00:35:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1798D285A6 for ; Thu, 4 Apr 2019 00:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727441AbfDDAfd (ORCPT ); Wed, 3 Apr 2019 20:35:33 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:40083 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726544AbfDDAdB (ORCPT ); Wed, 3 Apr 2019 20:33:01 -0400 Received: by mail-vs1-f74.google.com with SMTP id l6so64055vsl.7 for ; Wed, 03 Apr 2019 17:33:00 -0700 (PDT) 
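Review bot: in the include/linux/kernel.h hunk, the kernel_is_locked_down() macro sets `message_given = true` on the first evaluation at each call site even when __kernel_is_locked_down() returned false. A site first reached while the kernel is not locked down therefore never prints the "Lockdown: %s is restricted" notice once lockdown is raised later through /sys/kernel/security/lockdown, and a site that passes different `what` strings only ever logs the first one. Suggest `if (locked_down) message_given = true;` so the one-shot notice is consumed only when an access was actually refused.

Review bot: in the security/lock_down.c hunk, `lockdown_levels` is a writable, externally visible array with no prototype; it is only ever read, so declare it `static const char *const lockdown_levels[LOCKDOWN_MAX]`. In the same file lockdown_read() formats into a fixed `char temp[80]` with sprintf(); the three current labels fit, but `scnprintf(temp + offset, sizeof(temp) - offset, ...)` would keep that true if a level is ever added. lockdown_param() also discards the return value of lock_kernel_down(), so `lockdown=integrity` on a kernel built with CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is silently ignored; a pr_warn() there would make the refused downgrade visible at boot.

Review bot: in the init/main.c hunk, the reason init_lockdown() has to precede setup_arch() (the Kconfig default must be applied before the early parameter parser sees lockdown=, so that lock_kernel_down() can reject a less strict command-line value) is documented only in lock_down.c; a one-line comment at the call site would stop it being reordered by a later cleanup.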
Date: Wed, 3 Apr 2019 17:32:24 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-3-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 02/27] Enforce module signatures if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Jessica Yu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got. Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.] Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Jessica Yu --- kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..deea9d2763f8 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* 
@@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) From patchwork Thu Apr 4 00:32:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884693 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A7F10922 for ; Thu, 4 Apr 2019 00:35:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8B2F0262F2 for ; Thu, 4 Apr 2019 00:35:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7F79A2897F; Thu, 4 Apr 2019 00:35:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2CDE8285A6 for ; Thu, 4 Apr 2019 00:35:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726607AbfDDAdE (ORCPT ); Wed, 3 Apr 2019 20:33:04 -0400 Received: from mail-ot1-f73.google.com ([209.85.210.73]:38306 "EHLO mail-ot1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726600AbfDDAdC (ORCPT ); Wed, 3 Apr 2019 20:33:02 -0400 Received: by mail-ot1-f73.google.com with SMTP id u18so303943otq.5 for ; Wed, 03 Apr 2019 17:33:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=J/O8uCPgOG3C0ZxSZ9IB3rxgWx3qFX62jDUsj+e+998=; 
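Review bot: in the kernel/module.c hunk, the `decide:` label lives inside the `case -ENOKEY:` arm and is reached by `goto decide` from the -ENODATA and -ENOPKG arms; it works, but a reader scanning the switch can miss that -ENOKEY shares the path, and a label inside a case arm is easy to break in a later edit. A small static helper taking `reason` (enforced: notice and -EKEYREJECTED; locked down: -EPERM; otherwise 0), called from each of the three arms, would read more clearly. Note also that `kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)` is one expansion site with one static `message_given`, so only the first of the three reasons ever reaches the log; if the distinction between "unsigned module", "unsupported crypto" and "unavailable key" is worth three strings, the lockdown branch deserves its own pr_notice() as the enforced branch already has.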
Date: Wed, 3 Apr 2019 17:32:25 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-4-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 03/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , x86@kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: x86@kernel.org
--- drivers/char/mem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..67b85939b1bd 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port", LOCKDOWN_INTEGRITY)) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } From patchwork Thu Apr 4 00:32:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884633 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9B88517E0 for ; Thu, 4 Apr 2019 00:33:10 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 83A0128913 for ; Thu, 4 Apr 2019 00:33:10 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 781842893D; Thu, 4 Apr 2019 00:33:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 06DB828913 for ; Thu, 4 Apr 2019 00:33:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726628AbfDDAdG (ORCPT ); Wed, 3 Apr 2019 20:33:06 -0400 Received: from mail-yw1-f73.google.com ([209.85.161.73]:34260 "EHLO mail-yw1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726630AbfDDAdF (ORCPT ); Wed, 3 Apr 2019 20:33:05 -0400 Received: by mail-yw1-f73.google.com with SMTP id x66so769801ywx.1 for ; Wed, 03 Apr 2019 17:33:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
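Review bot: in the drivers/char/mem.c hunk, the lockdown check guards open_port() only, so descriptors on /dev/mem, /dev/kmem or /dev/port that were opened before lockdown was raised at runtime through /sys/kernel/security/lockdown keep working; the commit message should say that the restriction is applied at open time and that the runtime transition does not revoke existing descriptors. Placing the lockdown test before `capable(CAP_SYS_RAWIO)` also means an unprivileged open attempt consumes the one-shot "Lockdown: /dev/mem,kmem,port is restricted" notice rather than getting a plain -EPERM; checking capable() first keeps the notice for an open that would otherwise have succeeded.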
Date: Wed, 3 Apr 2019 17:32:26 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-5-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 04/27] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Dave Young , kexec@lists.infradead.org

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Dave Young
cc: kexec@lists.infradead.org
--- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..57047acc9a36 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c
@@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images", + LOCKDOWN_INTEGRITY)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. From patchwork Thu Apr 4 00:32:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884695 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 53A99922 for ; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3C908262F2 for ; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 30E59289AF; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D0424285A6 for ; Thu, 4 Apr 2019 00:35:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726670AbfDDAfY (ORCPT ); Wed, 3 Apr 2019 20:35:24 -0400 Received: from mail-oi1-f202.google.com ([209.85.167.202]:45374 "EHLO mail-oi1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726602AbfDDAdH (ORCPT ); Wed, 3 Apr 2019 20:33:07 -0400 Received: by mail-oi1-f202.google.com with SMTP id v1so339348oif.12 for ; Wed, 03 Apr 
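Review bot: the reason string "kexec of unsigned images" understates what the new check in kexec_load_check() refuses. kexec_load() performs no signature verification at all, so under lockdown every image loaded through it is refused, signed or not, and the comment above the check ("kexec can be used to circumvent module loading restrictions") gives yet another rationale. Suggest a reason such as "kexec_load() of unverified images" and a comment sentence pointing at kexec_file_load() as the signature-checking alternative, which the commit message says remains available.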
Date: Wed, 3 Apr 2019 17:32:27 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-6-matthewgarrett@google.com>
Subject: [PATCH V32 05/27] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Dave Young, Matthew Garrett, kexec@lists.infradead.org

From: Dave Young

A kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot.

Adding a patch to fix this by retaining the secure_boot flag from the original kernel.

The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fix this issue by copying the secure_boot flag across the kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: kexec@lists.infradead.org
---
 arch/x86/kernel/kexec-bzimage64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 278cd07228dd..d49554b948fd 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; From patchwork Thu Apr 4 00:32:28 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884697 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F20AB1800 for ; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB004285A6 for ; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CF5BF2873F; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F2C12897F for ; Thu, 4 Apr 2019 00:35:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726206AbfDDAfY (ORCPT ); Wed, 3 Apr 2019 20:35:24 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:48566 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726670AbfDDAdL (ORCPT ); Wed, 3 Apr 2019 20:33:11 -0400 Received: by mail-vk1-f201.google.com with SMTP id l85so431567vke.15 for ; Wed, 03 Apr 2019 17:33:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; 
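Review bot: the new `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early return in setup_efi_state(), so on a system booted with the old EFI memmap the flag is never copied and the kexec'd kernel comes up believing secure boot is off, which is exactly the gap the commit message describes. Unless that configuration is deliberately excluded, move the assignment above the early return (or into the caller), since propagating the flag does not depend on the EFI memmap mode.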
Date: Wed, 3 Apr 2019 17:32:28 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-7-matthewgarrett@google.com>
Subject: [PATCH V32 06/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Jiri Bohac, Matthew Garrett, kexec@lists.infradead.org

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:

 (1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors.

 (2) kexec fails with EKEYREJECTED and logs an appropriate message if signature checking is enforced and a signature is not found, uses unsupported crypto or has no matching key.

 (3) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but the signature doesn't match - even if in non-forcing mode.

 (4) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode.

 (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode.
]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac cc: kexec@lists.infradead.org --- arch/x86/Kconfig | 20 ++++++++--- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 48 ++++++++++++++++++++++---- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 4b4a7f32b68e..735d04a4b18f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2016,20 +2016,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c 
@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, @@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..67f3a866eabe 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
@@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + ret = -EKEYREJECTED; + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf, From patchwork Thu Apr 4 00:32:29 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884691 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 40DFB1800 for ; Thu, 4 Apr 2019 00:35:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 28BA42893D for ; Thu, 4 Apr 2019 00:35:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1D161289AF; Thu, 4 Apr 2019 00:35:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AD7F12893D for ; Thu, 4 Apr 2019 00:35:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726310AbfDDAfQ (ORCPT ); Wed, 3 Apr 2019 20:35:16 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:50751 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726725AbfDDAdN (ORCPT ); Wed, 3 Apr 2019 20:33:13 -0400 Received: by mail-vk1-f202.google.com with SMTP id k78so426786vkk.17 for ; Wed, 03 Apr 2019 17:33:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
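Review bot: the KEXEC_SIG_FORCE help text in the arch/x86/Kconfig hunk ("makes kernel signature verification mandatory") does not say what counts as failing. Per the kernel/kexec_file.c hunk, an image with no signature (-ENODATA), with unsupported crypto (-ENOPKG) or whose key is not in the keyring (-ENOKEY) is rejected with -EKEYREJECTED when the option is set, so a signed image whose key is absent is treated the same as an unsigned one; spelling those three cases out in the help text would let a user choosing the option know that.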
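Review bot: changing the unsigned-PE return in pefile_parse_binary() from -EKEYREJECTED to -ENODATA alters the contract of verify_pefile_signature() for every caller, while the diffstat shows only the kexec path being updated; either state in the commit message that the other callers were audited, or at least note in the updated header comment (second hunk of crypto/asymmetric_keys/verify_pefile.c) that "no signature" is now distinguishable from "signature did not match" so callers can opt in to the distinction.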
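Review bot: in the @@ -207,15 +208,48 @@ hunk of kernel/kexec_file.c, the comment "Certain verification errors are non-fatal if we're not checking errors, provided we aren't mandating that there must be a valid signature" contradicts itself (the errors are being checked); say instead that -ENODATA, -ENOPKG and -ENOKEY are tolerated unless CONFIG_KEXEC_SIG_FORCE is set. The `goto decide` into the body of `case -ENOKEY:` is legal but hard to follow; assigning `reason` in each case and falling through to one shared check, or moving the decision into a small helper that takes `ret`, would read more plainly. The `#else ret = -ENODATA; #endif` branch also means a kernel built without KEXEC_SIG now routes every image through the "kexec of unsigned image" case, which is the hook the next patch relies on and deserves a sentence in the commit message.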
Date: Wed, 3 Apr 2019 17:32:29 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-8-matthewgarrett@google.com>
Subject: [PATCH V32 07/27] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Jiri Bohac, Matthew Garrett, kexec@lists.infradead.org

From: Jiri Bohac

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
cc: kexec@lists.infradead.org
---
 kernel/kexec_file.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 67f3a866eabe..a1cc37c8b43b 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable From patchwork Thu Apr 4 00:32:30 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884689 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9CE35922 for ; Thu, 4 Apr 2019 00:35:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8DA142893D for ; Thu, 4 Apr 2019 00:35:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8186D289AF; Thu, 4 Apr 2019 00:35:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 303FC2893D for ; Thu, 4 Apr 2019 00:35:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726791AbfDDAdR (ORCPT ); Wed, 3 Apr 2019 20:33:17 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:37160 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726783AbfDDAdQ (ORCPT ); Wed, 3 Apr 2019 20:33:16 -0400 Received: by mail-vk1-f202.google.com with SMTP id y19so443039vky.4 for ; Wed, 03 Apr 2019 17:33:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
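Review bot: the commit message ("the kernel should not load images through the kexec_file system call if the kernel is locked down") reads as unconditional, but the check is placed inside the `decide:` block after `ret = 0;`, so it only fires for the unsigned, unsupported-crypto and unavailable-key outcomes; an image with a valid signature is still accepted under lockdown, and with KEXEC_SIG disabled every image takes this path because the previous patch sets `ret = -ENODATA` there. Saying so explicitly would spare reviewers reading both patches together, and it documents that the `reason` handed to kernel_is_locked_down() is the one from the preceding switch case.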
Date: Wed, 3 Apr 2019 17:32:30 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-9-matthewgarrett@google.com>
Subject: [PATCH V32 08/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer, Matthew Garrett, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
---
 kernel/power/hibernate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..928b198cfa26 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation", + LOCKDOWN_INTEGRITY); } /** From patchwork Thu Apr 4 00:32:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884637 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C6F8A17E1 for ; Thu, 4 Apr 2019 00:33:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B1FED28913 for ; Thu, 4 Apr 2019 00:33:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A618B2893D; Thu, 4 Apr 2019 00:33:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4EFB828913 for ; Thu, 4 Apr 2019 00:33:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726833AbfDDAdT (ORCPT ); Wed, 3 Apr 2019 20:33:19 -0400 Received: from mail-ot1-f74.google.com ([209.85.210.74]:38307 "EHLO mail-ot1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726797AbfDDAdS (ORCPT ); Wed, 3 Apr 2019 20:33:18 -0400 Received: by mail-ot1-f74.google.com with SMTP id u18so304160otq.5 for ; Wed, 03 Apr 2019 17:33:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
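Review bot: hibernation_available() is a predicate rather than a point of refusal, and it is evaluated by more than one caller (snapshot_open() in kernel/power/user.c tests it, as the next patch's context shows), so folding kernel_is_locked_down() into it runs the lockdown reporting path on every query while locked down instead of once where an error is actually returned; if kernel_is_locked_down() reports each call, consider checking lockdown in the callers that return -EPERM. The reason string "Hibernation" is also a bare capitalised noun, unlike "kexec of unsigned images" or "/dev/snapshot" elsewhere in the series; one style would help whoever reads the resulting messages.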
Date: Wed, 3 Apr 2019 17:32:31 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-10-matthewgarrett@google.com>
Subject: [PATCH V32 09/27] uswsusp: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, linux-pm@vger.kernel.org, pavel@ucw.cz, rjw@rjwysocki.net

From: Matthew Garrett

uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux-pm@vger.kernel.org
Cc: pavel@ucw.cz
Cc: rjw@rjwysocki.net
---
 kernel/power/user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/power/user.c b/kernel/power/user.c
index 2d8b60a3c86b..99e13fd13237 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down("/dev/snapshot", LOCKDOWN_INTEGRITY)) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { From patchwork Thu Apr 4 00:32:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884683 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 83B8A17E1 for ; Thu, 4 Apr 2019 00:35:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 68009285A6 for ; Thu, 4 Apr 2019 00:35:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5C6E428A05; Thu, 4 Apr 2019 00:35:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 12D09285A6 for ; Thu, 4 Apr 2019 00:35:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726864AbfDDAdW (ORCPT ); Wed, 3 Apr 2019 20:33:22 -0400 Received: from mail-oi1-f201.google.com ([209.85.167.201]:33192 "EHLO mail-oi1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726849AbfDDAdV (ORCPT ); Wed, 3 Apr 2019 20:33:21 -0400 Received: by mail-oi1-f201.google.com with SMTP id d63so355294oig.0 for ; Wed, 03 Apr 2019 17:33:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
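Review bot: the new `kernel_is_locked_down("/dev/snapshot", LOCKDOWN_INTEGRITY)` check in snapshot_open() is unreachable as placed: the line just above it, `if (!hibernation_available()) return -EPERM;`, already returns when the kernel is locked down, because the previous patch made hibernation_available() include the same LOCKDOWN_INTEGRITY test. Either drop this hunk and rely on hibernation_available(), or put the /dev/snapshot check first if the intent is to report the more specific reason.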

X-Patchwork-Id: 10884683
Date: Wed, 3 Apr 2019 17:32:32 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-11-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 10/27] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, Bjorn Helgaas, linux-pci@vger.kernel.org

From: Matthew Garrett

Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing.

Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Bjorn Helgaas
cc: linux-pci@vger.kernel.org
---
 drivers/pci/pci-sysfs.c | 9 +++++++++
 drivers/pci/proc.c | 9 ++++++++-
 drivers/pci/syscall.c | 3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9ecfe13157c0..59d02088945e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL;
@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..85769f222b6d 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..0669cb09e792 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c 
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn);
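Review bot: in the proc_bus_pci_ioctl() hunk the lockdown check is placed ahead of the switch, so it also rejects PCIIOC_CONTROLLER, which the visible `case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus);` shows to be a read-only query that touches no device memory. If the intent is to stop the mmap-setup ioctls, move the check into those cases; otherwise the commit message should state that every /proc/bus/pci ioctl is refused under lockdown, since a reader of the "BAR access" subject would not expect the domain-number query to fail.

Review bot: the pciconfig_write and proc_bus_pci_mmap() hunks fold the lockdown test into the existing capable() condition with `||`, while the sysfs and proc write hunks add it as a separate statement before any other validation; both orderings give the same -EPERM, but a one-line comment or commit-message sentence explaining that the combined form is deliberate (no extra statement where a capability gate already exists) would save the next reader from wondering. On the same theme, `kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)` is now spelled out seven times across the three files; a small static helper would keep the reason string identical if it is ever reworded.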

X-Patchwork-Id: 10884681
Date: Wed, 3 Apr 2019 17:32:33 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-12-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 11/27] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, x86@kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: x86@kernel.org
Reviewed-by: Thomas Gleixner
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..febbd7eb847c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm", LOCKDOWN_INTEGRITY))) return -EPERM; /*
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl", LOCKDOWN_INTEGRITY)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
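Review bot: both hunks gate only the privilege-raising direction: ksys_ioperm() evaluates the lockdown test only under `turn_on`, and iopl() only inside `if (level > old)`, so a task can still drop IO permissions it already holds after the kernel is locked down, and a task that obtained IOPL before lockdown keeps it. That is the right behaviour for an integrity lock, but the commit message should say so explicitly, particularly because it lists the KDADDIO/KDDELIO/KDENABIO/KDDISABIO console ioctls as implicitly covered and a reader may assume the disabling ioctls are refused as well. The two different reason strings ("ioperm" and "iopl") are a good choice since they tell an operator which entry point was hit.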

X-Patchwork-Id: 10884679
Date: Wed, 3 Apr 2019 17:32:34 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-13-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 12/27] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, Kees Cook, Thomas Gleixner, x86@kernel.org

From: Matthew Garrett

Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode.

Based on a patch by Kees Cook.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Kees Cook
Reviewed-by: Thomas Gleixner
cc: x86@kernel.org
---
 arch/x86/kernel/msr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..731be1be52b6 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (count % 8) return -EINVAL; /* Invalid chunk size */
@@ -135,6 +138,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access", + LOCKDOWN_INTEGRITY)) { + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break;
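Review bot: in the msr_ioctl() hunk the lockdown check is inserted after the block that can already fail with -EFAULT, i.e. after the caller's register block has been copied in, and only immediately before wrmsr_safe_regs_on_cpu(). Hoisting it to the top of that ioctl case, before any user data is read, avoids doing the copy for a request that will be refused anyway and mirrors the msr_write() hunk, where the check precedes the `count % 8` validation. The patch also leaves MSR reads untouched, which is consistent with LOCKDOWN_INTEGRITY (reads cannot alter kernel state) but is worth one line in the commit message so nobody reads "Restrict MSR access" as covering rdmsr.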

X-Patchwork-Id: 10884641
Date: Wed, 3 Apr 2019 17:32:35 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-14-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 13/27] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, linux-acpi@vger.kernel.org

From: Matthew Garrett

custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/custom_method.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 4451877f83b6..37de3cd84493 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (kernel_is_locked_down("ACPI custom methods", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header))

X-Patchwork-Id: 10884677
Date: Wed, 3 Apr 2019 17:32:36 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-15-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 14/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer, Matthew Garrett, Dave Young, linux-acpi@vger.kernel.org

From: Josh Boyer

This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: Dave Young
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/osl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..cd5bba7b8eb3 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c
@@ -194,7 +194,8 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification", + LOCKDOWN_INTEGRITY)) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer();
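Review bot: the hunk makes acpi_os_get_root_pointer() fall through to acpi_arch_get_root_pointer() when acpi_rsdp is set under lockdown, so the parameter is silently ignored rather than rejected, whereas the commit message says "Reject the option" (the subject line, "Ignore acpi_rsdp", has it right). Either align the message wording, or add a pr_notice() in the style of the ACPI table-override patch later in this series so that an operator who passed acpi_rsdp= can see why it had no effect. Since the function is __init, the check also depends on the lockdown state being established before ACPI root-pointer discovery runs; a sentence confirming that ordering would help reviewers.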

X-Patchwork-Id: 10884673
Date: Wed, 3 Apr 2019 17:32:37 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-16-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 15/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Linn Crosetto, Matthew Garrett, linux-acpi@vger.kernel.org

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one.

When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..0dc561210c86 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c
@@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override", LOCKDOWN_INTEGRITY)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE);
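Review bot: this hunk emits its own pr_notice() in addition to calling kernel_is_locked_down(), while every other hunk in this series relies on kernel_is_locked_down() alone, so the table-override refusal will be reported differently from the rest. Either drop the extra pr_notice() for consistency, or keep it and say in the commit message why a separate boot-time notice is wanted here (the check lives in __init code and otherwise returns silently, leaving no trace that an initrd-supplied table was discarded). Placing the check after the `table_nr == 0` early return is good: nothing is logged unless an override table was actually present in the initrd.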

X-Patchwork-Id: 10884669
Date: Wed, 3 Apr 2019 17:32:38 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-17-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 16/27] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Dominik Brodowski , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- drivers/pcmcia/cistpl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..9e23300a55e5 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c 
@@ -1578,6 +1578,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + if (kernel_is_locked_down("Direct PCMCIA CIS storage", + LOCKDOWN_INTEGRITY)) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) From patchwork Thu Apr 4 00:32:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884643 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6B53417E0 for ; Thu, 4 Apr 2019 00:33:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5582628913 for ; Thu, 4 Apr 2019 00:33:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4912B2893D; Thu, 4 Apr 2019 00:33:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E5D3F28913 for ; Thu, 4 Apr 2019 00:33:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727259AbfDDAdl (ORCPT ); Wed, 3 Apr 2019 20:33:41 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:45548 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727354AbfDDAdk (ORCPT ); Wed, 3 Apr 2019 20:33:40 -0400 Received: by mail-pf1-f202.google.com with SMTP id u78so514778pfa.12 for ; Wed, 03 Apr 2019 17:33:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
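Review bot: the new check in pccard_store_cis() returns -EPERM before the socket lookup, which is the right place, but the commit message never says which interface is being closed; since this is the sysfs store handler for the CIS, stating that (and that writes now fail with EPERM in integrity mode) would help anyone chasing a regression in PCMCIA tooling. Also note this is the only hunk in the series that wraps the kernel_is_locked_down() call across two lines, while the TIOCSSERIAL hunk keeps a much longer call on one line; pick one convention for the series.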
Date: Wed, 3 Apr 2019 17:32:39 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-18-matthewgarrett@google.com>
Subject: [PATCH V32 17/27] Lock down TIOCSSERIAL
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Greg Kroah-Hartman , Matthew Garrett , Jiri Slaby , linux-serial@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: Jiri Slaby Cc: linux-serial@vger.kernel.org --- drivers/tty/serial/serial_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index d4cca5bdaf1c..65b67f0d4386 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c 
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels", LOCKDOWN_INTEGRITY)) { + retval = -EPERM; + goto exit; + } + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || From patchwork Thu Apr 4 00:32:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884667 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 19B2417E1 for ; Thu, 4 Apr 2019 00:34:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 02EE2285A6 for ; Thu, 4 Apr 2019 00:34:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EB9EA28705; Thu, 4 Apr 2019 00:34:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4FF3D285A6 for ; Thu, 4 Apr 2019 00:34:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727525AbfDDAdn (ORCPT ); Wed, 3 Apr 2019 20:33:43 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:37694 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727354AbfDDAdm (ORCPT ); Wed, 3 Apr 2019 20:33:42 -0400 Received: by mail-pl1-f201.google.com 
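Review bot: the reason string says "device addresses, irqs and dma channels" but the guard only fires on `(change_port || change_irq)`; either add the DMA condition the string promises or shorten the string to what is actually checked, otherwise the lockdown reason reported to users is misleading. The same line also runs well past 80 columns; wrapping the call as the cistpl.c hunk does would keep checkpatch quiet. Placing the check ahead of the capable(CAP_SYS_ADMIN) test is consistent with the /proc/kcore hunk, which also tests lockdown before the capability.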
Date: Wed, 3 Apr 2019 17:32:40 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-19-matthewgarrett@google.com>
Subject: [PATCH V32 18/27] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alan Cox , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..da1297f7cc26 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels", LOCKDOWN_INTEGRITY)) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } 
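Review bot: param_check_unsafe() gains a `doing` argument but the body shown never uses it; the reason passed to kernel_is_locked_down() is a fixed string. Either drop the parameter (and the mod_name() plumbing in param_attr_store() that exists only to feed it) or use it, for instance in a pr_notice naming the parameter and the module whose value was refused, so the EPERM is diagnosable from dmesg. Separately, the KERNEL_PARAM_FL_UNSAFE branch still calls add_taint() before the lockdown test, so a parameter that is both unsafe and a hardware parameter taints the kernel even though the value is then rejected; decide whether that taint is wanted, and if not, test lockdown first.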
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, 
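Review bot: the mod_name() macro is added without a comment; a one-liner saying that there is no struct module to name when CONFIG_MODULES is off (hence "unknown") would save the next reader a trip through the ifdef. Its only consumer, in param_attr_store(), supplies the `doing` argument of param_check_unsafe(), so if that argument stays unused the macro can go as well.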
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; From patchwork Thu Apr 4 00:32:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884665 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 548DE17E1 for ; Thu, 4 Apr 2019 00:34:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3DCA3285A6 for ; Thu, 4 Apr 2019 00:34:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3226A2872E; Thu, 4 Apr 2019 00:34:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 74CCB28613 for ; Thu, 4 Apr 2019 00:34:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726580AbfDDAem (ORCPT ); Wed, 3 Apr 2019 20:34:42 -0400 Received: from mail-it1-f201.google.com ([209.85.166.201]:37223 "EHLO mail-it1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727951AbfDDAdo (ORCPT ); Wed, 3 Apr 2019 20:33:44 -0400 Received: by mail-it1-f201.google.com with SMTP id q203so719860itb.2 for 
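Review bot: this hunk repeats the same four-line if/else as the parse_one() hunk. Having param_check_unsafe() return an int (0 or -EPERM) would let both callers collapse to `err = param_check_unsafe(...); if (!err) err = ...->set(...);` and keeps the refusal logic in one place if more flags are added later.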
Date: Wed, 3 Apr 2019 17:32:41 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-20-matthewgarrett@google.com>
Subject: [PATCH V32 19/27] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Thomas Gleixner , Matthew Garrett , Steven Rostedt , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy. Suggested-by: Thomas Gleixner Signed-off-by: David Howells cc: Thomas Gleixner cc: Steven Rostedt cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org Acked-by: Steven Rostedt (VMware) Reviewed-by: Thomas Gleixner --- arch/x86/mm/testmmiotrace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index f6ae6830b341..9e8ad665f354 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c 
@@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); From patchwork Thu Apr 4 00:32:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884645 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 29AA817E0 for ; Thu, 4 Apr 2019 00:33:51 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 138BA28936 for ; Thu, 4 Apr 2019 00:33:51 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 079C22897F; Thu, 4 Apr 2019 00:33:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9D4642893D for ; Thu, 4 Apr 2019 00:33:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728482AbfDDAdt (ORCPT ); Wed, 3 Apr 2019 20:33:49 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:42951 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727948AbfDDAdr (ORCPT ); Wed, 3 Apr 2019 20:33:47 -0400 Received: by mail-vk1-f201.google.com with SMTP id q135so442055vke.9 for ; Wed, 03 Apr 2019 17:33:47 -0700 (PDT) DKIM-Signature: 
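Review bot: init() now fails with a bare -EPERM under lockdown, whereas the existing code a few lines down is very loud about misuse (two pr_err calls); a pr_notice saying the module was refused because the kernel is locked down, as the acpi_table_upgrade hunk does, would make the failed insmod diagnosable. Placing the check before the mmio_address test is fine, since a locked-down kernel should refuse the module regardless of its arguments.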
Date: Wed, 3 Apr 2019 17:32:42 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-21-matthewgarrett@google.com>
Subject: [PATCH V32 20/27] Lock down /proc/kcore
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode. Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index bbcc185062bb..1c556a453569 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c 
@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; From patchwork Thu Apr 4 00:32:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884663 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 141C1922 for ; Thu, 4 Apr 2019 00:34:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EACB72871E for ; Thu, 4 Apr 2019 00:34:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DB87B28705; Thu, 4 Apr 2019 00:34:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EA9E728913 for ; Thu, 4 Apr 2019 00:34:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726316AbfDDAeb (ORCPT ); Wed, 3 Apr 2019 20:34:31 -0400 Received: from mail-pg1-f202.google.com ([209.85.215.202]:39902 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728523AbfDDAdt (ORCPT ); Wed, 3 Apr 2019 20:33:49 -0400 Received: by mail-pg1-f202.google.com with SMTP id o4so363558pgl.6 for ; Wed, 03 Apr 2019 17:33:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
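Review bot: style: the new `return -EPERM;` runs straight into the existing `if (!capable(CAP_SYS_RAWIO))` without a blank line, unlike the other hunks in the series. The ordering itself is right: the lockdown test comes first so CAP_SYS_RAWIO cannot bypass it, and using LOCKDOWN_CONFIDENTIALITY matches the commit message's statement that integrity mode still permits /proc/kcore.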
Date: Wed, 3 Apr 2019 17:32:43 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-22-matthewgarrett@google.com>
Subject: [PATCH V32 21/27] Lock down tracing and perf kprobes when in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov , Matthew Garrett , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net, Masami Hiramatsu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- kernel/trace/trace_kprobe.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index d5fb09ebba8b..5c70acd80344 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c 
@@ -420,6 +420,9 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + if (kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; From patchwork Thu Apr 4 00:32:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10884647 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 08B8417E0 for ; Thu, 4 Apr 2019 00:33:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E4C4D28913 for ; Thu, 4 Apr 2019 00:33:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D8EAE2893D; Thu, 4 Apr 2019 00:33:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BD63428936 for ; Thu, 4 Apr 2019 00:33:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728557AbfDDAdx (ORCPT ); Wed, 3 Apr 2019 20:33:53 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:37671 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728442AbfDDAdw (ORCPT ); Wed, 3 Apr 2019 20:33:52 -0400 Received: by mail-pf1-f201.google.com with SMTP id p8so530550pfd.4 for ; Wed, 03 Apr 2019 17:33:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
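Review bot: the commit message promises that kprobes from signed modules keep working, but nothing in the hunk makes that visible; it holds only because the check sits in __register_trace_kprobe(), the ftrace/perf probe path, rather than in the generic kprobe registration used by in-kernel callers. Spell that out in the message, and ideally in a comment above the check, so the test is not later moved to a lower layer where it would break the signed-module case.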
Date: Wed, 3 Apr 2019 17:32:44 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-23-matthewgarrett@google.com>
Subject: [PATCH V32 22/27] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov , Matthew Garrett , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells There are some bpf functions can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Disable them if the kernel has been locked down in confidentiality mode. Suggested-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann --- kernel/trace/bpf_trace.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 8b068adb9da1..9e8eda605b5e 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); @@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. 
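Review bot: these hunks return -EINVAL while every other lockdown refusal in the series returns -EPERM; unless the BPF helper contract needs EINVAL, EPERM would be consistent and tells the program author what actually happened. The check also runs on every helper invocation inside a BPF program, i.e. in a hot path, rather than once when the program is loaded; rejecting at load or verification time would be cheaper and would fail the program up front instead of having bpf_probe_read() return errors at run time. Minor: the bpf_probe_write_user hunk omits the blank line after the new return that the bpf_probe_read hunk has.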
@@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, char buf[64]; int i; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * bpf_check()->check_func_arg()->check_stack_boundary() * guarantees that fmt points to bpf program stack, 
@@ -535,6 +543,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing
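Review bot: in the bpf_probe_read hunk the new early `return -EINVAL` bypasses the `memset(dst, 0, size)` that the existing failure path performs after probe_kernel_read() fails, so under lockdown the destination buffer keeps whatever it held before the helper was called; zero dst before returning, as the existing path does, and check whether bpf_probe_read_str needs the same treatment since its comment says the buffer is normally not filled completely. Two smaller points: the commit message lists bpf_probe_read, bpf_probe_write_user and bpf_trace_printk, but the diff also restricts bpf_probe_read_str, so the message should name it; and because kernel_is_locked_down() is now evaluated on every helper invocation, consider refusing these helpers once, when the program is loaded and the prototypes such as bpf_probe_read_proto are handed out, rather than paying for the check and producing a confusing -EINVAL on each call.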
From patchwork Thu Apr 4 00:32:45 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884649
Date: Wed, 3 Apr 2019 17:32:45 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-24-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 23/27] Lock down perf when in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo --- kernel/events/core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index 3cd13a30f732..6ad3d83c091c 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c 
@@ -10461,6 +10461,12 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR", + LOCKDOWN_CONFIDENTIALITY)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return -EPERM; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
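Review bot: the comment `/* REGS_INTR can leak data, lockdown must prevent this */` is placed between the `if (...)` condition and its unbraced `return -EPERM;`, which is easy to misread as a statement of its own; move the comment above the `if`. The `what` string passed to kernel_is_locked_down() is "PERF_SAMPLE_REGS_INTR", whereas the other callers in this series pass a subsystem name ("BPF", "debugfs", "tracefs"), so the resulting "Lockdown: ... is restricted" message will look different from the rest; "perf" would match. The commit message says only "certain perf facilities" while the diff restricts exactly one flag, PERF_SAMPLE_REGS_INTR; naming it in the message would help anyone tracing an unexpected -EPERM from perf_event_open().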
From patchwork Thu Apr 4 00:32:46 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884653
Date: Wed, 3 Apr 2019 17:32:46 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-25-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 24/27] kexec: Allow kexec_file() with appropriate IMA policy when locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett Acked-by: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 7 +++- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ 5 files changed, 68 insertions(+), 2 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..60007b86f4fc 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,4 +127,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ 
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index a1cc37c8b43b..7599039623a7 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = 0; - if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { ret = -EPERM; goto out; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..fe03cc6f1ca4 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -115,6 +115,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 4ffac4f5c647..106f06dee9d1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -442,7 +442,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 122797023bdb..f8f1cdb74a4f 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -1341,3 +1341,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. 
+ */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
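Review bot: ima_appraise_signature() consults only `entry->action` and `entry->func` before accepting a rule as the match and breaking out of the loop, so any further matching conditions a policy rule may carry (IMA rules can be qualified by uid, fsmagic and similar) are not considered; if the first matching APPRAISE rule only applies to a subset of callers, this returns true and kexec_file() is permitted under LOCKDOWN_INTEGRITY for callers the rule would never appraise. Either skip rules that have additional conditions or state in the function comment and commit message that the policy must be unconditional for this to be safe. Minor style: the multi-line comment added in kimage_file_prepare_segments() should start with a bare `/*` line, as the comment in ima_policy.c already does.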
From patchwork Thu Apr 4 00:32:47 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884661
Date: Wed, 3 Apr 2019 17:32:47 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-26-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 25/27] lockdown: Print current->comm in restriction messages
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: : is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- security/lock_down.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/lock_down.c b/security/lock_down.c index 9913fff09ad0..2659722784cc 100644 --- a/security/lock_down.c +++ b/security/lock_down.c 
@@ -70,8 +70,8 @@ bool __kernel_is_locked_down(const char *what, enum lockdown_level level, bool first) { if ((kernel_locked_down >= level) && what && first) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - what); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, what); return (kernel_locked_down >= level); } EXPORT_SYMBOL(__kernel_is_locked_down);
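Review bot: the format change alters a message that the kernel_lockdown.7 man page referenced in the string documents and that log monitoring may match on, so the man page and any example in the series documentation should be updated to the new "Lockdown: comm: what is restricted" shape in the same series. Also worth a sentence in the commit message: current->comm only names the caller when the restriction is hit in process context; when a restriction is evaluated from a kernel thread the name printed is the thread's, not that of the user process that triggered it.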
From patchwork Thu Apr 4 00:32:48 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884655
Date: Wed, 3 Apr 2019 17:32:48 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-27-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 26/27] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Andy Shevchenko , acpi4asus-user@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, Matthew Garrett , Thomas Gleixner , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made: (1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that). (2) When the kernel is locked down, only files with the following criteria are permitted to be opened: - The file must have mode 00444 - The file must not have ioctl methods - The file must not have mmap (3) When the kernel is locked down, files may only be opened for reading. Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs. Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver. I would actually prefer to lock down all files by default and have the the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables). Signed-off-by: David Howells cc: Andy Shevchenko cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner 
Signed-off-by: Matthew Garrett --- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..2d18e7711fca 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 13b01351dd1c..4b877cb1431d 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c 
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && + kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY)) + return -EPERM; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry);
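Review bot: in both open_proxy_open() and full_proxy_open() the hunk assigns `r = -EPERM;` unconditionally and only the locked-down branch jumps to `out`; when the check passes, r still holds -EPERM, so unless every later path before `out:` assigns r again (the visible context does not show that it does, and a real_fops without an .open method is the obvious case), an allowed open will fail with -EPERM even on an unlocked kernel. Set r inside the `if`, or have debugfs_is_locked_down() return an int that is 0 when access is allowed and assign r from it. Separately, debugfs_is_locked_down() gates on LOCKDOWN_INTEGRITY, so a 0444 file without ioctl or mmap stays readable in confidentiality mode, while the tracefs patch in this series blocks open() under LOCKDOWN_CONFIDENTIALITY; the commit message should say why read-only debugfs files are not treated as a confidentiality exposure, or the read path should also consult the confidentiality level. Minor: debugfs_setattr() refuses mode and owner changes only while locked down, so the heuristic trusts whatever mode a file had when lockdown took effect; that limitation belongs in the commit message next to the remark about mount and remount.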
From patchwork Thu Apr 4 00:32:49 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884657
Date: Wed, 3 Apr 2019 17:32:49 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-28-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 27/27] tracefs: Restrict tracefs when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Steven Rostedt Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open(). Signed-off-by: Matthew Garrett Cc: Steven Rostedt Reviewed-by: Steven Rostedt (VMware) --- fs/tracefs/inode.c | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index 7098c49f3693..576327ffd9d1 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c @@ -31,6 +31,21 @@ static struct vfsmount *tracefs_mount; static int tracefs_mount_count; static bool tracefs_registered; +static int default_open_file(struct inode *inode, struct file *filp) +{ + struct dentry *dentry = filp->f_path.dentry; + struct file_operations *real_fops; + + if (!dentry) + return -EINVAL; + + if (kernel_is_locked_down("tracefs", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; + + real_fops = dentry->d_fsdata; + return real_fops->open(inode, filp); +} + static ssize_t default_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) { @@ -50,6 +65,13 @@ static const struct file_operations tracefs_file_operations = { .llseek = noop_llseek, }; +static const struct file_operations tracefs_proxy_file_operations = { + .read = default_read_file, + .write = default_write_file, + .open = default_open_file, + .llseek = noop_llseek, +}; + static struct tracefs_dir_ops { int (*mkdir)(const char *name); int (*rmdir)(const char *name); 
@@ -225,6 +247,12 @@ static int tracefs_apply_options(struct super_block *sb) return 0; } +static void tracefs_destroy_inode(struct inode *inode) +{ + if S_ISREG(inode->i_mode) + kfree(inode->i_fop); +} + static int tracefs_remount(struct super_block *sb, int *flags, char *data) { int err; @@ -260,6 +288,7 @@ static int tracefs_show_options(struct seq_file *m, struct dentry *root) static const struct super_operations tracefs_super_operations = { .statfs = simple_statfs, + .destroy_inode = tracefs_destroy_inode, .remount_fs = tracefs_remount, .show_options = tracefs_show_options, }; @@ -393,6 +422,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, { struct dentry *dentry; struct inode *inode; + struct file_operations *proxy_fops; if (!(mode & S_IFMT)) mode |= S_IFREG; @@ -406,8 +436,16 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, if (unlikely(!inode)) return failed_creating(dentry); + proxy_fops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); + if (!proxy_fops) + return failed_creating(dentry); + + dentry->d_fsdata = fops ? (void *)fops : + (void *)&tracefs_file_operations; + memcpy(proxy_fops, dentry->d_fsdata, sizeof(struct file_operations)); + proxy_fops->open = default_open_file; inode->i_mode = mode; - inode->i_fop = fops ? fops : &tracefs_file_operations; + inode->i_fop = proxy_fops; inode->i_private = data; d_instantiate(dentry, inode); fsnotify_create(dentry->d_parent->d_inode, dentry);
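Review bot: default_open_file() calls `real_fops->open(inode, filp)` unconditionally, but the fallback `tracefs_file_operations` that tracefs_create_file() stores in d_fsdata when fops is NULL has no .open member (and callers' own fops need not have one either), so opening such a file calls a NULL function pointer; add `if (!real_fops->open) return 0;` before the call. In tracefs_create_file(), the kzalloc() failure path returns failed_creating(dentry) after the inode has already been obtained (the preceding `if (unlikely(!inode))` shows failed_creating() does not take the inode), so the inode is leaked; drop the reference with iput(inode) before returning. Two smaller points: `if S_ISREG(inode->i_mode)` in tracefs_destroy_inode() only compiles because the macro supplies its own parentheses, write it as `if (S_ISREG(inode->i_mode))`; and tracefs_proxy_file_operations is added but nothing in the diff references it, since the proxy is built by memcpy from the real fops with .open overridden, so it can be dropped.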