From patchwork Thu Jul 18 19:43:47 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049533
Date: Thu, 18 Jul 2019 12:43:47 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-2-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog
Subject: [PATCH V36 01/29] security: Support early LSMs
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The lockdown module is intended to allow for kernels to be locked down early in boot - sufficiently early that we don't have the ability to kmalloc() yet. Add support for early initialisation of some LSMs, and then add them to the list of names when we do full initialisation later. Early LSMs are initialised in link order and cannot be overridden via boot parameters, and cannot make use of kmalloc() (since the allocator isn't initialised yet). Signed-off-by: Matthew Garrett Acked-by: Kees Cook Acked-by: Casey Schaufler --- include/asm-generic/vmlinux.lds.h | 8 ++++- include/linux/lsm_hooks.h | 6 ++++ include/linux/security.h | 1 + init/main.c | 1 + security/security.c | 50 ++++++++++++++++++++++++++----- 5 files changed, 57 insertions(+), 9 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index ca42182992a5..6cc6174a2a4c 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -215,8 +215,13 @@ __start_lsm_info = .; \ KEEP(*(.lsm_info.init)) \ __end_lsm_info = .; +#define EARLY_LSM_TABLE() . = ALIGN(8); \ + __start_early_lsm_info = .; \ + KEEP(*(.early_lsm_info.init)) \ + __end_early_lsm_info = .; #else #define LSM_TABLE() +#define EARLY_LSM_TABLE() #endif #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) @@ -616,7 +621,8 @@ ACPI_PROBE_TABLE(irqchip) \ ACPI_PROBE_TABLE(timer) \ EARLYCON_TABLE() \ - LSM_TABLE() + LSM_TABLE() \ + EARLY_LSM_TABLE() #define INIT_TEXT \ *(.init.text .init.text.*) \ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index df1318d85f7d..aebb0e032072 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -2104,12 +2104,18 @@ struct lsm_info { }; extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; +extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; #define DEFINE_LSM(lsm) \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ __aligned(sizeof(unsigned long)) +#define DEFINE_EARLY_LSM(lsm) \ + static struct lsm_info __early_lsm_##lsm \ + __used __section(.early_lsm_info.init) \ + __aligned(sizeof(unsigned long)) + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/security.h b/include/linux/security.h index 5f7441abbf42..66a2fcbe6ab0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -195,6 +195,7 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb); /* prototypes */ extern int security_init(void); +extern int early_security_init(void); /* Security operations */ int security_binder_set_context_mgr(struct task_struct *mgr); diff --git a/init/main.c b/init/main.c index ff5803b0841c..0fefca3fd43c 100644 --- a/init/main.c +++ b/init/main.c @@ -593,6 +593,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + early_security_init(); setup_arch(&command_line); mm_init_cpumask(&init_mm); setup_command_line(command_line); diff --git a/security/security.c b/security/security.c index 250ee2d76406..90f1e291c800 100644 --- a/security/security.c +++ b/security/security.c @@ -33,6 +33,7 @@ /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) +#define EARLY_LSM_COUNT (__end_early_lsm_info - __start_early_lsm_info) struct security_hook_heads security_hook_heads __lsm_ro_after_init; static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); 
@@ -277,6 +278,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init lsm_early_cred(struct cred *cred); static void __init lsm_early_task(struct task_struct *task); +static int lsm_append(const char *new, char **result); + static void __init ordered_lsm_init(void) { struct lsm_info **lsm; @@ -323,6 +326,26 @@ static void __init ordered_lsm_init(void) kfree(ordered_lsms); } +int __init early_security_init(void) +{ + int i; + struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; + + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); + i++) + INIT_HLIST_HEAD(&list[i]); + + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; + prepare_lsm(lsm); + initialize_lsm(lsm); + } + + return 0; +} + /** * security_init - initializes the security framework * @@ -330,14 +353,18 @@ static void __init ordered_lsm_init(void) */ int __init security_init(void) { - int i; - struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; pr_info("Security Framework initializing\n"); - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); - i++) - INIT_HLIST_HEAD(&list[i]); + /* + * Append the names of the early LSM modules now that kmalloc() is + * available + */ + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (lsm->enabled) + lsm_append(lsm->name, &lsm_names); + } /* Load LSMs in specified order. */ ordered_lsm_init(); @@ -384,7 +411,7 @@ static bool match_last_lsm(const char *list, const char *lsm) return !strcmp(last, lsm); } -static int lsm_append(char *new, char **result) +static int lsm_append(const char *new, char **result) { char *cp; 
@@ -422,8 +449,15 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, hooks[i].lsm = lsm; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } - if (lsm_append(lsm, &lsm_names) < 0) - panic("%s - Cannot get early memory.\n", __func__); + + /* + * Don't try to append during early_security_init(), we'll come back + * and fix this up afterwards. + */ + if (slab_is_available()) { + if (lsm_append(lsm, &lsm_names) < 0) + panic("%s - Cannot get early memory.\n", __func__); + } } int call_blocking_lsm_notifier(enum lsm_event event, void *data)

From patchwork Thu Jul 18 19:43:48 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049531
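Review bot: in the security_init() hunk of security/security.c, "if (lsm->enabled)" tests the pointer rather than the value it points to, and early_security_init() has just replaced every NULL pointer with &lsm_enabled_true, so the condition is always true and an early LSM whose enabled flag points at a false value would still be recorded in lsm_names; dereference it ("if (*lsm->enabled)") or reuse the same enabled test the ordered path applies. The return value of lsm_append() is also discarded in this loop, while the identical call in security_add_hooks() panics when it fails; either handle the error the same way or say in the comment why a missing name is tolerable here.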
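Review bot: the include/linux/lsm_hooks.h hunk adds DEFINE_EARLY_LSM() without any comment, although the constraints that come with it appear only in the commit message: the module is initialised from early_security_init() before setup_arch(), in link order, it cannot be overridden via boot parameters, and it must not call kmalloc() because the allocator is not up yet. Add a short comment above the macro stating those rules, and mention that security_add_hooks() skips the lsm_names update until slab_is_available() and that security_init() fills it in afterwards, so LSM authors know the name is registered late by design.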
Date: Thu, 18 Jul 2019 12:43:48 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-3-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog
Subject: [PATCH V36 02/29] security: Add a "locked down" LSM hook From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Add a mechanism to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. Signed-off-by: Matthew Garrett Acked-by: Kees Cook Acked-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 32 ++++++++++++++++++++++++++++++++ security/security.c | 6 ++++++ 3 files changed, 40 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index aebb0e032072..29c22cf40113 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1807,6 +1807,7 @@ union security_list_options { int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux); void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); #endif /* CONFIG_BPF_SYSCALL */ + int (*locked_down)(enum lockdown_reason what); }; struct security_hook_heads { @@ -2046,6 +2047,7 @@ struct security_hook_heads { struct hlist_head bpf_prog_alloc_security; struct hlist_head bpf_prog_free_security; #endif /* CONFIG_BPF_SYSCALL */ + struct hlist_head locked_down; } __randomize_layout; /* diff --git a/include/linux/security.h b/include/linux/security.h index 66a2fcbe6ab0..c2b1204e8e26 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -77,6 +77,33 @@ enum lsm_event { LSM_POLICY_CHANGE, }; +/* + * These are reasons that can be passed to the security_locked_down() + * LSM hook. Lockdown reasons that protect kernel integrity (ie, the + * ability for userland to modify kernel code) are placed before + * LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel + * confidentiality (ie, the ability for userland to extract + * information from the running kernel that would otherwise be + * restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX. + * + * LSM authors should note that the semantics of any given lockdown + * reason are not guaranteed to be stable - the same reason may block + * one set of features in one kernel release, and a slightly different + * set of features in a later kernel release. LSMs that seek to expose + * lockdown policy at any level of granularity other than "none", + * "integrity" or "confidentiality" are responsible for either + * ensuring that they expose a consistent level of functionality to + * userland, or ensuring that userland is aware that this is + * potentially a moving target. It is easy to misuse this information + * in a way that could break userspace. Please be careful not to do + * so. + */ +enum lockdown_reason { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX, +}; + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) 
@@ -1205,6 +1233,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 { return -EOPNOTSUPP; } +static inline int security_locked_down(enum lockdown_reason what) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK diff --git a/security/security.c b/security/security.c index 90f1e291c800..ce6c945bf347 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2392,3 +2392,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) call_void_hook(bpf_prog_free_security, aux); } #endif /* CONFIG_BPF_SYSCALL */ + +int security_locked_down(enum lockdown_reason what) +{ + return call_int_hook(locked_down, 0, what); +} +EXPORT_SYMBOL(security_locked_down);

From patchwork Thu Jul 18 19:43:49 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049529
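Review bot: the include/linux/lsm_hooks.h hunk adds the locked_down member to union security_list_options and to security_hook_heads but gives no description of its contract; the only hint that 0 means permitted and a negative errno means denied is the default argument in "call_int_hook(locked_down, 0, what)" in the security.c hunk. Add a locked_down entry alongside the other hook descriptions in this header, stating the expected return values and pointing at enum lockdown_reason for the meaning of "what".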
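Review bot: security_locked_down() is exported with EXPORT_SYMBOL in the security/security.c hunk; given the comment in the security.h hunk that the semantics of any lockdown reason may change between releases, EXPORT_SYMBOL_GPL would be the more cautious choice so that non-GPL modules are not encouraged to build policy on a moving target, and the commit message should say which modular callers need the export at all.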
Date: Thu, 18 Jul 2019 12:43:49 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-4-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog
Subject: [PATCH V36 03/29] security: Add a static lockdown policy LSM
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , David Howells Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: David Howells --- .../admin-guide/kernel-parameters.txt | 9 + include/linux/security.h | 3 + security/Kconfig | 11 +- security/Makefile | 2 + security/lockdown/Kconfig | 47 +++++ security/lockdown/Makefile | 1 + security/lockdown/lockdown.c | 172 ++++++++++++++++++ 7 files changed, 240 insertions(+), 5 deletions(-) create mode 100644 security/lockdown/Kconfig create mode 100644 security/lockdown/Makefile create mode 100644 security/lockdown/lockdown.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 099c5a4be95b..95acd46fd891 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2248,6 +2248,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/include/linux/security.h b/include/linux/security.h index c2b1204e8e26..54a0532ec12f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -97,6 +97,9 @@ enum lsm_event { * potentially a moving target. It is easy to misuse this information * in a way that could break userspace. Please be careful not to do * so. + * + * If you add to this, remember to extend lockdown_reasons in + * security/lockdown/lockdown.c. */ enum lockdown_reason { LOCKDOWN_NONE, diff --git a/security/Kconfig b/security/Kconfig index 06a30851511a..967e86fc415a 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -237,6 +237,7 @@ source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" +source "security/lockdown/Kconfig" source "security/integrity/Kconfig" 
@@ -276,11 +277,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK - default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR - default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO - default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC - default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" + default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK + default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR + default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO + default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/Makefile b/security/Makefile index c598b904938f..be1dd9d2cb2f 100644 --- a/security/Makefile +++ b/security/Makefile @@ -11,6 +11,7 @@ subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid +subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown # always enable default capabilities obj-y += commoncap.o @@ -27,6 +28,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig new file mode 100644 index 000000000000..7374ba76d8eb --- /dev/null 
+++ b/security/lockdown/Kconfig @@ -0,0 +1,47 @@ +config SECURITY_LOCKDOWN_LSM + bool "Basic module for enforcing kernel lockdown" + depends on SECURITY + help + Build support for an LSM that enforces a coarse kernel lockdown + behaviour. + +config SECURITY_LOCKDOWN_LSM_EARLY + bool "Enable lockdown LSM early in init" + depends on SECURITY_LOCKDOWN_LSM + help + Enable the lockdown LSM early in boot. This is necessary in order + to ensure that lockdown enforcement can be carried out on kernel + boot parameters that are otherwise parsed before the security + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on SECURITY_LOCKDOWN_LSM + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + diff --git a/security/lockdown/Makefile b/security/lockdown/Makefile new file mode 100644 index 000000000000..e3634b9017e7 --- /dev/null +++ b/security/lockdown/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown.o diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c new file mode 100644 index 000000000000..d30c4d254b5f --- /dev/null +++ b/security/lockdown/lockdown.c 
@@ -0,0 +1,172 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include + +static enum lockdown_reason kernel_locked_down; + +static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { + [LOCKDOWN_NONE] = "none", + [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", +}; + +static enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_reason level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY_MAX); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY_MAX); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/** + * lockdown_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +static int lockdown_is_locked_down(enum lockdown_reason what) +{ + if (kernel_locked_down >= what) { + if (lockdown_reasons[what]) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + lockdown_reasons[what]); + return -EPERM; + } + + return 0; +} + +static struct 
security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), +}; + +static int __init lockdown_lsm_init(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY_MAX); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); +#endif + security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), + "lockdown"); + return 0; +} + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset = 0; + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + + if (lockdown_reasons[level]) { + const char *label = lockdown_reasons[level]; + + if (kernel_locked_down == level) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = -EINVAL; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (len && state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + const char *label = lockdown_reasons[level]; + + if (label && !strcmp(state, label)) + err = lock_kernel_down("securityfs", level); + } + + kfree(state); + return err ? 
err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); + +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY +DEFINE_EARLY_LSM(lockdown) = { +#else +DEFINE_LSM(lockdown) = { +#endif + .name = "lockdown", + .init = lockdown_lsm_init, +};

From patchwork Thu Jul 18 19:43:50 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049527
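Review bot: lock_kernel_down() in the security/lockdown/lockdown.c hunk does an unlocked compare-then-assign on kernel_locked_down, and lockdown_write() can be entered concurrently by two writers of the securityfs file; a "confidentiality" write and an "integrity" write that both pass the "kernel_locked_down >= level" check can complete in either order, so the final level may end up lower than the one a caller was just told succeeded. Serialise the securityfs path with a mutex, or turn the check-and-set into a cmpxchg loop, so the level can only ever ratchet upwards.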
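Review bot: because lock_kernel_down() returns -EPERM whenever kernel_locked_down >= level, writing "none" (the first label that lockdown_read() lists) always fails, and so does re-writing the level that is already in force; the one-way behaviour is the right design, but neither the kernel-parameters.txt hunk nor the LOCK_DOWN_KERNEL_FORCE_NONE help text (which only says lockdown "may be enabled" via /sys/kernel/security/lockdown) states that the level cannot be lowered again. Document that, and consider letting an idempotent write of the current level succeed instead of returning EPERM, since scripts that set the level at boot will otherwise see an error on every re-run.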
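Review bot: lockdown_read() formats into a fixed "char temp[80]" with sprintf() and no bound; the three labels in lockdown_levels fit today, but the pattern invites an overflow the moment a longer label or another level is added, so use scnprintf(temp + offset, sizeof(temp) - offset, ...) and return the formatted length rather than strlen(temp), which would read an uninitialised buffer if the loop ever wrote nothing.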
Date: Thu, 18 Jul 2019 12:43:50 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-5-matthewgarrett@google.com>
Subject:
[PATCH V36 04/29] Enforce module signatures if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells, Matthew Garrett, Kees Cook, Jessica Yu

From: David Howells

If the kernel is locked down, require that all modules have valid signatures that we can verify.

I have adjusted the errors generated:

(1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then:
    (a) If signatures are enforced then EKEYREJECTED is returned.
    (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases).
(2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (e.g. ENOMEM), we return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet.

[Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.]

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: Jessica Yu
---
 include/linux/security.h | 1 +
 kernel/module.c | 37 +++++++++++++++++++++++++++++-------
 security/lockdown/lockdown.c | 1 +
 3 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h index 54a0532ec12f..8e70063074a1 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -103,6 +103,7 @@ enum lsm_event { */ enum lockdown_reason { LOCKDOWN_NONE, + LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, };
diff --git a/kernel/module.c b/kernel/module.c index a2cee14a83f3..d8e1258e54af 100644
--- a/kernel/module.c +++ b/kernel/module.c @@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2769,16 +2770,38 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d30c4d254b5f..2c53fd9f5c9b 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -18,6 +18,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", + [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
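Review bot: in the kernel/module.c hunk the lockdown branch returns security_locked_down(LOCKDOWN_MODULE_SIGNATURE) without the pr_notice that the enforced branch emits, so a module refused because the kernel is locked down leaves no hint from module_sig_check as to which of the three reasons (unsigned, unsupported crypto, unavailable key) applied; suggest logging reason on that path too, or saying in the comment that the LSM hook is expected to log. The commit message also promises EPERM for the lockdown case while the code propagates whatever security_locked_down() returns; that is the right behaviour, but the message should describe it that way rather than naming a fixed errno.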
Date: Thu, 18 Jul 2019 12:43:51 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-6-matthewgarrett@google.com>
Subject: [PATCH V36 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Kees Cook, x86@kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: x86@kernel.org
---
 drivers/char/mem.c | 7 +++++--
 include/linux/security.h | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek
diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, };
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
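Review bot: the open_port change in drivers/char/mem.c applies the lockdown check only at open() time, and lockdown can be raised at runtime through the securityfs "lockdown" file introduced in 01/29, so a descriptor on /dev/mem, /dev/kmem or /dev/port that was opened before the transition keeps its access afterwards; suggest either stating in the commit message that the restriction covers new opens only, or also checking on the read/write/mmap paths so an already-open descriptor is cut off when the level changes.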
Date: Thu, 18 Jul 2019 12:43:52 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-7-matthewgarrett@google.com>
Subject: [PATCH V36 06/29] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Dave Young, Kees Cook, kexec@lists.infradead.org

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Dave Young
Reviewed-by: Kees Cook
cc: kexec@lists.infradead.org
---
 include/linux/security.h | 1 +
 kernel/kexec.c | 8 ++++++++
 security/lockdown/lockdown.c | 1 +
 3 files changed, 10 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h index 9458152601b5..69c5de539e9a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -105,6 +105,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_KEXEC, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, };
diff --git a/kernel/kexec.c b/kernel/kexec.c index 1b018f1a6e0d..bc933c0db9bf 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -205,6 +205,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + result = security_locked_down(LOCKDOWN_KEXEC); + if (result) + return result; + /* * Verify we have a legal set of flags * This leaves us room for future extensions.
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d2ef29d9f0b2..6f302c156bc8 100644 --- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c 
@@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
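Review bot: the comment added in kexec_load_check ("kexec can be used to circumvent module loading restrictions") understates the rationale given in the commit message, which is that kexec_load() runs arbitrary code in ring 0 with no signature check at all; suggest the comment say that, since the lockdown_reasons label "kexec of unsigned images" only reads correctly once one knows this syscall has no way to carry a signature, so every image through it is unsigned by construction. Placing the check right after the existing result test and before the flags validation is the right spot to fail early.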
Date: Thu, 18 Jul 2019 12:43:53 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-8-matthewgarrett@google.com>
Subject: [PATCH V36 07/29] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Dave Young, David Howells, Matthew Garrett, Kees Cook, kexec@lists.infradead.org

From: Dave Young

A kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot.

Adding a patch to fix this by retaining the secure_boot flag from the original kernel.

The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fix this issue by copying the secure_boot flag across the kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
cc: kexec@lists.infradead.org
---
 arch/x86/kernel/kexec-bzimage64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 5ebcd02cbca7..d2f4e706a428 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;
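Review bot: the new params->secure_boot assignment in setup_efi_state sits after the early "if (efi_enabled(EFI_OLD_MEMMAP)) return 0;", so on the old EFI memory map path the flag is still dropped across kexec and the rebooted kernel again believes secure boot is off, which is exactly the gap the commit message describes; if the flag is meant to survive regardless of memmap mode, move the copy above that return.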
Date: Thu, 18 Jul 2019 12:43:54 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-9-matthewgarrett@google.com>
Subject: [PATCH V36 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac, David Howells, Matthew Garrett, Dave Young, kexec@lists.infradead.org

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
Reviewed-by: Dave Young
cc: kexec@lists.infradead.org
---
 arch/x86/Kconfig | 20 +++++++++----
 crypto/asymmetric_keys/verify_pefile.c | 4 ++-
 include/linux/kexec.h | 4 +--
 kernel/kexec_file.c | 41 ++++++++++++++++++++++----
 4 files changed, 55 insertions(+), 14 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 9df2d1cb7a9e..104995fd32d0 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -2026,20 +2026,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index 3b303fe2f061..cc9dbcecaaca 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, 
@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index b8cc032d5620..875482c34154 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
@@ -202,14 +203,42 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); #endif /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
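Review bot: in the `decide:` branch, when CONFIG_KEXEC_SIG_FORCE is set the code jumps to `out` with `ret` still holding the verifier's own errno (-ENODATA, -ENOPKG or -ENOKEY), so userspace gets ENODATA for an unsigned image instead of a permission-style error and cannot tell a policy rejection from a read or parse failure; suggest setting one documented value, e.g. `ret = -EKEYREJECTED;` before `goto out;`, alongside the `pr_notice("%s rejected\n", reason)`. Two smaller points in the same hunk: the comment "non-fatal if we're not checking errors, provided we aren't mandating that there must be a valid signature" states the condition twice, and one clause such as "non-fatal unless KEXEC_SIG_FORCE requires a valid signature" would read better; and dropping `pr_debug("kernel signature verification successful.\n")` leaves the accept path silent, which makes it harder to audit later which images were loaded on the strength of a good signature versus the relaxed `ret = 0` path.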
From patchwork Thu Jul 18 19:43:55 2019
Date: Thu, 18 Jul 2019 12:43:55 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-10-matthewgarrett@google.com> Subject: [PATCH V36 09/29] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , Kees Cook , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jiri Bohac When KEXEC_SIG is not enabled, kernel should not load images through kexec_file systemcall if the kernel is locked down. [Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.] Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac Reviewed-by: Kees Cook cc: kexec@lists.infradead.org --- kernel/kexec_file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 875482c34154..dd06f1070d66 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c 
@@ -228,7 +228,10 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = 0; + ret = security_locked_down(LOCKDOWN_KEXEC); + if (ret) + goto out; + break; /* All other errors are fatal, including nomem, unparseable
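Review bot: the commit message says loading must be refused when KEXEC_SIG is not enabled and the kernel is locked down, but this hunk puts `security_locked_down(LOCKDOWN_KEXEC)` inside the `decide:` branch of the switch that the previous patch wrapped in `#ifdef CONFIG_KEXEC_SIG` ... `#endif`; with CONFIG_KEXEC_SIG=n the whole block is compiled out and kexec_file_load() proceeds with no lockdown check at all, which is exactly the configuration the message is about. Suggest giving the verification an else arm so the switch is always compiled, e.g. `#else` / `ret = -ENODATA;` / `#endif` ahead of `switch (ret)`; an image that cannot be verified then takes the same `decide:` path and is rejected under lockdown. The `if (ret) goto out;` relies on security_locked_down() returning -EPERM, as the message states, which matches the other call sites in this series.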
From patchwork Thu Jul 18 19:43:56 2019
Date: Thu, 18 Jul 2019 12:43:56 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-11-matthewgarrett@google.com> Subject: [PATCH V36 10/29] hibernate: Disable when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , Kees Cook , rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org --- include/linux/security.h | 1 + kernel/power/hibernate.c | 3 ++- security/lockdown/lockdown.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/security.h b/include/linux/security.h index 69c5de539e9a..304a155a5628 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -106,6 +106,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index cd7434e6000d..3c0a5a8170b0 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include "power.h" @@ -68,7 +69,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); } /** diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 6f302c156bc8..a0996f75629f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
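Review bot: `hibernation_available()` now re-evaluates the lockdown state on every call, which is what a runtime lockdown needs, but unlike the boot-time `nohibernate` flag its answer can change from true to false while the system is up; any caller that caches the result will be surprised by a late refusal at hibernate time rather than seeing hibernation as unavailable up front, so a short comment on the function saying the result is not stable across a lockdown transition would help. Folding the -EPERM from security_locked_down() into the bool is fine here since the function only reports availability, and placing LOCKDOWN_HIBERNATION before LOCKDOWN_INTEGRITY_MAX matches the integrity rationale in the commit message (an unverifiable resume image can replace kernel text).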
From patchwork Thu Jul 18 19:43:57 2019
Date: Thu, 18 Jul 2019 12:43:57 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-12-matthewgarrett@google.com> Subject: [PATCH V36 11/29] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Bjorn Helgaas , Kees Cook , linux-pci@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Bjorn Helgaas Reviewed-by: Kees Cook cc: linux-pci@vger.kernel.org --- drivers/pci/pci-sysfs.c | 16 ++++++++++++++++ drivers/pci/proc.c | 14 ++++++++++++-- drivers/pci/syscall.c | 4 +++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 5 files changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 6d27475e39b2..ec103a7e13fc 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -903,6 +903,11 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, unsigned int size = count; loff_t init_off = off; u8 *data = (u8 *) buf; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (off > dev->cfg_size) return 0; @@ -1164,6 +1169,11 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, int bar = (unsigned long)attr->private; enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; 
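Review bot: the check added at the top of `pci_mmap_resource()` rejects every mapping of a BAR, including read-only ones, whereas the other sysfs hooks in this file (`pci_write_config`, `pci_write_resource_io`) gate only writes; if the scope is integrity, as the DMA argument in the commit message suggests, either test whether the mapping can write before calling security_locked_down() and let read-only mappings through, or say in the commit message that read access to BARs is deliberately blocked as well so the asymmetry with the config-space paths is documented rather than accidental. Placing the check ahead of the `off > dev->cfg_size` bounds test in `pci_write_config` is fine: a locked-down caller gets -EPERM before any size handling.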
@@ -1240,6 +1250,12 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 445b51db75b0..e29b0d5ced62 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "pci.h" @@ -115,7 +116,11 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, struct pci_dev *dev = PDE_DATA(ino); int pos = *ppos; int size = dev->cfg_size; - int cnt; + int cnt, ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (pos >= size) return 0; @@ -196,6 +201,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -238,7 +247,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..31e39558d49d 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -7,6 +7,7 @@ #include #include +#include #include #include #include "pci.h" 
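Review bot: in `proc_bus_pci_ioctl()` the lockdown check sits before `switch (cmd)`, so it also denies `PCIIOC_CONTROLLER`, which only returns `pci_domain_nr(dev->bus)` and grants no device access; move the check down into the mmap-related cases so read-only queries keep working under lockdown. In `proc_bus_pci_mmap()` and the new `proc_bus_pci_write()` check the two styles differ as well: the former folds `security_locked_down()` into a fixed `-EPERM` next to the `capable()` test, the latter returns the LSM's own value; both are acceptable as long as lockdown only ever returns -EPERM, as the series states, but picking one style for the file avoids that assumption being silently baked in.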
@@ -90,7 +91,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); diff --git a/include/linux/security.h b/include/linux/security.h index 304a155a5628..8adbd62b7669 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -107,6 +107,7 @@ enum lockdown_reason { LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, + LOCKDOWN_PCI_ACCESS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index a0996f75629f..655fe388e615 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -22,6 +22,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", + [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
From patchwork Thu Jul 18 19:43:58 2019
Date: Thu, 18 Jul 2019 12:43:58 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-13-matthewgarrett@google.com> Subject: [PATCH V36 12/29] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: x86@kernel.org --- arch/x86/kernel/ioport.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 8adbd62b7669..79250b2ffb8f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 655fe388e615..316f7cf4e996 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
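Review bot: both checks fire only when privilege is being raised (`turn_on` in `ksys_ioperm()`, `level > old` in `iopl()`), so a task that already holds iopl(3) or an ioperm() bitmap when lockdown is switched on at runtime keeps that access until it exits; that is probably the only practical behaviour, but since this series is about restricting at runtime the commit message should state that existing grants are not revoked, so administrators know to lock down before starting anything that uses raw ports. Lowering the IOPL level and clearing ports (`turn_on == 0`) correctly remain permitted, and pairing `security_locked_down()` with `capable(CAP_SYS_RAWIO)` under a single `-EPERM` matches the other arch hooks in this series.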
From patchwork Thu Jul 18 19:43:59 2019
Date: Thu, 18 Jul 2019 12:43:59 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-14-matthewgarrett@google.com> Subject: [PATCH V36 13/29] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , Thomas Gleixner , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner cc: x86@kernel.org --- arch/x86/kernel/msr.c | 8 ++++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 3db2252b958d..1547be359d7f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -34,6 +34,7 @@ #include #include #include +#include #include #include @@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + err = security_locked_down(LOCKDOWN_MSR); + if (err) + return err; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + err = security_locked_down(LOCKDOWN_MSR); + if (err) + break; err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; diff --git a/include/linux/security.h b/include/linux/security.h index 79250b2ffb8f..155ff026eca4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -109,6 +109,7 @@ enum lockdown_reason { LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, + LOCKDOWN_MSR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 316f7cf4e996..d99c0bee739d 100644 
--- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", + [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
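Review bot: in `msr_ioctl()` the lockdown check is placed after the user copy that sets `err = -EFAULT` on failure, so the caller's register block is copied in before the access decision is made; moving `security_locked_down(LOCKDOWN_MSR)` ahead of that copy fails fast and mirrors `msr_write()`, where the check precedes even the `count % 8` validation. Only the write paths (`msr_write()` and the `wrmsr_safe_regs_on_cpu()` ioctl case) are gated, which is consistent with LOCKDOWN_MSR being filed before LOCKDOWN_INTEGRITY_MAX; if a later confidentiality mode wants to cover MSR reads, it will need its own reason rather than reusing this one.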
Date: Thu, 18 Jul 2019 12:44:00 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-15-matthewgarrett@google.com>
Subject: [PATCH V36 14/29] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org --- drivers/acpi/custom_method.c | 6 ++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 8 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index b2ef4c2ec955..7031307becd7 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -9,6 +9,7 @@ #include #include #include +#include #include "internal.h" @@ -29,6 +30,11 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + int ret; + + ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + if (ret) + return ret; if (!(*ppos)) { /* parse the table header to get the table length */ diff --git a/include/linux/security.h b/include/linux/security.h index 155ff026eca4..1c32522b3c5a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -110,6 +110,7 @@ enum lockdown_reason { LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, + LOCKDOWN_ACPI_TABLES, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d99c0bee739d..ecb51b1a5c03 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", + [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Thu Jul 18 19:44:01 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049507
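Review bot: in the drivers/acpi/custom_method.c hunk of patch 14/29, the security_locked_down(LOCKDOWN_ACPI_TABLES) check sits at the top of cm_write(), ahead of the `if (!(*ppos))` first-chunk path, so a table written in several chunks is refused on every chunk and no partial buffer is allocated under lockdown; that is the right placement. The commit message says custom_method is "disabled", but the patch rejects writes while the debugfs node stays visible; say "reject writes to custom_method" in the message so the behaviour an administrator observes matches the description.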
Date: Thu, 18 Jul 2019 12:44:01 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-16-matthewgarrett@google.com>
Subject: [PATCH V36 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , Kees Cook , Dave Young , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down. This requires some reworking of the existing RSDP command line logic, since the early boot code also makes use of a command-line passed RSDP when locating the SRAT table before the lockdown code has been initialised. This is achieved by separating the command line RSDP path in the early boot code from the generic RSDP path, and then copying the command line RSDP into boot params in the kernel proper if lockdown is not enabled. If lockdown is enabled and an RSDP is provided on the command line, this will only be used when parsing SRAT (which shouldn't permit kernel code execution) and will be ignored in the rest of the kernel. (Modified by Matthew Garrett in order to handle the early boot RSDP environment) Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: Dave Young cc: linux-acpi@vger.kernel.org --- arch/x86/boot/compressed/acpi.c | 19 +++++++++++++------ arch/x86/include/asm/acpi.h | 9 +++++++++ arch/x86/include/asm/x86_init.h | 2 ++ arch/x86/kernel/acpi/boot.c | 5 +++++ arch/x86/kernel/x86_init.c | 1 + drivers/acpi/osl.c | 14 +++++++++++++- include/linux/acpi.h | 6 ++++++ 7 files changed, 49 insertions(+), 7 deletions(-) diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c index 15255f388a85..149795c369f2 100644 --- a/arch/x86/boot/compressed/acpi.c +++ b/arch/x86/boot/compressed/acpi.c 
@@ -26,7 +26,7 @@ struct mem_vector immovable_mem[MAX_NUMNODES*2]; */ #define MAX_ADDR_LEN 19 -static acpi_physical_address get_acpi_rsdp(void) +static acpi_physical_address get_cmdline_acpi_rsdp(void) { acpi_physical_address addr = 0; @@ -278,10 +278,7 @@ acpi_physical_address get_rsdp_addr(void) { acpi_physical_address pa; - pa = get_acpi_rsdp(); - - if (!pa) - pa = boot_params->acpi_rsdp_addr; + pa = boot_params->acpi_rsdp_addr; /* * Try to get EFI data from setup_data. This can happen when we're a @@ -311,7 +308,17 @@ static unsigned long get_acpi_srat_table(void) char arg[10]; u8 *entry; - rsdp = (struct acpi_table_rsdp *)(long)boot_params->acpi_rsdp_addr; + /* + * Check whether we were given an RSDP on the command line. We don't + * stash this in boot params because the kernel itself may have + * different ideas about whether to trust a command-line parameter. + */ + rsdp = (struct acpi_table_rsdp *)get_cmdline_acpi_rsdp(); + + if (!rsdp) + rsdp = (struct acpi_table_rsdp *)(long) + boot_params->acpi_rsdp_addr; + if (!rsdp) return 0; diff --git a/arch/x86/include/asm/acpi.h b/arch/x86/include/asm/acpi.h index aac686e1e005..bc9693c9107e 100644 --- a/arch/x86/include/asm/acpi.h +++ b/arch/x86/include/asm/acpi.h @@ -117,6 +117,12 @@ static inline bool acpi_has_cpu_in_madt(void) return !!acpi_lapic; } +#define ACPI_HAVE_ARCH_SET_ROOT_POINTER +static inline void acpi_arch_set_root_pointer(u64 addr) +{ + x86_init.acpi.set_root_pointer(addr); +} + #define ACPI_HAVE_ARCH_GET_ROOT_POINTER static inline u64 acpi_arch_get_root_pointer(void) { @@ -125,6 +131,7 @@ static inline u64 acpi_arch_get_root_pointer(void) void acpi_generic_reduced_hw_init(void); +void x86_default_set_root_pointer(u64 addr); u64 x86_default_get_root_pointer(void); #else /* !CONFIG_ACPI */ 
@@ -138,6 +145,8 @@ static inline void disable_acpi(void) { } static inline void acpi_generic_reduced_hw_init(void) { } +static inline void x86_default_set_root_pointer(u64 addr) { } + static inline u64 x86_default_get_root_pointer(void) { return 0; diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h index b85a7c54c6a1..d584128435cb 100644 --- a/arch/x86/include/asm/x86_init.h +++ b/arch/x86/include/asm/x86_init.h @@ -134,10 +134,12 @@ struct x86_hyper_init { /** * struct x86_init_acpi - x86 ACPI init functions + * @set_root_poitner: set RSDP address * @get_root_pointer: get RSDP address * @reduced_hw_early_init: hardware reduced platform early init */ struct x86_init_acpi { + void (*set_root_pointer)(u64 addr); u64 (*get_root_pointer)(void); void (*reduced_hw_early_init)(void); }; diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 17b33ef604f3..04205ce127a1 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -1760,6 +1760,11 @@ void __init arch_reserve_mem_area(acpi_physical_address addr, size_t size) e820__update_table_print(); } +void x86_default_set_root_pointer(u64 addr) +{ + boot_params.acpi_rsdp_addr = addr; +} + u64 x86_default_get_root_pointer(void) { return boot_params.acpi_rsdp_addr; diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c index 50a2b492fdd6..d0b8f5585a73 100644 --- a/arch/x86/kernel/x86_init.c +++ b/arch/x86/kernel/x86_init.c @@ -95,6 +95,7 @@ struct x86_init_ops x86_init __initdata = { }, .acpi = { + .set_root_pointer = x86_default_set_root_pointer, .get_root_pointer = x86_default_get_root_pointer, .reduced_hw_early_init = acpi_generic_reduced_hw_init, }, diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index 9c0edf2fc0dd..d43df3a3fa8d 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include 
@@ -180,8 +181,19 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + /* + * We may have been provided with an RSDP on the command line, + * but if a malicious user has done so they may be pointing us + * at modified ACPI tables that could alter kernel behaviour - + * so, we check the lockdown status before making use of + * it. If we trust it then also stash it in an architecture + * specific location (if appropriate) so it can be carried + * over further kexec()s. + */ + if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) { + acpi_arch_set_root_pointer(acpi_rsdp); return acpi_rsdp; + } #endif pa = acpi_arch_get_root_pointer(); if (pa) diff --git a/include/linux/acpi.h b/include/linux/acpi.h index 451e7b544342..e826f7311b2b 100644 --- a/include/linux/acpi.h +++ b/include/linux/acpi.h 
@@ -639,6 +639,12 @@ bool acpi_gtdt_c3stop(int type); int acpi_arch_timer_mem_init(struct arch_timer_mem *timer_mem, int *timer_count); #endif +#ifndef ACPI_HAVE_ARCH_SET_ROOT_POINTER +static inline void acpi_arch_set_root_pointer(u64 addr) +{ +} +#endif + #ifndef ACPI_HAVE_ARCH_GET_ROOT_POINTER static inline u64 acpi_arch_get_root_pointer(void) {

From patchwork Thu Jul 18 19:44:02 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049509
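Review bot: in the arch/x86/include/asm/x86_init.h hunk of patch 15/29 the new kernel-doc line reads `@set_root_poitner: set RSDP address`; it should be `@set_root_pointer` to match the `set_root_pointer` member added a few lines below, otherwise kernel-doc reports the member as undocumented.

Review bot: in the get_acpi_srat_table() hunk of arch/x86/boot/compressed/acpi.c, `rsdp = (struct acpi_table_rsdp *)get_cmdline_acpi_rsdp();` casts an acpi_physical_address directly to a pointer, while the fallback two lines below keeps the `(long)` intermediate cast; use the same `(struct acpi_table_rsdp *)(long)` form on both lines so a 32-bit build does not warn about an integer-to-pointer cast of a different size.

Review bot: in the drivers/acpi/osl.c hunk, when the kernel is locked down the acpi_rsdp= parameter is dropped silently, whereas the table-override patch later in this series logs `kernel is locked down, ignoring table override`; a matching pr_notice here would tell an administrator why the parameter had no effect. The new comment in that hunk should also mention that the decompressor still honours the command-line RSDP when locating SRAT, as the commit message explains, so a reader of osl.c does not conclude the parameter is ignored everywhere.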
Date: Thu, 18 Jul 2019 12:44:02 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-17-matthewgarrett@google.com>
Subject: [PATCH V36 16/29] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Linn Crosetto , David Howells , Matthew Garrett , Kees Cook , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Linn Crosetto From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org --- drivers/acpi/tables.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index b32327759380..180ac4329763 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "internal.h" #ifdef CONFIG_ACPI_CUSTOM_DSDT 
@@ -578,6 +579,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (security_locked_down(LOCKDOWN_ACPI_TABLES)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE);

From patchwork Thu Jul 18 19:44:03 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049503
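Review bot: in the acpi_table_upgrade() hunk of patch 16/29 the lockdown check is placed after the `table_nr == 0` early return and before memblock_find_in_range(), so a locked-down kernel neither reserves memory nor touches the initrd tables, and the pr_notice records the dropped override; good. The commit message quotes a compile option named ACPI_INITRD_TABLE_OVERRIDE from initrd_table_override.txt, while the code being changed is acpi_table_upgrade() under ACPI_TABLE_UPGRADE_MAX_PHYS; confirm that the quoted documentation name is still current before merging, or quote the current text.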
Date: Thu, 18 Jul 2019 12:44:03 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-18-matthewgarrett@google.com>
Subject: [PATCH V36 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Dominik Brodowski , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- drivers/pcmcia/cistpl.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index abd029945cc8..629359fe3513 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -1575,6 +1576,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + error = security_locked_down(LOCKDOWN_PCMCIA_CIS); + if (error) + return error; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) diff --git a/include/linux/security.h b/include/linux/security.h index 1c32522b3c5a..3773ad09b831 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -111,6 +111,7 @@ enum lockdown_reason { LOCKDOWN_IOPORT, LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, + LOCKDOWN_PCMCIA_CIS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index ecb51b1a5c03..22482e1b9a77 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -26,6 +26,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", + [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Thu Jul 18 19:44:04 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049501
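Review bot: in the pccard_store_cis() hunk of patch 17/29 the security_locked_down(LOCKDOWN_PCMCIA_CIS) check runs before to_socket() and before the `if (off)` branch, so a CIS written in several chunks is refused on every chunk, consistent with the custom_method patch. The one-line commit message gives no reason why replacing the Card Information Structure matters under lockdown; the TIOCSSERIAL patch that follows states that its ioctl can change ioport and irq settings, and a sentence here stating what a user-supplied CIS lets userspace control would let reviewers judge why the entry belongs in the integrity section of enum lockdown_reason.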
Date: Thu, 18 Jul 2019 12:44:04 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-19-matthewgarrett@google.com>
Subject: [PATCH V36 18/29] Lock down TIOCSSERIAL
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Greg Kroah-Hartman , Matthew Garrett , Kees Cook , Jiri Slaby , linux-serial@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: Jiri Slaby Cc: linux-serial@vger.kernel.org --- drivers/tty/serial/serial_core.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 4223cb496764..6e713be1d4e9 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -862,6 +863,10 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, goto check_and_exit; } + retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); + if (retval && (change_irq || change_port)) + goto exit; + /* * Ask the low level driver to verify the settings. */ diff --git a/include/linux/security.h b/include/linux/security.h index 3773ad09b831..8f7048395114 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -112,6 +112,7 @@ enum lockdown_reason { LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, + LOCKDOWN_TIOCSSERIAL, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 22482e1b9a77..00a3a6438dd2 100644 
--- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -27,6 +27,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", + [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Thu Jul 18 19:44:05 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049499
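Review bot: in the uart_set_info() hunk of patch 18/29, `retval` is assigned the result of security_locked_down(LOCKDOWN_TIOCSSERIAL) unconditionally but only tested together with `change_irq || change_port`; when neither change is requested the function continues with retval still holding the lockdown error, and the hunk ends at the comment "Ask the low level driver to verify the settings", so it cannot be seen here whether every following path overwrites retval before testing it. If any path does not, a locked-down kernel would reject an unrelated TIOCSSERIAL call. Query lockdown only when a restricted change is requested: `if (change_irq || change_port) { retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); if (retval) goto exit; }`.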
Date: Thu, 18 Jul 2019 12:44:05 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-20-matthewgarrett@google.com>
Subject: [PATCH V36 19/29] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alan Cox , Matthew Garrett , Kees Cook , Jessica Yu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Jessica Yu --- include/linux/security.h | 1 + kernel/params.c | 28 +++++++++++++++++++++++----- security/lockdown/lockdown.c | 1 + 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 8f7048395114..43fa3486522b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -113,6 +113,7 @@ enum lockdown_reason { LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, + LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/params.c b/kernel/params.c index cf448785d058..f2779a76d39a 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_SYSFS /* Protects all built-in parameters, modules use their own param_lock */ 
@@ -96,13 +97,20 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) + return false; + if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + return true; } static int parse_one(char *param, @@ -132,8 +140,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } @@ -541,6 +551,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) ((mod)->name) +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, @@ -553,8 +569,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 00a3a6438dd2..5177938cfa0d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
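Review bot: in the param_check_unsafe() hunk the new `const char *doing` argument is never used in the function body, and the `mod_name()` macro added before param_attr_store() exists only to feed it; either include it in the notice (e.g. `pr_notice("%s: setting dangerous option %s - tainting kernel\n", doing, kp->name);`) or drop both the argument and the macro. The lockdown branch also throws away the return value of security_locked_down(): the function collapses it to `return false` and both callers substitute `err = -EPERM`, whereas the other patches in this series propagate the hook's return code directly (`ret = security_locked_down(...); if (ret) return ret;`); returning the int from param_check_unsafe() would keep the LSM's chosen error code and make the series consistent. Minor: `kp->flags & KERNEL_PARAM_FL_HWPARAM && security_locked_down(...)` relies on `&` binding tighter than `&&`; parenthesising the mask test reads more clearly.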
@@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Thu Jul 18 19:44:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049497 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E9C231800 for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D791928179 for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CB01528521; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4E8352883B for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403984AbfGRTpL (ORCPT ); Thu, 18 Jul 2019 15:45:11 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:53883 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2403928AbfGRTpL (ORCPT ); Thu, 18 Jul 2019 15:45:11 -0400 Received: by mail-pg1-f201.google.com with SMTP id t18so7275786pgu.20 for ; Thu, 18 
Date: Thu, 18 Jul 2019 12:44:06 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-21-matthewgarrett@google.com>
Subject: [PATCH V36 20/29] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Thomas Gleixner , Matthew Garrett , Steven Rostedt , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy. Suggested-by: Thomas Gleixner Signed-off-by: David Howells Acked-by: Steven Rostedt (VMware) cc: Thomas Gleixner cc: Steven Rostedt cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org Reviewed-by: Kees Cook --- arch/x86/mm/testmmiotrace.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index 0881e1ff1e58..a8bd952e136d 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c @@ -8,6 +8,7 @@ #include #include #include +#include static unsigned long mmio_address; module_param_hw(mmio_address, ulong, iomem, 0); @@ -115,6 +116,10 @@ static void do_test_bulk_ioremapping(void) static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + int ret = security_locked_down(LOCKDOWN_MMIOTRACE); + + if (ret) + return ret; if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); diff --git a/include/linux/security.h b/include/linux/security.h index 43fa3486522b..3f7b6a4cd65a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
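Review bot: in the init() hunk the lockdown check is buried in the declaration block (`int ret = security_locked_down(LOCKDOWN_MMIOTRACE);` after `unsigned long size = ...`), which hides a side-effecting policy call among initialisers; a plain `ret = security_locked_down(LOCKDOWN_MMIOTRACE);` statement after the declarations, as the kprobe hunk in this series does, reads better. The early return itself is in the right place: mmio_address is declared with module_param_hw(..., iomem, ...) in the context above, so on a locked-down kernel the parameter would be refused by patch 19/29 anyway and the module would otherwise fail later with the misleading "you have to use the module argument mmio_address" message; failing at init with the lockdown error is clearer.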
@@ -114,6 +114,7 @@ enum lockdown_reason { LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, + LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 5177938cfa0d..37b7d7e50474 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -29,6 +29,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", + [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Thu Jul 18 19:44:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049495 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 58BB3746 for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4786C28179 for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3B4C428521; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D54C528179 for ; Thu, 18 Jul 2019 19:46:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404010AbfGRTpP (ORCPT ); Thu, 18 Jul 2019 15:45:15 -0400 Received: from mail-pg1-f202.google.com ([209.85.215.202]:37408 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2403850AbfGRTpO (ORCPT ); Thu, 18 Jul 2019 15:45:14 -0400 Received: by mail-pg1-f202.google.com with SMTP id n9so13826106pgq.4 for ; Thu, 18 Jul 2019 
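Review bot: the reason string "unsafe mmio" in the lockdown_reasons[] hunk is vaguer than its neighbours ("modifying ACPI tables", "reconfiguration of serial port IO"); since this table holds the human-readable description of each restriction, something like "use of the mmiotrace test module" would tell an administrator which facility was blocked.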
Date: Thu, 18 Jul 2019 12:44:07 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-22-matthewgarrett@google.com>
Subject: [PATCH V36 21/29] Lock down /proc/kcore
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- fs/proc/kcore.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index f5834488b67d..ee2c576cc94e 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "internal.h" @@ -545,6 +546,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_KCORE); + + if (ret) + return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; diff --git a/include/linux/security.h b/include/linux/security.h index 3f7b6a4cd65a..f0cffd0977d3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -116,6 +116,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_KCORE, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 37b7d7e50474..c050b82c7f9f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
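Review bot: in the open_kcore() hunk the lockdown hook runs before the existing `capable(CAP_SYS_RAWIO)` check, so every unprivileged open of /proc/kcore on a locked-down kernel goes through the LSM hook even though the capability test would refuse it anyway; calling `security_locked_down(LOCKDOWN_KCORE)` after the capability check keeps the common rejection path cheap and avoids attributing those opens to lockdown. The enum hunk places LOCKDOWN_KCORE after LOCKDOWN_INTEGRITY_MAX, which correctly makes this a confidentiality-only restriction as the commit message states.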
@@ -31,6 +31,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Thu Jul 18 19:44:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049475 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2E7E4138D for ; Thu, 18 Jul 2019 19:45:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1CD1D2883B for ; Thu, 18 Jul 2019 19:45:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0FE582889C; Thu, 18 Jul 2019 19:45:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 537D72883B for ; Thu, 18 Jul 2019 19:45:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404007AbfGRTpR (ORCPT ); Thu, 18 Jul 2019 15:45:17 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:48232 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404024AbfGRTpQ (ORCPT ); Thu, 18 Jul 2019 15:45:16 -0400 Received: by mail-vs1-f73.google.com with SMTP id h3so7274896vsr.15 for ; Thu, 18 Jul 2019 12:45:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
Date: Thu, 18 Jul 2019 12:44:08 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-23-matthewgarrett@google.com>
Subject: [PATCH V36 22/29] Lock down tracing and perf kprobes when in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 7d736248a070..fcb28b0702b2 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; 
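Review bot: the __register_trace_kprobe() hunk rejects registration before trace_probe_is_registered(), which is fine, but this file also carries the boot-time kprobe event selftest (the `#include "trace_kprobe_selftest.h"` in the include hunk context), which creates its test probes through this same function when CONFIG_FTRACE_STARTUP_TEST is enabled; on a kernel booted in confidentiality mode that selftest will now fail and should either be skipped when security_locked_down(LOCKDOWN_KPROBES) returns non-zero or be documented as an expected failure. The commit message's claim that kprobes from signed modules keep working holds because the check sits in the trace_kprobe path rather than in register_kprobe() itself; a one-line comment above the check saying so would help the next reader.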
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c050b82c7f9f..6b123cbf3748 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Thu Jul 18 19:44:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 381C9138D for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 230B328521 for ; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 17B65283B2; Thu, 18 Jul 2019 19:46:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 07CD127FA5 for ; Thu, 18 Jul 2019 19:46:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404211AbfGRTqD (ORCPT ); Thu, 18 Jul 2019 15:46:03 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:50839 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404034AbfGRTpT (ORCPT ); Thu, 18 Jul 2019 15:45:19 -0400 Received: by mail-pl1-f201.google.com with SMTP id d6so14430651pls.17 for ; Thu, 18 Jul 2019 12:45:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
Date: Thu, 18 Jul 2019 12:44:09 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-24-matthewgarrett@google.com>
Subject: [PATCH V36 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells bpf_read() and bpf_read_str() could potentially be abused to (eg) allow private keys in kernel memory to be leaked. Disable them if the kernel has been locked down in confidentiality mode. Suggested-by: Alexei Starovoitov Signed-off-by: Matthew Garrett cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann Reviewed-by: Kees Cook --- include/linux/security.h | 1 + kernel/trace/bpf_trace.c | 10 ++++++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 12 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 987d8427f091..8dd1741a52cd 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -118,6 +118,7 @@ enum lockdown_reason { LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, + LOCKDOWN_BPF_READ, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index ca1255d14576..492a8bfaae98 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -142,8 +142,13 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret < 0) + goto out; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) +out: memset(dst, 0, size); return ret; @@ -569,6 +574,10 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret < 0) + goto out; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing 
@@ -580,6 +589,7 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, */ ret = strncpy_from_unsafe(dst, unsafe_ptr, size); if (unlikely(ret < 0)) +out: memset(dst, 0, size); return ret; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 6b123cbf3748..1b89d3e8e54d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
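Review bot: in both the bpf_probe_read() and bpf_probe_read_str() hunks the `out:` label is attached to the memset() that forms the body of an unbraced `if (unlikely(ret < 0))`, so `goto out` jumps into the middle of a conditional; it compiles, but it is easy to misread and will change behaviour silently if someone later adds braces. Clearer to drop the label and write the early exit explicitly: `if (ret < 0) { memset(dst, 0, size); return ret; }`. Separately, security_locked_down() is now evaluated on every invocation of these helpers from a running BPF program, which is a hot path; checking once when the program is loaded (where the helper is resolved) gives the same policy without the per-call cost. Also, the trailers show From: David Howells but only a Matthew Garrett Signed-off-by, so the sign-off chain lacks the author's entry, and the commit message names bpf_read()/bpf_read_str() while the hunks touch bpf_probe_read()/bpf_probe_read_str().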
@@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", + [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Thu Jul 18 19:44:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049477 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 02A36746 for ; Thu, 18 Jul 2019 19:45:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E28AF2883B for ; Thu, 18 Jul 2019 19:45:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D3C6E2889C; Thu, 18 Jul 2019 19:45:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 735512883B for ; Thu, 18 Jul 2019 19:45:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404061AbfGRTpW (ORCPT ); Thu, 18 Jul 2019 15:45:22 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:55948 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404023AbfGRTpW (ORCPT ); Thu, 18 Jul 2019 15:45:22 -0400 Received: by mail-vs1-f73.google.com with SMTP id w23so7250290vsj.22 for ; Thu, 18 Jul 2019 12:45:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
Date: Thu, 18 Jul 2019 12:44:10 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-25-matthewgarrett@google.com>
Subject: [PATCH V36 24/29] Lock down perf when in confidentiality mode
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo --- include/linux/security.h | 1 + kernel/events/core.c | 7 +++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 8dd1741a52cd..8ef366de70b0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -119,6 +119,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index 785d708f8553..738d6f1cf5ec 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10806,6 +10806,13 @@ SYSCALL_DEFINE5(perf_event_open, perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + + err = 0; + /* * In cgroup mode, the pid argument is used to pass the fd * opened to the cgroup directory in cgroupfs. The cpu argument diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 1b89d3e8e54d..fb437a7ef5f2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
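Review bot: the kernel/events/core.c hunk consults the LSM before it knows whether the answer matters: security_locked_down(LOCKDOWN_PERF) runs for every perf_event_open() on a locked-down kernel and its result is then thrown away (err = 0) unless attr.sample_type carries PERF_SAMPLE_REGS_INTR, so whatever the LSM does when it refuses (the lockdown_reasons string added for LOCKDOWN_PERF below exists precisely to report refusals) happens for calls that go on to succeed. Test the flag first, "if (attr.sample_type & PERF_SAMPLE_REGS_INTR) { err = security_locked_down(LOCKDOWN_PERF); if (err) return err; }", keep the REGS_INTR comment on that block, and drop the "err = 0;" reset, which is only needed because of the current ordering.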
@@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Thu Jul 18 19:44:11 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049491
Date: Thu, 18 Jul 2019 12:44:11 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-26-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
Subject: [PATCH V36 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett Acked-by: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 12 +++++-- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 3 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index a20ad398d260..1c37f17f7203 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ 
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index dd06f1070d66..13c9960a5860 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -228,9 +228,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = security_locked_down(LOCKDOWN_KEXEC); - if (ret) + ret = 0; + + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC)) { + ret = -EPERM; goto out; + } break; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 011b91c79351..64dcb11cf444 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -113,6 +113,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 584019728660..b9f57503af2c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 6df7f641ff66..827f1e33fe86 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
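Review bot: the kernel/kexec_file.c hunk drops the LSM's return value: before the change ret carried whatever security_locked_down(LOCKDOWN_KEXEC) returned, after it the call is used only as a condition, ret is hard-coded to -EPERM, and a leading "ret = 0;" is needed to make that work. Keep the value instead, "if (!ima_appraise_signature(READING_KEXEC_IMAGE)) { ret = security_locked_down(LOCKDOWN_KEXEC); if (ret) goto out; }", which preserves the old error reporting and removes the reset. The new multi-line comment also starts its text on the "/*" line, which is not the kernel's usual comment style outside networking. On the ima.h/ima_main.c part, dropping static from read_idmap widens its scope to the whole IMA module for a single lookup; a comment at the extern in ima.h saying who the consumer is would help.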
@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. 
+ */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */

From patchwork Thu Jul 18 19:44:12 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049487
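Review bot: ima_appraise_signature() in the security/integrity/ima/ima_policy.c hunk answers "will IMA appraise a signature for this func" from the presence of a rule alone, which overstates the guarantee in two ways. First, nothing checks that appraisal is enforcing: with the ima_appraise= boot parameter set to log or fix, a matching appraise_type=imasig rule exists but a failed signature does not block the read, yet the function returns true and the locked-down kexec is permitted; test "ima_appraise & IMA_APPRAISE_ENFORCE" before walking the rules and return false when it is clear. Second, the loop compares only action and func, so a rule narrowed by other conditions (uid=, fowner=, fsmagic= and so on) counts as covering every kexec image, and a dont_appraise rule earlier in the list, which would stop IMA appraising that image, is skipped by the "entry->action != APPRAISE" continue instead of ending the walk with found = false. At minimum the function comment should state that only an unconditional, enforcing rule makes the result trustworthy, since the caller in kexec_file.c treats true as a substitute for the lockdown check.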
Date: Thu, 18 Jul 2019 12:44:12 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-27-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
Subject: [PATCH V36 26/29] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells, Andy Shevchenko, acpi4asus-user@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, Matthew Garrett, Thomas Gleixner, Greg KH, "Rafael J. Wysocki", Matthew Garrett

From: David Howells

Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made:

(1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that).

(2) When the kernel is locked down, only files with the following criteria are permitted to be opened:

- The file must have mode 00444
- The file must not have ioctl methods
- The file must not have mmap

(3) When the kernel is locked down, files may only be opened for reading.

Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver.

I would actually prefer to lock down all files by default and have the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables).

Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
Cc: Greg KH
Cc: Rafael J. Wysocki
Signed-off-by: Matthew Garrett --- fs/debugfs/file.c | 30 ++++++++++++++++++++++++++++++ fs/debugfs/inode.c | 32 ++++++++++++++++++++++++++++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 4 files changed, 62 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 93e4ca6b2ad7..87846aad594b 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "internal.h" @@ -136,6 +137,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return security_locked_down(LOCKDOWN_DEBUGFS); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +167,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +297,11 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ 
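Review bot: debugfs_is_locked_down() in the fs/debugfs/file.c hunk is declared bool, but the only non-trivial value it returns is the errno from security_locked_down(LOCKDOWN_DEBUGFS); converting that to bool and storing it in the int r of open_proxy_open() and full_proxy_open() turns a refusal into a return of 1 from ->open(), which is neither an errno nor something the open path expects. Make the function return int and hand back the LSM's value, or an explicit -EPERM, unchanged. Separately, the read-only test "(inode->i_mode & 07777) == 0444" is an exact match, so a file created 0400 or 0440 is refused while a world-readable one is allowed, which inverts the risk; if the intent is "no write or execute bits anywhere", "(inode->i_mode & 07777 & ~0444) == 0" expresses it, and if exactly 0444 really is intended the comment above the function should say why.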
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 042b688ed124..7b975dbb2bb4 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "internal.h" @@ -35,6 +36,32 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + int ret = security_locked_down(LOCKDOWN_DEBUGFS); + + if (ret && (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) + return ret; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -369,6 +396,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -532,7 +560,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) } inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
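Review bot: in the debugfs_setattr() hunk of fs/debugfs/inode.c, security_locked_down(LOCKDOWN_DEBUGFS) is called on every setattr, including ones that only change size or timestamps and are then passed through to simple_setattr(), so any reporting the LSM does on refusal happens for operations that succeed; test "ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)" first and only then consult the LSM. Also, item (1) of the description says chmod and chown are disallowed on debugfs objects outright, while this hunk refuses them only once the kernel is locked down; the description should match, because the mode heuristic in file.c rests on the mode not having been changed before lockdown took effect, and that assumption deserves a sentence.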
@@ -632,7 +660,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry); diff --git a/include/linux/security.h b/include/linux/security.h index 8ef366de70b0..d92323b44a3f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -115,6 +115,7 @@ enum lockdown_reason { LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, + LOCKDOWN_DEBUGFS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index fb437a7ef5f2..88064ce1c844 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -30,6 +30,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", + [LOCKDOWN_DEBUGFS] = "debugfs access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes",

From patchwork Thu Jul 18 19:44:13 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049483
Date: Thu, 18 Jul 2019 12:44:13 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-28-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
Subject: [PATCH V36 27/29] tracefs: Restrict tracefs when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Steven Rostedt Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open(). Signed-off-by: Matthew Garrett Cc: Steven Rostedt --- fs/tracefs/inode.c | 38 +++++++++++++++++++++++++++++++++++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index eeeae0475da9..8a20137e1d8f 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c @@ -20,6 +20,7 @@ #include #include #include +#include #define TRACEFS_DEFAULT_MODE 0700 @@ -27,6 +28,23 @@ static struct vfsmount *tracefs_mount; static int tracefs_mount_count; static bool tracefs_registered; +static int default_open_file(struct inode *inode, struct file *filp) +{ + struct dentry *dentry = filp->f_path.dentry; + struct file_operations *real_fops; + int ret; + + if (!dentry) + return -EINVAL; + + ret = security_locked_down(LOCKDOWN_TRACEFS); + if (ret) + return ret; + + real_fops = dentry->d_fsdata; + return real_fops->open(inode, filp); +} + static ssize_t default_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) { @@ -221,6 +239,12 @@ static int tracefs_apply_options(struct super_block *sb) return 0; } +static void tracefs_destroy_inode(struct inode *inode) +{ + if (S_ISREG(inode->i_mode)) + kfree(inode->i_fop); +} + static int tracefs_remount(struct super_block *sb, int *flags, char *data) { int err; 
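Review bot: default_open_file() in the fs/tracefs/inode.c hunk calls real_fops->open() unconditionally, but a struct file_operations need not define open (the VFS treats a NULL ->open as success), so any tracefs file whose fops omit it dereferences NULL as soon as the lockdown check passes. Add "if (!real_fops->open) return 0;" before the call. real_fops should also be "const struct file_operations *": the value stored in d_fsdata is the caller's const fops, and the cast to void * in tracefs_create_file() only exists to drop that const, which this function does not need.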
@@ -256,6 +280,7 @@ static int tracefs_show_options(struct seq_file *m, struct dentry *root) static const struct super_operations tracefs_super_operations = { .statfs = simple_statfs, + .destroy_inode = tracefs_destroy_inode, .remount_fs = tracefs_remount, .show_options = tracefs_show_options, }; @@ -387,6 +412,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, struct dentry *parent, void *data, const struct file_operations *fops) { + struct file_operations *proxy_fops; struct dentry *dentry; struct inode *inode; @@ -402,8 +428,18 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, if (unlikely(!inode)) return failed_creating(dentry); + proxy_fops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); + if (!proxy_fops) + return failed_creating(dentry); + + if (!fops) + fops = &tracefs_file_operations; + + dentry->d_fsdata = (void *)fops; + memcpy(proxy_fops, fops, sizeof(*proxy_fops)); + proxy_fops->open = default_open_file; inode->i_mode = mode; - inode->i_fop = fops ? fops : &tracefs_file_operations; + inode->i_fop = proxy_fops; inode->i_private = data; d_instantiate(dentry, inode); fsnotify_create(dentry->d_parent->d_inode, dentry); diff --git a/include/linux/security.h b/include/linux/security.h index d92323b44a3f..807dc0d24982 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -121,6 +121,7 @@ enum lockdown_reason { LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF, + LOCKDOWN_TRACEFS, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 88064ce1c844..173191562047 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
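Review bot: in the tracefs_create_file() hunk the kzalloc() failure path returns failed_creating(dentry) after tracefs_get_inode() has already handed back an inode, and nothing releases it, so the inode leaks; call iput(inode) before returning there. The same hunk makes tracefs_destroy_inode() kfree() i_fop for every regular-file inode, which is only safe because this function is now the sole place a regular tracefs inode gets its i_fop and always assigns the kzalloc'd proxy; a comment at the kfree() stating that invariant would stop a later caller assigning a static fops and handing it to kfree().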
@@ -36,6 +36,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_PERF] = "unsafe use of perf", + [LOCKDOWN_TRACEFS] = "use of tracefs", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };

From patchwork Thu Jul 18 19:44:14 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11049481
Date: Thu, 18 Jul 2019 12:44:14 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-29-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
Subject: [PATCH V36 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Ard Biesheuvel , Kees Cook , linux-efi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. Signed-off-by: Matthew Garrett Acked-by: Ard Biesheuvel Reviewed-by: Kees Cook Cc: Ard Biesheuvel Cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/efi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index ad3b1f4866b3..776f479e5499 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -30,6 +30,7 @@ #include #include #include +#include #include 
@@ -242,6 +243,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else
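Review bot: the lockdown check lives in the __setup handler rather than in efivar_ssdt_load(), which is sufficient as long as this handler is the only thing that fills the __initdata efivar_ssdt buffer (it appears to be), but a one-line comment saying so would save the next reader a search. Two smaller points: __setup handlers report "handled" with a nonzero return, so `return ret;` with ret == -EPERM works but reads like an errno that nothing inspects; and the check silently depends on the lockdown LSM already being initialised when kernel command-line parameters are parsed, which is what the early-LSM support earlier in this series provides (lockdown= is itself an early_param, so the policy is in place before this handler runs). Worth stating that ordering assumption in the commit message.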
From patchwork Thu Jul 18 19:44:15 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11049479 Date: Thu, 18 Jul 2019 12:44:15 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-30-matthewgarrett@google.com> Subject: [PATCH V36 29/29] lockdown: Print current->comm in restriction messages
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: : is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- fs/proc/kcore.c | 5 +++-- security/lockdown/lockdown.c | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index ee2c576cc94e..e2ed8e08cc7a 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp) { int ret = security_locked_down(LOCKDOWN_KCORE); - if (ret) - return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; + if (ret) + return ret; + filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!filp->private_data) return -ENOMEM; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 173191562047..f6c74cf6a798 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param); */ static int lockdown_is_locked_down(enum lockdown_reason what) { + if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX, + "Invalid lockdown reason")) + return -EPERM; + if (kernel_locked_down >= what) { if (lockdown_reasons[what]) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - lockdown_reasons[what]); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, lockdown_reasons[what]); return -EPERM; }
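Review bot: in the fs/proc/kcore.c hunk, moving `if (ret) return ret;` below the capable(CAP_SYS_RAWIO) test neither changes what an unprivileged caller gets (-EPERM either way) nor stops the lockdown notice from being printed for them, because security_locked_down(LOCKDOWN_KCORE) is still evaluated in the initializer of ret before capable() is consulted. If the intent is to avoid logging a "Lockdown: <comm>: ..." line for every unprivileged open of /proc/kcore, the call itself has to move: `if (!capable(CAP_SYS_RAWIO)) return -EPERM; ret = security_locked_down(LOCKDOWN_KCORE); if (ret) return ret;`. The commit message only describes the message format and should say why kcore is touched at all.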
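Review bot: in the security/lockdown/lockdown.c hunk, the new bounds check uses WARN() rather than WARN_ONCE(), so a buggy caller passing an out-of-range reason would emit a backtrace on every call, and this path is reachable from user space; WARN_ONCE is the usual choice for a programming-error check there. `what >= LOCKDOWN_CONFIDENTIALITY_MAX` also rejects LOCKDOWN_CONFIDENTIALITY_MAX itself even though lockdown_reasons[] carries a "confidentiality" entry for that index, which is fine if that entry exists only for printing the level, but deserves a comment. Finally, now that current->comm is part of the pr_notice, any process can drive a line into the log on every denied attempt; pr_notice_ratelimited() would cap that without losing the information.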