From patchwork Mon Jul 15 19:59:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044809 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3546C112C for ; Mon, 15 Jul 2019 20:00:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2383728538 for ; Mon, 15 Jul 2019 20:00:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 173ED28560; Mon, 15 Jul 2019 20:00:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F055228538 for ; Mon, 15 Jul 2019 19:59:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731325AbfGOT76 (ORCPT ); Mon, 15 Jul 2019 15:59:58 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:40520 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731380AbfGOT75 (ORCPT ); Mon, 15 Jul 2019 15:59:57 -0400 Received: by mail-pg1-f201.google.com with SMTP id d187so11083023pga.7 for ; Mon, 15 Jul 2019 12:59:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=597mNbti9AE4jskQLQ5sdKqhsrWUg3noqnu7lsx00Ik=; b=qXB9/03I2v0SQWRLeW94P6XcZj6GfchdLI5KIX/Oc/jP0g6lEUziHD0GWBjc92EIwX 9FpEM9CCTqU6SU+Ktsj25Uiac4QHY31M4NQrUW0EEJqyTPLqbIkwYGXvaVknZb+eR12y 
4C1+3rLmdc3oqgEZ5XfafqgLUrpaEN3cruTaeOcoeZYhcP1grF0y2QvS7UPAbRzl4CXI uL6R4iu7cfIlBMUAIgGN9NvgiFiF/2BXYrcj2sNMn8tu3EV+yHD+8CVW3oq/ggGfNn4M JKlL3/pGCseiHww2Wv3rLRxt0/TGKiWVRN6uR2snMRR0ervpq0vxbgCqgKEsKVrDtmMe zqpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=597mNbti9AE4jskQLQ5sdKqhsrWUg3noqnu7lsx00Ik=; b=YzS3GB67hAAXP5HWpd5yGbcxVwzJ3299eALbPPYsJomgHJvyHtsQpiXr1fRmkFqfjb N2ZC4f2hvI8KCeHwtcCgN05TdZZRD7WVgKrmrHTs4nOSh3b9BqLtlsf2PppzN3kKpOSp Iz++7DW4ZiHg44pDeIRkfmlP2Rw0qBvmIeNp1thyWyi6zH2Zmjn1N2Y2fhOHWTp1fls/ f3WRmxFzkvvvfWU78Qgoe18AmCKUtXoTrjQAg/YLm/RKysltyv4bbxUBiXdidCa0Fm3S MLBtBUJ6Cv3K8EYYzWbmNwWJqHiymJLVV4rPpnLNUAA71cz9x3Oo8eRr0MWKaxFyf+cz oz3Q== X-Gm-Message-State: APjAAAVylNdB0psWMCg8K8UBXIUhVbsfrqNEEqsVJBtMEj4Dv1ym0ey8 UoMqIsapBXEHnMCNwxQz4MgipxYPz9zruCLh7wo98w== X-Google-Smtp-Source: APXvYqwNTTIdEuMGXz3Iw58j73xNVDdOcjrELPbQVXz18A8tAxMFEB9tpgqdWiCxEK0YXGrkvdE4NmuXjfS7hF0WayC3lw== X-Received: by 2002:a65:6288:: with SMTP id f8mr24436680pgv.292.1563220795628; Mon, 15 Jul 2019 12:59:55 -0700 (PDT) Date: Mon, 15 Jul 2019 12:59:18 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-2-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190715195946.223443-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog Subject: [PATCH V35 01/29] security: Support early LSMs 
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The lockdown module is intended to allow for kernels to be locked down early in boot - sufficiently early that we don't have the ability to kmalloc() yet. Add support for early initialisation of some LSMs, and then add them to the list of names when we do full initialisation later. Early LSMs are initialised in link order and cannot be overridden via boot parameters, and cannot make use of kmalloc() (since the allocator isn't initialised yet). Signed-off-by: Matthew Garrett Acked-by: Kees Cook --- include/asm-generic/vmlinux.lds.h | 8 ++++- include/linux/lsm_hooks.h | 6 ++++ include/linux/security.h | 1 + init/main.c | 1 + security/security.c | 50 ++++++++++++++++++++++++++----- 5 files changed, 57 insertions(+), 9 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index ca42182992a5..6cc6174a2a4c 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -215,8 +215,13 @@ __start_lsm_info = .; \ KEEP(*(.lsm_info.init)) \ __end_lsm_info = .; +#define EARLY_LSM_TABLE() . = ALIGN(8); \ + __start_early_lsm_info = .; \ + KEEP(*(.early_lsm_info.init)) \ + __end_early_lsm_info = .; #else #define LSM_TABLE() +#define EARLY_LSM_TABLE() #endif #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) @@ -616,7 +621,8 @@ ACPI_PROBE_TABLE(irqchip) \ ACPI_PROBE_TABLE(timer) \ EARLYCON_TABLE() \ - LSM_TABLE() + LSM_TABLE() \ + EARLY_LSM_TABLE() #define INIT_TEXT \ *(.init.text .init.text.*) \ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index df1318d85f7d..aebb0e032072 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -2104,12 +2104,18 @@ struct lsm_info { }; extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; +extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; #define DEFINE_LSM(lsm) \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ __aligned(sizeof(unsigned long)) +#define DEFINE_EARLY_LSM(lsm) \ + static struct lsm_info __early_lsm_##lsm \ + __used __section(.early_lsm_info.init) \ + __aligned(sizeof(unsigned long)) + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/security.h b/include/linux/security.h index 5f7441abbf42..66a2fcbe6ab0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -195,6 +195,7 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb); /* prototypes */ extern int security_init(void); +extern int early_security_init(void); /* Security operations */ int security_binder_set_context_mgr(struct task_struct *mgr); diff --git a/init/main.c b/init/main.c index ff5803b0841c..0fefca3fd43c 100644 --- a/init/main.c +++ b/init/main.c @@ -593,6 +593,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + early_security_init(); setup_arch(&command_line); mm_init_cpumask(&init_mm); setup_command_line(command_line); diff --git a/security/security.c b/security/security.c index 250ee2d76406..90f1e291c800 100644 --- a/security/security.c +++ b/security/security.c @@ -33,6 +33,7 @@ /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) +#define EARLY_LSM_COUNT (__end_early_lsm_info - __start_early_lsm_info) struct security_hook_heads security_hook_heads __lsm_ro_after_init; static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); 
@@ -277,6 +278,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init lsm_early_cred(struct cred *cred); static void __init lsm_early_task(struct task_struct *task); +static int lsm_append(const char *new, char **result); + static void __init ordered_lsm_init(void) { struct lsm_info **lsm; @@ -323,6 +326,26 @@ static void __init ordered_lsm_init(void) kfree(ordered_lsms); } +int __init early_security_init(void) +{ + int i; + struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; + + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); + i++) + INIT_HLIST_HEAD(&list[i]); + + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; + prepare_lsm(lsm); + initialize_lsm(lsm); + } + + return 0; +} + /** * security_init - initializes the security framework * @@ -330,14 +353,18 @@ static void __init ordered_lsm_init(void) */ int __init security_init(void) { - int i; - struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; pr_info("Security Framework initializing\n"); - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); - i++) - INIT_HLIST_HEAD(&list[i]); + /* + * Append the names of the early LSM modules now that kmalloc() is + * available + */ + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (lsm->enabled) + lsm_append(lsm->name, &lsm_names); + } /* Load LSMs in specified order. */ ordered_lsm_init(); @@ -384,7 +411,7 @@ static bool match_last_lsm(const char *list, const char *lsm) return !strcmp(last, lsm); } -static int lsm_append(char *new, char **result) +static int lsm_append(const char *new, char **result) { char *cp; 
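Review bot: In the security_init() hunk, the loop that appends early LSM names tests `if (lsm->enabled)`, which only checks that the pointer is non-NULL; early_security_init() has just set every NULL `enabled` to `&lsm_enabled_true`, so the condition is always true and the value the pointer refers to is never consulted. Dereference it (`*lsm->enabled`, or security.c's existing is_enabled() helper) so that an early LSM built with `enabled` pointing at false is not reported in lsm_names, and check the return value of lsm_append() in this loop the way security_add_hooks() does, since a failed append here is currently silent.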
@@ -422,8 +449,15 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, hooks[i].lsm = lsm; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } - if (lsm_append(lsm, &lsm_names) < 0) - panic("%s - Cannot get early memory.\n", __func__); + + /* + * Don't try to append during early_security_init(), we'll come back + * and fix this up afterwards. + */ + if (slab_is_available()) { + if (lsm_append(lsm, &lsm_names) < 0) + panic("%s - Cannot get early memory.\n", __func__); + } } int call_blocking_lsm_notifier(enum lsm_event event, void *data) From patchwork Mon Jul 15 19:59:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044891 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 74C4A6C5 for ; Mon, 15 Jul 2019 20:02:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 645D92843B for ; Mon, 15 Jul 2019 20:02:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 58E342855A; Mon, 15 Jul 2019 20:02:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A1F432843B for ; Mon, 15 Jul 2019 20:02:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730893AbfGOUCy (ORCPT ); Mon, 15 Jul 2019 16:02:54 -0400 Received: from mail-pg1-f202.google.com ([209.85.215.202]:41320 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by 
Date: Mon, 15 Jul 2019 12:59:19 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-3-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
X-Mailer: git-send-email
2.22.0.510.g264f2c817a-goog Subject: [PATCH V35 02/29] security: Add a "locked down" LSM hook From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Add a mechanism to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. Signed-off-by: Matthew Garrett Acked-by: Kees Cook --- include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 32 ++++++++++++++++++++++++++++++++ security/security.c | 6 ++++++ 3 files changed, 40 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index aebb0e032072..29c22cf40113 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1807,6 +1807,7 @@ union security_list_options { int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux); void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); #endif /* CONFIG_BPF_SYSCALL */ + int (*locked_down)(enum lockdown_reason what); }; struct security_hook_heads { @@ -2046,6 +2047,7 @@ struct security_hook_heads { struct hlist_head bpf_prog_alloc_security; struct hlist_head bpf_prog_free_security; #endif /* CONFIG_BPF_SYSCALL */ + struct hlist_head locked_down; } __randomize_layout; /* diff --git a/include/linux/security.h b/include/linux/security.h index 66a2fcbe6ab0..c2b1204e8e26 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -77,6 +77,33 @@ enum lsm_event { LSM_POLICY_CHANGE, }; +/* + * These are reasons that can be passed to the security_locked_down() + * LSM hook. Lockdown reasons that protect kernel integrity (ie, the + * ability for userland to modify kernel code) are placed before + * LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel + * confidentiality (ie, the ability for userland to extract + * information from the running kernel that would otherwise be + * restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX. + * + * LSM authors should note that the semantics of any given lockdown + * reason are not guaranteed to be stable - the same reason may block + * one set of features in one kernel release, and a slightly different + * set of features in a later kernel release. LSMs that seek to expose + * lockdown policy at any level of granularity other than "none", + * "integrity" or "confidentiality" are responsible for either + * ensuring that they expose a consistent level of functionality to + * userland, or ensuring that userland is aware that this is + * potentially a moving target. It is easy to misuse this information + * in a way that could break userspace. Please be careful not to do + * so. + */ +enum lockdown_reason { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX, +}; + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) 
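Review bot: The comment above enum lockdown_reason says confidentiality reasons "are placed before LOCKDOWN_CONFIDENTIALITY_MAX", which as worded is also true of every integrity reason; stating that they sit between LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX would pin down the invariant that an LSM comparing `what` against the two _MAX sentinels relies on. The new security_locked_down() prototype could also carry a one-line note on its return convention (0 when the operation is allowed, -EPERM or another negative errno when lockdown forbids it), since the callers added by later patches in this series branch on that value.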
@@ -1205,6 +1233,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 { return -EOPNOTSUPP; } +static inline int security_locked_down(enum lockdown_reason what) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK diff --git a/security/security.c b/security/security.c index 90f1e291c800..ce6c945bf347 100644 --- a/security/security.c +++ b/security/security.c 
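Review bot: The !CONFIG_SECURITY stub returns 0, i.e. "not locked down", which matches the `call_int_hook(locked_down, 0, what)` default used when no LSM registers the hook; a comment saying that the framework default is fail-open, so lockdown only takes effect once an LSM providing locked_down has been initialised, would save readers of the stub a trip to security.c.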
@@ -2392,3 +2392,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) call_void_hook(bpf_prog_free_security, aux); } #endif /* CONFIG_BPF_SYSCALL */ + +int security_locked_down(enum lockdown_reason what) +{ + return call_int_hook(locked_down, 0, what); +} +EXPORT_SYMBOL(security_locked_down); From patchwork Mon Jul 15 19:59:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044811 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AECA3746 for ; Mon, 15 Jul 2019 20:00:06 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 986C328538 for ; Mon, 15 Jul 2019 20:00:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8651328560; Mon, 15 Jul 2019 20:00:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 522FA28538 for ; Mon, 15 Jul 2019 20:00:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732046AbfGOUAD (ORCPT ); Mon, 15 Jul 2019 16:00:03 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:33982 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732020AbfGOUAC (ORCPT ); Mon, 15 Jul 2019 16:00:02 -0400 Received: by mail-pg1-f201.google.com with SMTP id x19so11115965pgx.1 for ; Mon, 15 Jul 2019 13:00:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
Date: Mon, 15 Jul 2019 12:59:20 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-4-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 03/29] security: Add a static lockdown policy LSM
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , David Howells Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: David Howells --- .../admin-guide/kernel-parameters.txt | 9 + include/linux/security.h | 3 + security/Kconfig | 11 +- security/Makefile | 2 + security/lockdown/Kconfig | 47 +++++ security/lockdown/Makefile | 1 + security/lockdown/lockdown.c | 172 ++++++++++++++++++ 7 files changed, 240 insertions(+), 5 deletions(-) create mode 100644 security/lockdown/Kconfig create mode 100644 security/lockdown/Makefile create mode 100644 security/lockdown/lockdown.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 099c5a4be95b..95acd46fd891 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2248,6 +2248,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/include/linux/security.h b/include/linux/security.h index c2b1204e8e26..54a0532ec12f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -97,6 +97,9 @@ enum lsm_event { * potentially a moving target. It is easy to misuse this information * in a way that could break userspace. Please be careful not to do * so. + * + * If you add to this, remember to extend lockdown_reasons in + * security/lockdown/lockdown.c. */ enum lockdown_reason { LOCKDOWN_NONE, diff --git a/security/Kconfig b/security/Kconfig index 06a30851511a..967e86fc415a 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -237,6 +237,7 @@ source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" +source "security/lockdown/Kconfig" source "security/integrity/Kconfig" 
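Review bot: The new kernel-parameters.txt entry for lockdown= should say that it depends on the lockdown LSM being built in (CONFIG_SECURITY_LOCKDOWN_LSM), because the early_param("lockdown", ...) handler lives in security/lockdown/lockdown.c; on a kernel without that option the parameter is accepted on the command line but changes nothing. It would also help to mention that enforcing the parameter against features parsed early in boot requires CONFIG_SECURITY_LOCKDOWN_LSM_EARLY, as the Kconfig help text explains, since otherwise the locked_down hook is only registered at security_init().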
@@ -276,11 +277,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK - default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR - default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO - default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC - default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" + default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK + default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR + default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO + default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/Makefile b/security/Makefile index c598b904938f..be1dd9d2cb2f 100644 --- a/security/Makefile +++ b/security/Makefile @@ -11,6 +11,7 @@ subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid +subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown # always enable default capabilities obj-y += commoncap.o @@ -27,6 +28,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig new file mode 100644 index 000000000000..7374ba76d8eb --- /dev/null 
+++ b/security/lockdown/Kconfig @@ -0,0 +1,47 @@ +config SECURITY_LOCKDOWN_LSM + bool "Basic module for enforcing kernel lockdown" + depends on SECURITY + help + Build support for an LSM that enforces a coarse kernel lockdown + behaviour. + +config SECURITY_LOCKDOWN_LSM_EARLY + bool "Enable lockdown LSM early in init" + depends on SECURITY_LOCKDOWN_LSM + help + Enable the lockdown LSM early in boot. This is necessary in order + to ensure that lockdown enforcement can be carried out on kernel + boot parameters that are otherwise parsed before the security + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on SECURITY_LOCKDOWN_LSM + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + diff --git a/security/lockdown/Makefile b/security/lockdown/Makefile new file mode 100644 index 000000000000..e3634b9017e7 --- /dev/null +++ b/security/lockdown/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown.o diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c new file mode 100644 index 000000000000..d30c4d254b5f --- /dev/null +++ b/security/lockdown/lockdown.c 
@@ -0,0 +1,172 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include + +static enum lockdown_reason kernel_locked_down; + +static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { + [LOCKDOWN_NONE] = "none", + [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", +}; + +static enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_reason level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY_MAX); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY_MAX); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/** + * lockdown_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +static int lockdown_is_locked_down(enum lockdown_reason what) +{ + if (kernel_locked_down >= what) { + if (lockdown_reasons[what]) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + lockdown_reasons[what]); + return -EPERM; + } + + return 0; +} + +static struct 
security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), +}; + +static int __init lockdown_lsm_init(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY_MAX); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); +#endif + security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), + "lockdown"); + return 0; +} + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset = 0; + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + + if (lockdown_reasons[level]) { + const char *label = lockdown_reasons[level]; + + if (kernel_locked_down == level) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = -EINVAL; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (len && state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + const char *label = lockdown_reasons[level]; + + if (label && !strcmp(state, label)) + err = lock_kernel_down("securityfs", level); + } + + kfree(state); + return err ? 
err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); + +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY +DEFINE_EARLY_LSM(lockdown) = { +#else +DEFINE_LSM(lockdown) = { +#endif + .name = "lockdown", + .init = lockdown_lsm_init, +}; From patchwork Mon Jul 15 19:59:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044889 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AC4236C5 for ; Mon, 15 Jul 2019 20:02:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9B88D28449 for ; Mon, 15 Jul 2019 20:02:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9018F28538; Mon, 15 Jul 2019 20:02:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 164392843B for ; Mon, 15 Jul 2019 20:02:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732231AbfGOUAF (ORCPT ); Mon, 15 Jul 2019 16:00:05 -0400 Received: from mail-qt1-f202.google.com ([209.85.160.202]:41501 "EHLO mail-qt1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org 
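Review bot: In security/lockdown/lockdown.c, lockdown_secfs_init() creates /sys/kernel/security/lockdown from core_initcall() regardless of whether lockdown_lsm_init() ever ran; the security/Kconfig help text says an LSM left out of CONFIG_LSM is ignored, so on such a kernel the file still exists, lockdown_write() still sets kernel_locked_down and lockdown_read() reports that level as active, while no locked_down hook is registered to enforce it. Creating the file only after lockdown_lsm_init() has run (for example behind a static flag it sets) would keep the reported state honest. Two smaller points in the same file: lockdown_write() passes the user-supplied length n straight to memdup_user_nul() although valid input is never longer than the longest label plus a newline, so rejecting oversized writes before allocating is cheap hardening; and lockdown_read() fills temp[80] with sprintf(), which is safe for the three current labels but is the kind of fixed buffer that should use scnprintf() with sizeof(temp) as the label table grows.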
Date: Mon, 15 Jul 2019 12:59:21 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-5-matthewgarrett@google.com> References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 04/29] Enforce module signatures if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook , Jessica Yu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got. Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.] Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Jessica Yu --- include/linux/security.h | 1 + kernel/module.c | 37 +++++++++++++++++++++++++++++------- security/lockdown/lockdown.c | 1 + 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 54a0532ec12f..8e70063074a1 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -103,6 +103,7 @@ enum lsm_event { */ enum lockdown_reason { LOCKDOWN_NONE, + LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; 
diff --git a/kernel/module.c b/kernel/module.c index a2cee14a83f3..d8e1258e54af 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2769,16 +2770,38 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d30c4d254b5f..2c53fd9f5c9b 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -18,6 +18,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", + [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
From patchwork Mon Jul 15 19:59:22 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044813
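Review bot: in the kernel/module.c hunk, `reason` is only logged on the is_module_sig_enforced() branch; when the decision falls through to `return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);` the string is computed and then discarded, so -ENODATA, -ENOPKG and -ENOKEY all leave module_sig_check() looking identical and an operator cannot tell an unsigned module from one signed with a key that is not on the keyring. Consider a pr_notice() (or pr_debug() when the load is allowed to proceed) of `reason` ahead of that return, matching the enforced path and the distinction the commit message's case (1) draws. Minor: the `decide:` label is reached by goto from the -ENODATA and -ENOPKG cases but sits inside the -ENOKEY case body; a one-line comment there would save the next reader a double-take.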
Date: Mon, 15 Jul 2019 12:59:22 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-6-matthewgarrett@google.com> References: <20190715195946.223443-1-matthewgarrett@google.com> Subject: [PATCH V35 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Kees Cook , x86@kernel.org
From: Matthew Garrett
Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.
Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: x86@kernel.org
--- drivers/char/mem.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek
diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, };
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
From patchwork Mon Jul 15 19:59:23 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044885
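Review bot: the commit message says /dev/mem, /dev/kmem and /dev/port are all gated, but the drivers/char/mem.c hunk only changes open_port(); if open_mem() and open_kmem() reach this code through an alias elsewhere in that file, please say so in the commit message, otherwise the two memory devices are not covered by this change. Worth documenting as well that the check lives in the open() path: a descriptor opened before the kernel is locked down (lockdown can be raised at runtime through the securityfs `lockdown` file added in patch 01) keeps its access, so the protection is only complete when lockdown is in force before such descriptors exist, e.g. via the CONFIG_LOCK_DOWN_KERNEL_FORCE_* options.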
Date: Mon, 15 Jul 2019 12:59:23 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-7-matthewgarrett@google.com> References: <20190715195946.223443-1-matthewgarrett@google.com> Subject: [PATCH V35 06/29] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Dave Young , Kees Cook , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Dave Young Reviewed-by: Kees Cook cc: kexec@lists.infradead.org --- include/linux/security.h | 1 + kernel/kexec.c | 8 ++++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 10 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 9458152601b5..69c5de539e9a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -105,6 +105,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_KEXEC, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/kexec.c b/kernel/kexec.c index 1b018f1a6e0d..bc933c0db9bf 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -205,6 +205,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + result = security_locked_down(LOCKDOWN_KEXEC); + if (result) + return result; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d2ef29d9f0b2..6f302c156bc8 100644 --- a/security/lockdown/lockdown.c 
+++ b/security/lockdown/lockdown.c 
@@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
From patchwork Mon Jul 15 19:59:24 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044815
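Review bot: the placement of `security_locked_down(LOCKDOWN_KEXEC)` in kexec_load_check() is fine, but the label added to lockdown_reasons[] reads "kexec of unsigned images" while this hunk refuses kexec_load() outright, and that syscall carries no signature to verify in the first place. Either word the label so it covers the legacy syscall being unavailable under lockdown, or state in the commit message that LOCKDOWN_KEXEC is shared with the kexec_file_load() restriction later in the series and the wording is chosen for both uses.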
Date: Mon, 15 Jul 2019 12:59:24 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-8-matthewgarrett@google.com> References: <20190715195946.223443-1-matthewgarrett@google.com> Subject: [PATCH V35 07/29] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Dave Young , David Howells , Matthew Garrett , Kees Cook , kexec@lists.infradead.org
From: Dave Young
A kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via the legacy kexec_load. In this state, the system is missing the protections provided by secure boot. Fix this by retaining the secure_boot flag from the original kernel.
The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fix this issue by copying the secure_boot flag across the kexec reboot.
Signed-off-by: Dave Young Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: kexec@lists.infradead.org
--- arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 5ebcd02cbca7..d2f4e706a428 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;
From patchwork Mon Jul 15 19:59:25 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044817
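Review bot: the new `params->secure_boot = boot_params.secure_boot;` sits below `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;`, so on the old-memmap path the flag is still not propagated and the kexec'd kernel will believe secure boot is off, which is exactly the gap the commit message sets out to close. The secure_boot flag has nothing to do with the memory map layout; move the assignment above that early return (or into the caller of setup_efi_state()) so it is copied unconditionally.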
Date: Mon, 15 Jul 2019 12:59:25 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-9-matthewgarrett@google.com> References: <20190715195946.223443-1-matthewgarrett@google.com> Subject: [PATCH V35 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , Dave Young , kexec@lists.infradead.org
From: Jiri Bohac
This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.
This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.
Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac Reviewed-by: Dave Young cc: kexec@lists.infradead.org
--- arch/x86/Kconfig | 20 +++++++++---- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 41 ++++++++++++++++++++++---- 4 files changed, 55 insertions(+), 14 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 9df2d1cb7a9e..104995fd32d0 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -2026,20 +2026,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index 3b303fe2f061..cc9dbcecaaca 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, 
@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index b8cc032d5620..875482c34154 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
@@ -202,14 +203,42 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); #endif /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
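Review bot: in the kimage_file_prepare_segments() switch, the 'decide:' path accepts the image silently when CONFIG_KEXEC_SIG_FORCE is off ('ret = 0; break;' with no message), while the same hunk deletes the old pr_debug("kernel signature verification successful.\n"), so an unsigned or unverifiable image that is permitted leaves no trace at all; keep a pr_debug("%s permitted\n", reason) (pr_notice would be defensible) before 'ret = 0', since 'reason' is already set on every path that reaches the label. The comment above the cases, "non-fatal if we're not checking errors", also does not describe the code; "non-fatal unless CONFIG_KEXEC_SIG_FORCE is set" is what is implemented.

Review bot: the switch assumes every verify_sig backend reports "no signature" as -ENODATA, "unsupported crypto" as -ENOPKG and "no usable key" as -ENOKEY, but the only place that contract is written down is the new -ENODATA line in the verify_pefile comment; the kexec_verify_sig_t typedef in include/linux/kexec.h is touched by this patch anyway (the CONFIG_KEXEC_VERIFY_SIG to CONFIG_KEXEC_SIG rename) and is where these return values should be documented, because a backend that reports a missing signature with any other errno falls into the fatal 'default:' branch and makes unsigned images unloadable even without KEXEC_SIG_FORCE.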
Date: Mon, 15 Jul 2019 12:59:26 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-10-matthewgarrett@google.com>
Subject: [PATCH V35 09/29] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac, David Howells, Matthew Garrett, Kees Cook, kexec@lists.infradead.org

From: Jiri Bohac

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
Reviewed-by: Kees Cook
cc: kexec@lists.infradead.org
---
 kernel/kexec_file.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 875482c34154..dd06f1070d66 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c
@@ -228,7 +228,10 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = 0; + ret = security_locked_down(LOCKDOWN_KEXEC); + if (ret) + goto out; + break; /* All other errors are fatal, including nomem, unparseable
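Review bot: the commit message says the restriction applies "when KEXEC_SIG is not enabled", but this hunk replaces the 'ret = 0;' on the 'decide:' path, which sits inside the '#ifdef CONFIG_KEXEC_SIG' block of kimage_file_prepare_segments() (the switch on arch_kexec_kernel_verify_sig()'s result, closed by the '#endif' before the initramfs handling). With CONFIG_KEXEC_SIG=n this code is not compiled, and nothing else in this file's changes consults security_locked_down(LOCKDOWN_KEXEC), so a locked-down kernel built without KEXEC_SIG would still load arbitrary images through kexec_file_load(). Either add a check in an '#else' branch (or unconditionally ahead of the '#ifdef') or reword the message to say the check applies when KEXEC_SIG is enabled but KEXEC_SIG_FORCE is not. Also, because 'decide:' is shared, images that failed with -ENOKEY or -ENOPKG are refused here too, and lockdown.c reports all of them as "kexec of unsigned images"; the message should say that, or those cases should get their own reason.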
Date: Mon, 15 Jul 2019 12:59:27 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-11-matthewgarrett@google.com>
Subject: [PATCH V35 10/29] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer, David Howells, Matthew Garrett, Kees Cook, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
---
 include/linux/security.h | 1 +
 kernel/power/hibernate.c | 3 ++-
 security/lockdown/lockdown.c | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/security.h b/include/linux/security.h index 69c5de539e9a..304a155a5628 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -106,6 +106,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index cd7434e6000d..3c0a5a8170b0 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include "power.h" @@ -68,7 +69,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); } /** diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 6f302c156bc8..a0996f75629f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c
@@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
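Review bot: the hibernation_available() hunk calls the LSM hook on every query and discards its errno by negating it, so callers cannot tell "disabled by nohibernate" from "refused by lockdown"; that is fine for a boolean helper, but the commit message should say so, and it should also say why LOCKDOWN_HIBERNATION is inserted before LOCKDOWN_INTEGRITY_MAX in the enum hunk (an unverifiable resume image can rewrite kernel memory, so this is an integrity restriction), because that position in the enum is what sets the policy level at which the restriction engages.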
Date: Mon, 15 Jul 2019 12:59:28 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-12-matthewgarrett@google.com>
Subject: [PATCH V35 11/29] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Bjorn Helgaas, Kees Cook, linux-pci@vger.kernel.org

From: Matthew Garrett

Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Bjorn Helgaas
Reviewed-by: Kees Cook
cc: linux-pci@vger.kernel.org
---
 drivers/pci/pci-sysfs.c | 16 ++++++++++++++++
 drivers/pci/proc.c | 14 ++++++++++++--
 drivers/pci/syscall.c | 4 +++-
 include/linux/security.h | 1 +
 security/lockdown/lockdown.c | 1 +
 5 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 6d27475e39b2..ec103a7e13fc 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -903,6 +903,11 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, unsigned int size = count; loff_t init_off = off; u8 *data = (u8 *) buf; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (off > dev->cfg_size) return 0; @@ -1164,6 +1169,11 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, int bar = (unsigned long)attr->private; enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL;
@@ -1240,6 +1250,12 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 445b51db75b0..e29b0d5ced62 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "pci.h" @@ -115,7 +116,11 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, struct pci_dev *dev = PDE_DATA(ino); int pos = *ppos; int size = dev->cfg_size; - int cnt; + int cnt, ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (pos >= size) return 0; @@ -196,6 +201,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -238,7 +247,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..31e39558d49d 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -7,6 +7,7 @@ #include #include +#include #include #include #include "pci.h" 
@@ -90,7 +91,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); diff --git a/include/linux/security.h b/include/linux/security.h index 304a155a5628..8adbd62b7669 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -107,6 +107,7 @@ enum lockdown_reason { LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, + LOCKDOWN_PCI_ACCESS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index a0996f75629f..655fe388e615 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -22,6 +22,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", + [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
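Review bot: in the proc_bus_pci_ioctl() hunk the security_locked_down() call is placed ahead of the whole switch, so it also refuses PCIIOC_CONTROLLER, which only returns pci_domain_nr(dev->bus) and gives no hardware access; since proc_bus_pci_mmap() is gated separately in the following hunk, the ioctl check could be limited to the cases that set up mmap state (the ones under HAVE_PCI_MMAP), or the commit message should state that read-only queries on /proc/bus/pci are deliberately refused as well.

Review bot: the pci_mmap_resource() hunk refuses every mapping of a BAR, read-only ones included, while pci_read_config() is left open and only pci_write_config() and pci_write_resource_io() are gated; "default to paranoid" in the message covers this, but it is the one place in the patch where reads are blocked, so spell it out. Minor consistency point: proc_bus_pci_mmap() and pciconfig_write() fold the hook's return value into -EPERM together with the capable() failure, whereas the sysfs and proc write hunks return the hook's value directly; per the kexec_file patch the hook returns -EPERM anyway, so user space sees the same errno, but the two styles in one patch are worth unifying.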
Date: Mon, 15 Jul 2019 12:59:29 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-13-matthewgarrett@google.com>
Subject: [PATCH V35 12/29] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, Kees Cook, x86@kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: Kees Cook
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c | 7 +++++--
 include/linux/security.h | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 8adbd62b7669..79250b2ffb8f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 655fe388e615..316f7cf4e996 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
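Review bot: both ioport.c hunks gate only privilege increases ('turn_on' in ksys_ioperm(), 'level > old' in iopl()), so a task that obtained I/O privilege before lockdown took effect keeps it and can still reach the PCI configuration and MMIO space the message describes; if lockdown can be engaged after boot in this series, the commit message should say that existing I/O privilege is intentionally left alone, and if it is only ever set at boot, say that instead. Also, because the hook's result is folded into the same -EPERM as the capable() failure, user space cannot distinguish "no CAP_SYS_RAWIO" from "locked down" on this path, which matters for anyone debugging a failing iopl() call; a short note in the message would save that confusion.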
Date: Mon, 15 Jul 2019 12:59:30 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-14-matthewgarrett@google.com>
Subject: [PATCH V35 13/29] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, Kees Cook, Thomas Gleixner, x86@kernel.org

From: Matthew Garrett

Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Kees Cook
Reviewed-by: Thomas Gleixner
cc: x86@kernel.org
---
 arch/x86/kernel/msr.c | 8 ++++++++
 include/linux/security.h | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 10 insertions(+)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 3db2252b958d..1547be359d7f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -34,6 +34,7 @@ #include #include #include +#include #include #include @@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + err = security_locked_down(LOCKDOWN_MSR); + if (err) + return err; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + err = security_locked_down(LOCKDOWN_MSR); + if (err) + break; err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; diff --git a/include/linux/security.h b/include/linux/security.h index 79250b2ffb8f..155ff026eca4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -109,6 +109,7 @@ enum lockdown_reason { LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, + LOCKDOWN_MSR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 316f7cf4e996..d99c0bee739d 100644
--- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", + [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
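Review bot: in the msr_ioctl() hunk the lockdown check lands after the copy of the register block from user space (the 'err = -EFAULT; break;' just above it) and directly in front of wrmsr_safe_regs_on_cpu(), which is the right spot, but the hunk context does not show which ioctl case this is; add a one-line comment naming it so a later reader does not assume the read ioctl is gated too. The msr_write() hunk is ordered correctly (lockdown check before the 'count % 8' test, so a refused write never reaches an MSR), and reads are intentionally left alone; the commit message should say that reads are a confidentiality concern outside this patch rather than an oversight.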
Date: Mon, 15 Jul 2019 12:59:31 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-15-matthewgarrett@google.com>
Subject: [PATCH V35 14/29] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org --- drivers/acpi/custom_method.c | 6 ++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 8 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index b2ef4c2ec955..7031307becd7 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -9,6 +9,7 @@ #include #include #include +#include #include "internal.h" @@ -29,6 +30,11 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + int ret; + + ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + if (ret) + return ret; if (!(*ppos)) { /* parse the table header to get the table length */ diff --git a/include/linux/security.h b/include/linux/security.h index 155ff026eca4..1c32522b3c5a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -110,6 +110,7 @@ enum lockdown_reason { LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, + LOCKDOWN_ACPI_TABLES, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d99c0bee739d..67dbc5c70ea0 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", + [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Mon Jul 15 19:59:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044823 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 904EF746 for ; Mon, 15 Jul 2019 20:00:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 80298205F8 for ; Mon, 15 Jul 2019 20:00:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 742F7212D5; Mon, 15 Jul 2019 20:00:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1ACFE205F8 for ; Mon, 15 Jul 2019 20:00:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732489AbfGOUAf (ORCPT ); Mon, 15 Jul 2019 16:00:35 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:52098 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731720AbfGOUAe (ORCPT ); Mon, 15 Jul 2019 16:00:34 -0400 Received: by mail-pf1-f202.google.com with SMTP id 145so10858114pfv.18 for ; Mon, 15 Jul 2019 13:00:33 -0700 (PDT) DKIM-Signature: v=1; 
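Review bot: in the cm_write hunk the lockdown check sits before the `if (!(*ppos))` header parse, so continuation writes are refused as well as the first chunk, which is the right placement; but the reason passed is LOCKDOWN_ACPI_TABLES, whose string in the lockdown.c hunk reads "modified ACPI tables", while custom_method injects AML methods rather than whole tables, so either state in the commit message that denials will be reported under that label or introduce a reason specific to custom_method. The only feedback userspace gets is the error returned from security_locked_down() via `ret`, so the label matters for anyone reading the log.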
Date: Mon, 15 Jul 2019 12:59:32 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-16-matthewgarrett@google.com>
Subject: [PATCH V35 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , Kees Cook , Dave Young , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware . Reject the option when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: Dave Young cc: linux-acpi@vger.kernel.org --- drivers/acpi/osl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index 9c0edf2fc0dd..06e7cffc4386 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include 
@@ -180,7 +181,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer(); From patchwork Mon Jul 15 19:59:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044867 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DAA9114DB for ; Mon, 15 Jul 2019 20:02:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CC6142843B for ; Mon, 15 Jul 2019 20:02:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C0EB428449; Mon, 15 Jul 2019 20:02:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6C2FD2844B for ; Mon, 15 Jul 2019 20:02:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732464AbfGOUCD (ORCPT ); Mon, 15 Jul 2019 16:02:03 -0400 Received: from mail-qk1-f201.google.com ([209.85.222.201]:36032 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732446AbfGOUAh (ORCPT ); Mon, 15 Jul 2019 16:00:37 -0400 Received: by mail-qk1-f201.google.com with SMTP id t124so14748094qkh.3 for ; Mon, 15 Jul 2019 13:00:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
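Review bot: the acpi_os_get_root_pointer hunk drops a user-supplied acpi_rsdp silently when locked down, whereas the table-override patch later in this series prints a pr_notice before ignoring the override; an operator who booted with acpi_rsdp= and silently got the firmware pointer instead has no log line explaining why. Suggest splitting the condition so the refusal is logged, e.g. `if (acpi_rsdp) { if (!security_locked_down(LOCKDOWN_ACPI_TABLES)) return acpi_rsdp; pr_notice("kernel is locked down, ignoring acpi_rsdp\n"); }`.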
Date: Mon, 15 Jul 2019 12:59:33 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-17-matthewgarrett@google.com>
Subject: [PATCH V35 16/29] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Linn Crosetto , David Howells , Matthew Garrett , Kees Cook , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Linn Crosetto From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org --- drivers/acpi/tables.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index b32327759380..180ac4329763 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "internal.h" #ifdef CONFIG_ACPI_CUSTOM_DSDT 
@@ -578,6 +579,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (security_locked_down(LOCKDOWN_ACPI_TABLES)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); From patchwork Mon Jul 15 19:59:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044863 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 999FD14DB for ; Mon, 15 Jul 2019 20:02:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8959F2843B for ; Mon, 15 Jul 2019 20:02:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7DDBE2844B; Mon, 15 Jul 2019 20:02:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 216A12843B for ; Mon, 15 Jul 2019 20:02:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732546AbfGOUCB (ORCPT ); Mon, 15 Jul 2019 16:02:01 -0400 Received: from mail-pg1-f202.google.com ([209.85.215.202]:43609 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732464AbfGOUAj (ORCPT ); Mon, 15 Jul 2019 16:00:39 -0400 Received: by mail-pg1-f202.google.com with SMTP id p29so2877633pgm.10 for ; Mon, 15 Jul 2019 13:00:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
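Review bot: the early return in the acpi_table_upgrade hunk is placed after `if (table_nr == 0) return;`, so the notice only fires when an override was actually supplied, which is correct; `table_nr` is still in scope there, and the message would be more actionable if it reported how many tables were ignored. The commit message quotes initrd_table_override.txt but the patch does not touch it; that document should gain a sentence saying the override is disabled when the kernel is locked down.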
Date: Mon, 15 Jul 2019 12:59:34 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-18-matthewgarrett@google.com>
Subject: [PATCH V35 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Dominik Brodowski , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- drivers/pcmcia/cistpl.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index abd029945cc8..629359fe3513 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -1575,6 +1576,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + error = security_locked_down(LOCKDOWN_PCMCIA_CIS); + if (error) + return error; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) diff --git a/include/linux/security.h b/include/linux/security.h index 1c32522b3c5a..3773ad09b831 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -111,6 +111,7 @@ enum lockdown_reason { LOCKDOWN_IOPORT, LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, + LOCKDOWN_PCMCIA_CIS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 67dbc5c70ea0..96106c2870ef 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -26,6 +26,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", + [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Mon Jul 15 19:59:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044827 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 984B5112C for ; Mon, 15 Jul 2019 20:00:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 87898205F8 for ; Mon, 15 Jul 2019 20:00:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7B5AD223A6; Mon, 15 Jul 2019 20:00:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 55FC6205F8 for ; Mon, 15 Jul 2019 20:00:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732561AbfGOUAm (ORCPT ); Mon, 15 Jul 2019 16:00:42 -0400 Received: from mail-qk1-f201.google.com ([209.85.222.201]:54402 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732551AbfGOUAm (ORCPT ); Mon, 15 Jul 2019 16:00:42 -0400 Received: by mail-qk1-f201.google.com with SMTP id b139so14656742qkc.21 for ; Mon, 15 Jul 2019 13:00:41 -0700 (PDT) 
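Review bot: in the pccard_store_cis hunk the check precedes both `to_socket()` and the `if (off)` handling, so writes at a non-zero offset are refused as well, which is right for a CIS replacement that arrives in chunks; the commit message should also spell out that LOCKDOWN_PCMCIA_CIS is inserted before LOCKDOWN_INTEGRITY_MAX in the security.h hunk and is therefore enforced in integrity mode, since the enum position rather than the name decides which lockdown level denies it.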
Date: Mon, 15 Jul 2019 12:59:35 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-19-matthewgarrett@google.com>
Subject: [PATCH V35 18/29] Lock down TIOCSSERIAL
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Greg Kroah-Hartman , Matthew Garrett , Kees Cook , Jiri Slaby , linux-serial@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: Jiri Slaby Cc: linux-serial@vger.kernel.org --- drivers/tty/serial/serial_core.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 4223cb496764..6e713be1d4e9 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -862,6 +863,10 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, goto check_and_exit; } + retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); + if (retval && (change_irq || change_port)) + goto exit; + /* * Ask the low level driver to verify the settings. */ diff --git a/include/linux/security.h b/include/linux/security.h index 3773ad09b831..8f7048395114 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -112,6 +112,7 @@ enum lockdown_reason { LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, + LOCKDOWN_TIOCSSERIAL, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 96106c2870ef..07a49667f234 100644 
--- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -27,6 +27,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", + [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Mon Jul 15 19:59:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044829 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9CA51746 for ; Mon, 15 Jul 2019 20:00:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8847E212D5 for ; Mon, 15 Jul 2019 20:00:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 78FC7205F8; Mon, 15 Jul 2019 20:00:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D6B99205F8 for ; Mon, 15 Jul 2019 20:00:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732520AbfGOUAr (ORCPT ); Mon, 15 Jul 2019 16:00:47 -0400 Received: from mail-pl1-f202.google.com ([209.85.214.202]:53771 "EHLO mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732572AbfGOUAo (ORCPT ); Mon, 15 Jul 2019 16:00:44 -0400 Received: by mail-pl1-f202.google.com with SMTP id y22so8806666plr.20 for ; Mon, 15 Jul 2019 13:00:44 -0700 
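Review bot: in the uart_set_info hunk security_locked_down(LOCKDOWN_TIOCSSERIAL) is called unconditionally and its result is only acted on when change_irq or change_port is set, so an LSM that logs or audits lockdown queries will record a refused query for every TIOCSSERIAL call that merely changes flags or delays on a locked-down system. Test the change flags first and only then consult the hook, e.g. `if (change_irq || change_port) { retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); if (retval) goto exit; }`.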
Date: Mon, 15 Jul 2019 12:59:36 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-20-matthewgarrett@google.com>
Subject: [PATCH V35 19/29] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alan Cox , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- include/linux/security.h | 1 + kernel/params.c | 28 +++++++++++++++++++++++----- security/lockdown/lockdown.c | 1 + 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 8f7048395114..43fa3486522b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -113,6 +113,7 @@ enum lockdown_reason { LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, + LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/params.c b/kernel/params.c index cf448785d058..f2779a76d39a 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_SYSFS /* Protects all built-in parameters, modules use their own param_lock */ @@ -96,13 +97,20 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) + return false; + if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + return true; } static int parse_one(char *param, 
@@ -132,8 +140,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } @@ -541,6 +551,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) ((mod)->name) +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, @@ -553,8 +569,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 07a49667f234..065432f9e218 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Mon Jul 15 19:59:37 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11044861
Date: Mon, 15 Jul 2019 12:59:37 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-21-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 20/29] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Thomas Gleixner , Matthew Garrett , Steven Rostedt , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org

From: David Howells

The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy.

Suggested-by: Thomas Gleixner
Signed-off-by: David Howells
Acked-by: Steven Rostedt (VMware)
cc: Thomas Gleixner
cc: Steven Rostedt
cc: Ingo Molnar
cc: "H. Peter Anvin"
cc: x86@kernel.org

--- arch/x86/mm/testmmiotrace.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index 0881e1ff1e58..a8bd952e136d 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c @@ -8,6 +8,7 @@ #include #include #include +#include static unsigned long mmio_address; module_param_hw(mmio_address, ulong, iomem, 0); @@ -115,6 +116,10 @@ static void do_test_bulk_ioremapping(void) static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + int ret = security_locked_down(LOCKDOWN_MMIOTRACE); + + if (ret) + return ret; if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); diff --git a/include/linux/security.h b/include/linux/security.h index 43fa3486522b..3f7b6a4cd65a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -114,6 +114,7 @@ enum lockdown_reason { LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, + LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 065432f9e218..e725f63c29d2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
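Review bot: in the arch/x86/mm/testmmiotrace.c hunk the lockdown check is the first executable statement of init() and precedes the `mmio_address == 0` validation, so a locked-down kernel refuses the load before any parameter is looked at, which is the right order. Since `mmio_address` is declared via module_param_hw() and is therefore already refused at parameter-set time by the module-parameter lockdown patch earlier in this series, a one-line comment stating that the init-time check exists so that loading the module with no parameters is refused too would save the next reader the cross-reference.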
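Review bot: LOCKDOWN_MMIOTRACE is inserted ahead of LOCKDOWN_INTEGRITY_MAX in the include/linux/security.h hunk, so the module is refused in integrity mode as well as confidentiality mode, yet the commit message only says "when the kernel is locked down". State the mode explicitly in the message (the justification is already there: the module can write MMIO space, not just read it), so the placement is documented as deliberate.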
@@ -29,6 +29,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", + [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Mon Jul 15 19:59:38 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11044859
Date: Mon, 15 Jul 2019 12:59:38 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-22-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 21/29] Lock down /proc/kcore
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook

From: David Howells

Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook

--- fs/proc/kcore.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index f5834488b67d..ee2c576cc94e 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "internal.h" @@ -545,6 +546,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_KCORE); + + if (ret) + return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; diff --git a/include/linux/security.h b/include/linux/security.h index 3f7b6a4cd65a..f0cffd0977d3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -116,6 +116,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_KCORE, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index e725f63c29d2..9c097240a3a6 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
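Review bot: in the fs/proc/kcore.c hunk the security_locked_down() call is placed ahead of the existing `capable(CAP_SYS_RAWIO)` test, so every open of /proc/kcore by an unprivileged process on a locked-down kernel goes through the LSM hook before being rejected for lack of capability anyway. Consider ordering the cheap capability check first and the lockdown check second, so the hook (and whatever auditing an LSM attaches to it) only sees callers that would otherwise have succeeded.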
@@ -31,6 +31,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Mon Jul 15 19:59:39 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11044857
Date: Mon, 15 Jul 2019 12:59:39 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-23-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 22/29] Lock down tracing and perf kprobes when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net

From: David Howells

Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Masami Hiramatsu
Reviewed-by: Kees Cook
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: davem@davemloft.net
Cc: Masami Hiramatsu

--- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 7d736248a070..fcb28b0702b2 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; 
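Review bot: the hunk in __register_trace_kprobe() gates only probes created through the tracefs/perf interface, which is what allows the commit message's statement that kprobes from signed modules keep working, but nothing in the code says so; add a short comment above `ret = security_locked_down(LOCKDOWN_KPROBES);` explaining that the restriction targets user-created probes, which can read arbitrary kernel memory, and deliberately leaves in-kernel register_kprobe() callers alone, so the scope is not narrowed or widened by accident later.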
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 9c097240a3a6..ccb3e9a2a47c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Mon Jul 15 19:59:40 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11044855
Date: Mon, 15 Jul 2019 12:59:40 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-24-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann

From: David Howells

bpf_read() and bpf_read_str() could potentially be abused to (eg) allow private keys in kernel memory to be leaked. Disable them if the kernel has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov
Signed-off-by: Matthew Garrett
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann

--- include/linux/security.h | 1 + kernel/trace/bpf_trace.c | 10 ++++++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 12 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 987d8427f091..8dd1741a52cd 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -118,6 +118,7 @@ enum lockdown_reason { LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, + LOCKDOWN_BPF_READ, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index ca1255d14576..605908da61c5 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -142,7 +142,12 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret) + goto out; + ret = probe_kernel_read(dst, unsafe_ptr, size); +out: if (unlikely(ret < 0)) memset(dst, 0, size); @@ -569,6 +574,10 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret) + goto out; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing 
@@ -579,6 +588,7 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, * is returned that can be used for bpf_perf_event_output() et al. */ ret = strncpy_from_unsafe(dst, unsafe_ptr, size); +out: if (unlikely(ret < 0)) memset(dst, 0, size); diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index ccb3e9a2a47c..d14b89784412 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
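Review bot: the bpf_probe_read() hunk routes the lockdown refusal through the existing `out:` label, so `memset(dst, 0, size)` still runs and the program never observes stale buffer contents; the same holds for the bpf_probe_read_str() hunk. That is the correct behaviour but reads like an error path that skipped the read by accident, so a one-line comment at the `goto out` is warranted. Separately, security_locked_down() is now called on every helper invocation from a tracing program, which is a hot path; checking once when the helper's prototype is handed to the verifier would give the same protection for newly loaded programs without the per-call cost, at the price of not reacting to a lockdown transition after load. The commit message should say which trade-off was chosen.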
@@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", + [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Mon Jul 15 19:59:41 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11044831
Date: Mon, 15 Jul 2019 12:59:41 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-25-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 24/29] Lock down perf when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo

From: David Howells

Disallow the use of certain perf facilities that might allow userspace to access kernel data.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo

--- include/linux/security.h | 1 + kernel/events/core.c | 7 +++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 8dd1741a52cd..8ef366de70b0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -119,6 +119,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index 785d708f8553..738d6f1cf5ec 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10806,6 +10806,13 @@ SYSCALL_DEFINE5(perf_event_open, perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + + err = 0; + /* * In cgroup mode, the pid argument is used to pass the fd * opened to the cgroup directory in cgroupfs. The cpu argument diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d14b89784412..e43c9d001e49 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
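Review bot: in the kernel/events/core.c hunk the LSM hook is consulted unconditionally and its result only matters when `attr.sample_type & PERF_SAMPLE_REGS_INTR` is set, which is also why the `err = 0;` reset is needed afterwards. Test the flag first: `if (attr.sample_type & PERF_SAMPLE_REGS_INTR) { err = security_locked_down(LOCKDOWN_PERF); if (err) return err; }` avoids the call in the common case and leaves `err` untouched. The commit message's "certain perf facilities" should also name PERF_SAMPLE_REGS_INTR, since that is the only facility the code restricts.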
@@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Mon Jul 15 19:59:42 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11044837
Date: Mon, 15 Jul 2019 12:59:42 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-26-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett Acked-by: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 12 +++++-- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 3 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index a20ad398d260..1c37f17f7203 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ 
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index dd06f1070d66..13c9960a5860 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -228,9 +228,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = security_locked_down(LOCKDOWN_KEXEC); - if (ret) + ret = 0; + + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC)) { + ret = -EPERM; goto out; + } break; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 011b91c79351..64dcb11cf444 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -113,6 +113,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 584019728660..b9f57503af2c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 6df7f641ff66..827f1e33fe86 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. 
+ */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
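Review bot: the kernel/kexec_file.c hunk hard-codes `ret = -EPERM` instead of propagating what security_locked_down(LOCKDOWN_KEXEC) returned, which the replaced lines did. Keeping the hook's return value, `ret = security_locked_down(LOCKDOWN_KEXEC); if (ret) goto out;` inside the `!ima_appraise_signature(READING_KEXEC_IMAGE)` branch, preserves the existing behaviour and leaves the choice of error to the LSM. The multi-line comment above the check should also open with `/*` on its own line, as elsewhere in the file.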
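Review bot: `extern const int read_idmap[];` in security/integrity/ima/ima.h drops the bound that the definition in ima_main.c carries (`read_idmap[READING_MAX_ID]`). Declaring it as `extern const int read_idmap[READING_MAX_ID];` lets the compiler catch a mismatch and ties the `id >= READING_MAX_ID` guard in ima_appraise_signature() visibly to the array size.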
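Review bot: ima_appraise_signature() in the ima_policy.c hunk can report that IMA will appraise a signature when it will not. The loop skips every non-APPRAISE entry with `if (entry->action != APPRAISE) continue;`, so a dont_appraise rule for the same hook that precedes an appraise rule is ignored here although it would stop appraisal in the real policy walk; and only `entry->func` is compared, so an appraise rule carrying additional conditions (owner, filesystem and so on) is treated as matching every kexec image. Either apply the same conditions the policy matcher applies, or document that the helper is only meaningful for policies whose kexec appraise rules are unconditional. The first-match-then-break logic itself is right for the reason given in the comment.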
From patchwork Mon Jul 15 19:59:43 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044833 Date: Mon, 15 Jul 2019 12:59:43 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-27-matthewgarrett@google.com> Subject: [PATCH V35 26/29] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Andy Shevchenko , acpi4asus-user@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, Matthew Garrett , Thomas Gleixner , Matthew Garrett
From: David Howells

Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made:

(1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that).

(2) When the kernel is locked down, only files with the following criteria are permitted to be opened:
- The file must have mode 00444
- The file must not have ioctl methods
- The file must not have mmap

(3) When the kernel is locked down, files may only be opened for reading.

Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver.

I would actually prefer to lock down all files by default and have the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables).

Signed-off-by: David Howells cc: Andy Shevchenko cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner
Signed-off-by: Matthew Garrett --- fs/debugfs/file.c | 30 ++++++++++++++++++++++++++++++ fs/debugfs/inode.c | 32 ++++++++++++++++++++++++++++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 4 files changed, 62 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 93e4ca6b2ad7..87846aad594b 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "internal.h" @@ -136,6 +137,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return security_locked_down(LOCKDOWN_DEBUGFS); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +167,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +297,11 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ 
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 042b688ed124..7b975dbb2bb4 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "internal.h" @@ -35,6 +36,32 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + int ret = security_locked_down(LOCKDOWN_DEBUGFS); + + if (ret && (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) + return ret; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -369,6 +396,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -532,7 +560,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) } inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
@@ -632,7 +660,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry); diff --git a/include/linux/security.h b/include/linux/security.h index 8ef366de70b0..d92323b44a3f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -115,6 +115,7 @@ enum lockdown_reason { LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, + LOCKDOWN_DEBUGFS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index e43c9d001e49..37ef46320ef4 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -30,6 +30,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", + [LOCKDOWN_DEBUGFS] = "debugfs access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes",
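Review bot: in the fs/debugfs/inode.c hunk, debugfs_setattr() calls `security_locked_down(LOCKDOWN_DEBUGFS)` before `ia_valid` is inspected, so on a locked-down kernel every attribute change that is still permitted (size or timestamp updates, for instance) emits the "Lockdown: ... is restricted" notice from lockdown_is_locked_down() even though simple_setattr() then proceeds. Test `ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)` first and only then call the hook. Separately, item (1) of the commit message says chmod and chown are disallowed outright, while this code refuses them only when the kernel is locked down; the message should say so.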
From patchwork Mon Jul 15 19:59:44 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044843 Date: Mon, 15 Jul 2019 12:59:44 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-28-matthewgarrett@google.com> Subject: [PATCH V35 27/29] tracefs: Restrict tracefs when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Steven Rostedt Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open(). Signed-off-by: Matthew Garrett Cc: Steven Rostedt --- fs/tracefs/inode.c | 38 +++++++++++++++++++++++++++++++++++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index eeeae0475da9..4c04c0c89514 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c @@ -20,6 +20,7 @@ #include #include #include +#include #define TRACEFS_DEFAULT_MODE 0700 @@ -27,6 +28,23 @@ static struct vfsmount *tracefs_mount; static int tracefs_mount_count; static bool tracefs_registered; +static int default_open_file(struct inode *inode, struct file *filp) +{ + struct dentry *dentry = filp->f_path.dentry; + struct file_operations *real_fops; + int ret; + + if (!dentry) + return -EINVAL; + + ret = security_locked_down(LOCKDOWN_TRACEFS); + if (ret) + return ret; + + real_fops = dentry->d_fsdata; + return real_fops->open(inode, filp); +} + static ssize_t default_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) { @@ -221,6 +239,12 @@ static int tracefs_apply_options(struct super_block *sb) return 0; } +static void tracefs_destroy_inode(struct inode *inode) +{ + if (S_ISREG(inode->i_mode)) + kfree(inode->i_fop); +} + static int tracefs_remount(struct super_block *sb, int *flags, char *data) { int err; 
@@ -256,6 +280,7 @@ static int tracefs_show_options(struct seq_file *m, struct dentry *root) static const struct super_operations tracefs_super_operations = { .statfs = simple_statfs, + .destroy_inode = tracefs_destroy_inode, .remount_fs = tracefs_remount, .show_options = tracefs_show_options, }; @@ -389,6 +414,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, { struct dentry *dentry; struct inode *inode; + struct file_operations *proxy_fops; if (!(mode & S_IFMT)) mode |= S_IFREG; @@ -402,8 +428,18 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, if (unlikely(!inode)) return failed_creating(dentry); + proxy_fops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); + if (!proxy_fops) + return failed_creating(dentry); + + if (fops) + fops = &tracefs_file_operations; + + dentry->d_fsdata = (void *)fops; + memcpy(proxy_fops, fops, sizeof(*proxy_fops)); + proxy_fops->open = default_open_file; inode->i_mode = mode; - inode->i_fop = fops ? fops : &tracefs_file_operations; + inode->i_fop = proxy_fops; inode->i_private = data; d_instantiate(dentry, inode); fsnotify_create(dentry->d_parent->d_inode, dentry); diff --git a/include/linux/security.h b/include/linux/security.h index d92323b44a3f..807dc0d24982 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -121,6 +121,7 @@ enum lockdown_reason { LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF, + LOCKDOWN_TRACEFS, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 37ef46320ef4..fd7cdbddd814 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -36,6 +36,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_PERF] = "unsafe use of perf", + [LOCKDOWN_TRACEFS] = "use of tracefs", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
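Review bot: default_open_file() in the first fs/tracefs/inode.c hunk calls `real_fops->open(inode, filp)` without checking for NULL. file_operations handed to tracefs_create_file() that provide only read and write methods have no open, and the proxy now dereferences it unconditionally; add `if (!real_fops->open) return 0;` after the lockdown check.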
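Review bot: in the tracefs_create_file() hunk the condition `if (fops) fops = &tracefs_file_operations;` is inverted: every caller that supplies its own fops has them replaced by the defaults, and a NULL fops reaches `memcpy(proxy_fops, fops, sizeof(*proxy_fops))`. It should read `if (!fops)`, matching the replaced `fops ? fops : &tracefs_file_operations`. In the same hunk the kzalloc() failure path returns failed_creating(dentry) without releasing the inode obtained just above it; add `iput(inode)` before returning.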
From patchwork Mon Jul 15 19:59:45 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044839 Date: Mon, 15 Jul 2019 12:59:45 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-29-matthewgarrett@google.com> Subject: [PATCH V35 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Ard Biesheuvel , Kees Cook , linux-efi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. Signed-off-by: Matthew Garrett Acked-by: Ard Biesheuvel Reviewed-by: Kees Cook Cc: Ard Biesheuvel Cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/efi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index ad3b1f4866b3..776f479e5499 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -30,6 +30,7 @@ #include #include #include +#include #include 
@@ -242,6 +243,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else
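Review bot: efivar_ssdt_setup() is an early_param handler, and the early-option parser reacts to a non-zero return only by printing "Malformed early option", so returning `ret` here turns a lockdown refusal into a misleading warning about the parameter's syntax; return 0 after the refusal, since lockdown_is_locked_down() already logs the restriction. It is also worth considering placing the check in efivar_ssdt_load(), the function the subject names: at early_param time whether lockdown is already in effect depends on where `lockdown=` appears on the command line relative to `efivar_ssdt=`, whereas the load itself happens later.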
From patchwork Mon Jul 15 19:59:46 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11044845 Date: Mon, 15 Jul 2019 12:59:46 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-30-matthewgarrett@google.com> Subject: [PATCH V35 29/29] lockdown: Print current->comm in restriction messages
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: : is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- fs/proc/kcore.c | 5 +++-- security/lockdown/lockdown.c | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index ee2c576cc94e..e2ed8e08cc7a 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp) { int ret = security_locked_down(LOCKDOWN_KCORE); - if (ret) - return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; + if (ret) + return ret; + filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!filp->private_data) return -ENOMEM; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index fd7cdbddd814..bbf30d34542c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param); */ static int lockdown_is_locked_down(enum lockdown_reason what) { + if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX, + "Invalid lockdown reason")) + return -EPERM; + if (kernel_locked_down >= what) { if (lockdown_reasons[what]) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - lockdown_reasons[what]); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, lockdown_reasons[what]); return -EPERM; }
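Review bot: in the fs/proc/kcore.c hunk the `security_locked_down(LOCKDOWN_KCORE)` call stays in the declaration of `ret`, so the restriction notice is still logged for callers that then fail the `capable(CAP_SYS_RAWIO)` test; only the error returned to them has changed. Move the call below the capability check so that unprivileged opens neither reach the hook nor generate log noise.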
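Review bot: current->comm is chosen by the process itself (prctl PR_SET_NAME), so the new `"Lockdown: %s: %s is restricted"` notice places an untrusted string ahead of the reason text; anything that parses these messages should key on the reason, and the kernel_lockdown.7 description of the format should note that the first field is the task name. The WARN() on `what >= LOCKDOWN_CONFIDENTIALITY_MAX` is welcome, since lockdown_reasons[] is indexed by `what` directly.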