From patchwork Wed Jul 31 22:15:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069637 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D23C2912 for ; Wed, 31 Jul 2019 22:16:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C12AB27DA4 for ; Wed, 31 Jul 2019 22:16:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B4F0627F3E; Wed, 31 Jul 2019 22:16:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 207E027DA4 for ; Wed, 31 Jul 2019 22:16:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731139AbfGaWQa (ORCPT ); Wed, 31 Jul 2019 18:16:30 -0400 Received: from mail-pg1-f202.google.com ([209.85.215.202]:43887 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730378AbfGaWQ3 (ORCPT ); Wed, 31 Jul 2019 18:16:29 -0400 Received: by mail-pg1-f202.google.com with SMTP id p29so35514754pgm.10 for ; Wed, 31 Jul 2019 15:16:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=51dHsz2VCo9w+VP1Zvpve034pgyEZM98AQeW9IXg4Ow=; b=qVVH+OGRsMSn/LGHzMNz4COc3ENzyPmA4GDLlB9FJxKixdjiPTxaiI4Bpeo7+TfX7P 4ug4SCfAWimEMtk20uAkeQu7bqBEcBLWUbR0SHXY9qUruSQDsL6YF9JxvmS/+5sL8eOi ZzzWlZ2iMAbN6b4IkLzBZPPGC/WbXY5iQu68P81I5MZbdJo1d4f0eOMTOJqIOCWmnDM/ 2CkSweNuMx6OV2v+fJuPDS+gfg/gTw/QNERZZmIJC3lDT0RROgFmwWoIbVnX8uegbNfr sr439LCuNbSq3JPmKhqoUMd+rz16eUxkhZ6i+PlwOd5hdIVDr1M4uG2tmCznIvRH9Qx1 Axlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=51dHsz2VCo9w+VP1Zvpve034pgyEZM98AQeW9IXg4Ow=; b=P5qtgkfw6kMV4H0JG6z9SJMbvl098ns0XTy7Qz9sddJh8V7rBvAdefw3En1JBYq76E wFHDvV/0WUSk8cHjvqyFpq6uFuMZPXZ4/oJAdhzvaACNdinhBwJiAbTMQ1sgL24/M+IJ EjATirWT03K8js28ojE6KN9X9CBAJdPkWDKxxZm98ESL/KvmLJw3ZR06M/od93omV4Zw vNbph1cry9p1d6hjNXaYqpvAphVmQ3dGmJjHTbGxHCK71aCax2kO/6E0yu45dS3xtNk/ 8UAFxbRyfN9DYP/AM0+qiFd3HV4GD9lwrBUk7Dn1bO5CGD8JGd2AvlN1ijFRL8Umjw+y dTxg== X-Gm-Message-State: APjAAAWBszX9T2PQGzzbb/FjP5uYJoCRRiDlgNtqP16MyhH3M3/BcSE/ 2nk8dHwCm8U5iYSSydEyz9iE12vgniz+jCaDbcQpWg== X-Google-Smtp-Source: APXvYqx84GYrBq6uqjqWf+y6nnPUb8miYjP7zdRnus3qjBKLCgc727OBJ0v2dqkTra6tifRXqgzB0LNbi4gBfBT/r2GC6g== X-Received: by 2002:a63:cb4b:: with SMTP id m11mr42081768pgi.49.1564611388704; Wed, 31 Jul 2019 15:16:28 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:49 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-2-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 01/29] security: Support early LSMs From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , Casey Schaufler Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The lockdown module is intended to allow for kernels to be locked down early in boot - sufficiently early that we don't have the ability to kmalloc() yet. Add support for early initialisation of some LSMs, and then add them to the list of names when we do full initialisation later. Early LSMs are initialised in link order and cannot be overridden via boot parameters, and cannot make use of kmalloc() (since the allocator isn't initialised yet). Signed-off-by: Matthew Garrett Acked-by: Kees Cook Acked-by: Casey Schaufler --- include/asm-generic/vmlinux.lds.h | 8 ++++- include/linux/lsm_hooks.h | 6 ++++ include/linux/security.h | 1 + init/main.c | 1 + security/security.c | 50 ++++++++++++++++++++++++++----- 5 files changed, 57 insertions(+), 9 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index cd28f63bfbc7..dae64600ccbf 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -215,8 +215,13 @@ __start_lsm_info = .; \ KEEP(*(.lsm_info.init)) \ __end_lsm_info = .; +#define EARLY_LSM_TABLE() . = ALIGN(8); \ + __start_early_lsm_info = .; \ + KEEP(*(.early_lsm_info.init)) \ + __end_early_lsm_info = .; #else #define LSM_TABLE() +#define EARLY_LSM_TABLE() #endif #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) @@ -627,7 +632,8 @@ ACPI_PROBE_TABLE(timer) \ THERMAL_TABLE(governor) \ EARLYCON_TABLE() \ - LSM_TABLE() + LSM_TABLE() \ + EARLY_LSM_TABLE() #define INIT_TEXT \ *(.init.text .init.text.*) \ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index df1318d85f7d..aebb0e032072 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2104,12 +2104,18 @@ struct lsm_info { }; extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; +extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; #define DEFINE_LSM(lsm) \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ __aligned(sizeof(unsigned long)) +#define DEFINE_EARLY_LSM(lsm) \ + static struct lsm_info __early_lsm_##lsm \ + __used __section(.early_lsm_info.init) \ + __aligned(sizeof(unsigned long)) + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/security.h b/include/linux/security.h index 5f7441abbf42..66a2fcbe6ab0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -195,6 +195,7 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb); /* prototypes */ extern int security_init(void); +extern int early_security_init(void); /* Security operations */ int security_binder_set_context_mgr(struct task_struct *mgr); diff --git a/init/main.c b/init/main.c index 96f8d5af52d6..565af7b963e1 100644 --- a/init/main.c +++ b/init/main.c @@ -593,6 +593,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + early_security_init(); setup_arch(&command_line); mm_init_cpumask(&init_mm); setup_command_line(command_line); diff --git a/security/security.c b/security/security.c index 250ee2d76406..90f1e291c800 100644 --- a/security/security.c +++ b/security/security.c @@ -33,6 +33,7 @@ /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) +#define EARLY_LSM_COUNT (__end_early_lsm_info - __start_early_lsm_info) struct security_hook_heads security_hook_heads __lsm_ro_after_init; static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); @@ -277,6 +278,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init lsm_early_cred(struct cred *cred); static void __init lsm_early_task(struct task_struct *task); +static int lsm_append(const char *new, char **result); + static void __init ordered_lsm_init(void) { struct lsm_info **lsm; @@ -323,6 +326,26 @@ static void __init ordered_lsm_init(void) kfree(ordered_lsms); } +int __init early_security_init(void) +{ + int i; + struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; + + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); + i++) + INIT_HLIST_HEAD(&list[i]); + + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; + prepare_lsm(lsm); + initialize_lsm(lsm); + } + + return 0; +} + /** * security_init - initializes the security framework * @@ -330,14 +353,18 @@ static void __init ordered_lsm_init(void) */ int __init security_init(void) { - int i; - struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + struct lsm_info *lsm; pr_info("Security Framework initializing\n"); - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); - i++) - INIT_HLIST_HEAD(&list[i]); + /* + * Append the names of the early LSM modules now that kmalloc() is + * available + */ + for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { + if (lsm->enabled) + lsm_append(lsm->name, &lsm_names); + } /* Load LSMs in specified order. */ ordered_lsm_init(); @@ -384,7 +411,7 @@ static bool match_last_lsm(const char *list, const char *lsm) return !strcmp(last, lsm); } -static int lsm_append(char *new, char **result) +static int lsm_append(const char *new, char **result) { char *cp; @@ -422,8 +449,15 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, hooks[i].lsm = lsm; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } - if (lsm_append(lsm, &lsm_names) < 0) - panic("%s - Cannot get early memory.\n", __func__); + + /* + * Don't try to append during early_security_init(), we'll come back + * and fix this up afterwards. + */ + if (slab_is_available()) { + if (lsm_append(lsm, &lsm_names) < 0) + panic("%s - Cannot get early memory.\n", __func__); + } } int call_blocking_lsm_notifier(enum lsm_event event, void *data) From patchwork Wed Jul 31 22:15:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069707 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 469781395 for ; Wed, 31 Jul 2019 22:19:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 37F4827F17 for ; Wed, 31 Jul 2019 22:19:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2C2B327F81; Wed, 31 Jul 2019 22:19:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9B5A527F17 for ; Wed, 31 Jul 2019 22:19:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731159AbfGaWQd (ORCPT ); Wed, 31 Jul 2019 18:16:33 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:35223 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731144AbfGaWQc (ORCPT ); Wed, 31 Jul 2019 18:16:32 -0400 Received: by mail-vs1-f73.google.com with SMTP id 66so12932172vsp.2 for ; Wed, 31 Jul 2019 15:16:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=WTiH4YTrH3kpcM05qpaK8fMoTjQf+8p0ghLlYf37sU8=; b=DERqYxz9wX0gHlQoGUJX0WknuNtCqhZOzrWycP+02aBufd6T659MgVCUVR5uC5/ByF v6eRY622zylM2F6tr3INtUyu+wE7R/907q/SSHHYUIYJRqc0m+zkLAX1/XHQjQLjy8Ss sE8JzGxbw+jOhyOLmLNF3PMNS4G0zEjzA1gw5Hq4gc6O8YHPliYN91vG8cQQJBwaf+2S u+3Ax6g7to46lAJRbMq7lMSe/jBas85IdWh6vxqiedomVTSl8mOvelUC3XrsmFtJkk3F nK1T4QgBHrtZAzA3LY5RSF+fLp1J2p0Lvog2tekRVJxNavlh4KolInczFKp5SP1J5z4c BK3A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=WTiH4YTrH3kpcM05qpaK8fMoTjQf+8p0ghLlYf37sU8=; b=Ku/MdNeVFBeZj8s+GWMsmyTh0jqjHRJkSlm/G22OPy7saBxS0sr/q6lAZVDGE0wXfP vC8MC/8XFj3dtb5+Rtj4uLNc83e+qwH1fHcFBrK0oGGoJu1Hv/7uK2SlABvs+5nuJuTE yplZaIn5fg1a0627Ux13WLLbHBQGdAU0VaJpxS5VDS1YaXzAL7CPYuejg6VpNUYnwUlx D2EBUh19zJqwC8CCMFxnqio5QSQwR6d54B5q2A8PqWbGlCRaivaDCu+F4vaHfOQN+J9f 4K04DTGGXxujj4MsLA4zfNsqL0XVbDk4pm1KHEK07n29HpEpK+lHrN1fcDtTzIe02Q1Q JCpA== X-Gm-Message-State: APjAAAWrdLTtfPt/UyZ/bG73IvNgwc9J6b5O4nfjHWAVkLhxUmykMK/a kpPzSA9WzIN28V7s6Hi6M7i3m+44/+kTSPBoh+uHzw== X-Google-Smtp-Source: APXvYqzAe54T0QiTUuxksPpviValfZJ3QvQR/H1/B1wsbrIBwM6cGdu9A0LY0uYRsuLqgvSRg078qub8agvdkMHIxjQx+A== X-Received: by 2002:a67:f618:: with SMTP id k24mr80982528vso.66.1564611391373; Wed, 31 Jul 2019 15:16:31 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:50 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-3-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 02/29] security: Add a "locked down" LSM hook From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , Casey Schaufler Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Add a mechanism to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. Signed-off-by: Matthew Garrett Acked-by: Kees Cook Acked-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 32 ++++++++++++++++++++++++++++++++ security/security.c | 6 ++++++ 3 files changed, 40 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index aebb0e032072..29c22cf40113 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1807,6 +1807,7 @@ union security_list_options { int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux); void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); #endif /* CONFIG_BPF_SYSCALL */ + int (*locked_down)(enum lockdown_reason what); }; struct security_hook_heads { @@ -2046,6 +2047,7 @@ struct security_hook_heads { struct hlist_head bpf_prog_alloc_security; struct hlist_head bpf_prog_free_security; #endif /* CONFIG_BPF_SYSCALL */ + struct hlist_head locked_down; } __randomize_layout; /* diff --git a/include/linux/security.h b/include/linux/security.h index 66a2fcbe6ab0..c2b1204e8e26 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -77,6 +77,33 @@ enum lsm_event { LSM_POLICY_CHANGE, }; +/* + * These are reasons that can be passed to the security_locked_down() + * LSM hook. Lockdown reasons that protect kernel integrity (ie, the + * ability for userland to modify kernel code) are placed before + * LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel + * confidentiality (ie, the ability for userland to extract + * information from the running kernel that would otherwise be + * restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX. + * + * LSM authors should note that the semantics of any given lockdown + * reason are not guaranteed to be stable - the same reason may block + * one set of features in one kernel release, and a slightly different + * set of features in a later kernel release. LSMs that seek to expose + * lockdown policy at any level of granularity other than "none", + * "integrity" or "confidentiality" are responsible for either + * ensuring that they expose a consistent level of functionality to + * userland, or ensuring that userland is aware that this is + * potentially a moving target. It is easy to misuse this information + * in a way that could break userspace. Please be careful not to do + * so. + */ +enum lockdown_reason { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX, +}; + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1205,6 +1233,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 { return -EOPNOTSUPP; } +static inline int security_locked_down(enum lockdown_reason what) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK diff --git a/security/security.c b/security/security.c index 90f1e291c800..ce6c945bf347 100644 --- a/security/security.c +++ b/security/security.c @@ -2392,3 +2392,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) call_void_hook(bpf_prog_free_security, aux); } #endif /* CONFIG_BPF_SYSCALL */ + +int security_locked_down(enum lockdown_reason what) +{ + return call_int_hook(locked_down, 0, what); +} +EXPORT_SYMBOL(security_locked_down); From patchwork Wed Jul 31 22:15:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069639 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 73C0114DB for ; Wed, 31 Jul 2019 22:16:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6230527F17 for ; Wed, 31 Jul 2019 22:16:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5683127F94; Wed, 31 Jul 2019 22:16:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6E23F27F17 for ; Wed, 31 Jul 2019 22:16:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731167AbfGaWQf (ORCPT ); Wed, 31 Jul 2019 18:16:35 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:56774 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731161AbfGaWQf (ORCPT ); Wed, 31 Jul 2019 18:16:35 -0400 Received: by mail-pf1-f201.google.com with SMTP id x10so44196088pfa.23 for ; Wed, 31 Jul 2019 15:16:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=8bsfxMGI0ih4pMPPTAd5DGb7PjaX6MOPHshFINx/tPw=; b=T8uBhn8F/ebCXCZz2jG/dmMBma/ouENxi0HKWAV964xKK73heHQ5Ra/HzG/HvRQwlg B4JKuzhKDXFW75XvHPJix48g3361z/2MwfwidKZ2ktXR1eq+O0ilRgQgCssdwO8U+RKc 3n2dswQwFvDauZmmoe7gX+lo8nh34Acf1SdsBk4sHFr3HzEdoCX7pVfuVIGGOzwgzEQm dvNawHjayohqrMVboebjhR1NcnR9g2i/V3Ll66Pe4ot+DdTUNqc6/zJ9Em3eSKos+tmV 127ExBYZ4BuOvK1e0Bb1ANPHPPcEb1W2XphOYtxNIQBTyPme9OwpRSxqv9t0T3WrNXpo 1hsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=8bsfxMGI0ih4pMPPTAd5DGb7PjaX6MOPHshFINx/tPw=; b=EdIL1nK/8Bf9IYtdvepdqPjZxy+PbvoNdec3ODBBrEmgKVjCdmgA6CdoNAb6KbPoDN skTxikiTeVPjSDLCk3xwiCtQ8qx20BO70RJkB3sw+KdMLYoAgY9M6iVZHwhNhQuxb5gg WzMQxbvFFf1QGJvbu4HpMdFnsZWbIe+DX+Y4zXvBb7KyI9tXxDi1EdoyO2rwVS59VTjL tA8DRbFoy+rQ0JQw+FNRXYMwTkN0/e+YpTepTbbNjbizqxRcyGaYYfLEPXTOQthLK/93 aaTVQD2CRgX7fq/M448gPuNAJXOEaGUkFRBlINdV1CAEnK6ejv4xgOvwEBYjBxmOKn88 jvkg== X-Gm-Message-State: APjAAAXZDugcecu4P6OkcFK0JrnCU8+v84UhT1cgwGGR7eB20XCOStQs XrpioAVz16Ww/eG5LmyFhGs7rjAl9/FQAbAVTMZuyA== X-Google-Smtp-Source: APXvYqyDtr49MmYBTKFlbKYjg7EQeCqIVdXTvKdl9KZF4JUS8Zi+2yH0uSkl3nFdWiWd4/qUFgElR5qHaJCW1NxybxnT2Q== X-Received: by 2002:a63:204b:: with SMTP id r11mr75966516pgm.121.1564611393620; Wed, 31 Jul 2019 15:16:33 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:51 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-4-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 03/29] security: Add a static lockdown policy LSM From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , David Howells Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: David Howells --- .../admin-guide/kernel-parameters.txt | 9 + include/linux/security.h | 3 + security/Kconfig | 11 +- security/Makefile | 2 + security/lockdown/Kconfig | 47 +++++ security/lockdown/Makefile | 1 + security/lockdown/lockdown.c | 172 ++++++++++++++++++ 7 files changed, 240 insertions(+), 5 deletions(-) create mode 100644 security/lockdown/Kconfig create mode 100644 security/lockdown/Makefile create mode 100644 security/lockdown/lockdown.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index ef52d01524af..0b962844ac2a 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2267,6 +2267,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/include/linux/security.h b/include/linux/security.h index c2b1204e8e26..54a0532ec12f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -97,6 +97,9 @@ enum lsm_event { * potentially a moving target. It is easy to misuse this information * in a way that could break userspace. Please be careful not to do * so. + * + * If you add to this, remember to extend lockdown_reasons in + * security/lockdown/lockdown.c. */ enum lockdown_reason { LOCKDOWN_NONE, diff --git a/security/Kconfig b/security/Kconfig index 0d65594b5196..2a1a2d396228 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -237,6 +237,7 @@ source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" +source "security/lockdown/Kconfig" source "security/integrity/Kconfig" @@ -276,11 +277,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK - default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR - default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO - default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC - default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" + default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK + default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR + default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO + default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/Makefile b/security/Makefile index c598b904938f..be1dd9d2cb2f 100644 --- a/security/Makefile +++ b/security/Makefile @@ -11,6 +11,7 @@ subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid +subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown # always enable default capabilities obj-y += commoncap.o @@ -27,6 +28,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig new file mode 100644 index 000000000000..7374ba76d8eb --- /dev/null +++ b/security/lockdown/Kconfig @@ -0,0 +1,47 @@ +config SECURITY_LOCKDOWN_LSM + bool "Basic module for enforcing kernel lockdown" + depends on SECURITY + help + Build support for an LSM that enforces a coarse kernel lockdown + behaviour. + +config SECURITY_LOCKDOWN_LSM_EARLY + bool "Enable lockdown LSM early in init" + depends on SECURITY_LOCKDOWN_LSM + help + Enable the lockdown LSM early in boot. This is necessary in order + to ensure that lockdown enforcement can be carried out on kernel + boot parameters that are otherwise parsed before the security + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on SECURITY_LOCKDOWN_LSM + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + diff --git a/security/lockdown/Makefile b/security/lockdown/Makefile new file mode 100644 index 000000000000..e3634b9017e7 --- /dev/null +++ b/security/lockdown/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown.o diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c new file mode 100644 index 000000000000..d30c4d254b5f --- /dev/null +++ b/security/lockdown/lockdown.c @@ -0,0 +1,172 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include + +static enum lockdown_reason kernel_locked_down; + +static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { + [LOCKDOWN_NONE] = "none", + [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", +}; + +static enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_CONFIDENTIALITY_MAX}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_reason level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY_MAX); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY_MAX); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/** + * lockdown_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +static int lockdown_is_locked_down(enum lockdown_reason what) +{ + if (kernel_locked_down >= what) { + if (lockdown_reasons[what]) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + lockdown_reasons[what]); + return -EPERM; + } + + return 0; +} + +static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), +}; + +static int __init lockdown_lsm_init(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY_MAX); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); +#endif + security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), + "lockdown"); + return 0; +} + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset = 0; + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + + if (lockdown_reasons[level]) { + const char *label = lockdown_reasons[level]; + + if (kernel_locked_down == level) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = -EINVAL; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (len && state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) { + enum lockdown_reason level = lockdown_levels[i]; + const char *label = lockdown_reasons[level]; + + if (label && !strcmp(state, label)) + err = lock_kernel_down("securityfs", level); + } + + kfree(state); + return err ? err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); + +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY +DEFINE_EARLY_LSM(lockdown) = { +#else +DEFINE_LSM(lockdown) = { +#endif + .name = "lockdown", + .init = lockdown_lsm_init, +}; From patchwork Wed Jul 31 22:15:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069641 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EB0EB912 for ; Wed, 31 Jul 2019 22:16:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB84227F17 for ; Wed, 31 Jul 2019 22:16:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D023B27F94; Wed, 31 Jul 2019 22:16:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F21C27F17 for ; Wed, 31 Jul 2019 22:16:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731175AbfGaWQi (ORCPT ); Wed, 31 Jul 2019 18:16:38 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:51462 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731169AbfGaWQh (ORCPT ); Wed, 31 Jul 2019 18:16:37 -0400 Received: by mail-pg1-f201.google.com with SMTP id p15so132947pgl.18 for ; Wed, 31 Jul 2019 15:16:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=u2905WeoBzsTcUqrWVSX7p6zMJ6qFdPBK2S0ptkFjO4=; b=u51IK7rm5PXjX+fuzwbwKYHh7z82TiYvcoisKg+mw4dPfi537EDtpJlHb76TtTHgFv vjevqlCVpTIEf22kAsMGnz4NvYb86Gl3aaZQ7/L505uG3YhegqctpP0VO697Qg91mgDg M5ywjgGoguWLtgYdI+0kwbkbWSgDaSrnCP43WUSkiaX1YlO/EkbVGJb/RMkgPpF7PFaZ p3DxrCKXrxnUKluUrp0ln4c4E06Efrj/BhiYxtBNH5VKYSkQOpVg8FFhnIreEfA/8oNd cAnWttGxFRdm5bq72j2e42G36uPkg9YEYwn/BC3539tTHq4v3L8llkrFCJNdd0ZPP/PK VYaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=u2905WeoBzsTcUqrWVSX7p6zMJ6qFdPBK2S0ptkFjO4=; b=A2PSWaXFSTxir2RGIJYi2FMbonzKMmS8R5CYUHSLtKoHrpiZLnSeA1fm/TCmFe7Nw+ SyQ4Gx+pe5TEAsJ2neZHP6tWC8XocEI0H4iOV/5+WdDEiFKB0xCenwsHBiZEJDR6w8UB t87x6Y6XjNeDjPVwi5T5t8LkIfX6xLRhk4+l1fVke3LdOUlZH4VqX7xa+E5cV5jobuYQ PmR74EOHoVaBQDfpq7JlXyWcD+3S1PZd1ideMiaUdkyVmYQ9z+yfyQkI2fOqvStHaSf2 OdOVRNXE3x52eWGGiyU1o8fE5mWWvWJPLdWKpXiubA/8VoOsvrJF31wuWvuO/l2pwzLC oHzQ== X-Gm-Message-State: APjAAAWKP7DF3nK66uOAghm1J8J41rbFqv8LubYgPEdTtYclDRE1r3ou ZcVNmaa+8u8Lm4wc+W+zNH/kx/XUQUf0sc7m5bG8eA== X-Google-Smtp-Source: APXvYqz9nvN6pLViGUJfhDU7XrmbV1ThI84+OES+YdosYp86dZSWqyXpxYB8/pHdM0JLrTFBZ3J3PT7o5Op4B7wSckVznA== X-Received: by 2002:a63:b20f:: with SMTP id x15mr6925516pge.453.1564611396278; Wed, 31 Jul 2019 15:16:36 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:52 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-5-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook , Jessica Yu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got. Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.] Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Jessica Yu --- include/linux/security.h | 1 + kernel/module.c | 37 +++++++++++++++++++++++++++++------- security/lockdown/lockdown.c | 1 + 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 54a0532ec12f..8e70063074a1 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -103,6 +103,7 @@ enum lsm_event { */ enum lockdown_reason { LOCKDOWN_NONE, + LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/module.c b/kernel/module.c index cd8df516666d..318209889e26 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2771,8 +2771,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2787,16 +2788,38 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d30c4d254b5f..2c53fd9f5c9b 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -18,6 +18,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", + [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:15:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069705 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0A8981395 for ; Wed, 31 Jul 2019 22:19:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EF50D27F17 for ; Wed, 31 Jul 2019 22:19:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E2A5927F81; Wed, 31 Jul 2019 22:19:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8171D27F17 for ; Wed, 31 Jul 2019 22:19:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731187AbfGaWQl (ORCPT ); Wed, 31 Jul 2019 18:16:41 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:55029 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731169AbfGaWQk (ORCPT ); Wed, 31 Jul 2019 18:16:40 -0400 Received: by mail-pf1-f201.google.com with SMTP id y66so44179473pfb.21 for ; Wed, 31 Jul 2019 15:16:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=YL983DZYCsDH2/bxBW55mkIkXEZ4iV1BlOwZ0Y9UQbo=; b=BtsXIa2eTEgrtDB3YoZh0Vr0MqF3zG2HREwRJPT9j0PLXfgg2j3hG32IB5dfHPMy/2 rm0uDDUk38QtwLylkx1PGSeLlU64Nva0fuH1JwNUQQUtkhm7QfgTLm2TKTf/7+OlZbSE fMXuJiJQwb9yTj6TCX6++29P/Sr4XGuR2UAS6+U8dUUzVj4VaEGg/YflN76TaB4J/tiX 9P2rzS75rZnOJtKNVpeLvatDRMWkjQSQe5lvohC6vizpCaIU2VSR6OYNm/FVr5BdlKXj 3mBodw3Mi95WtWxKxlSO4spjGTI5UzD68Uck0JfqLAxfMZdWLWt5aR3iMBTcoph2ExUE Px0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=YL983DZYCsDH2/bxBW55mkIkXEZ4iV1BlOwZ0Y9UQbo=; b=QAvUT/fF9WbKES2LtUrfUguQZzbFwmuq7qyDmpexXlQXrUVjdW9fzf5IcNqwW7vP8D lt6gj3PDw4nJazMXe2bGPtf/E+0th00pXHJ9DggHeV53N5e9DNvNV797Fdczbk0aXMLi 3tpYIFdYkjqArawINtWEc1H9tdT3gqFyewSNnaT8w0TdBKNii03XVzWupoQt6GCtvxYi FHzO29fUQNKGvewU9hBcx4+3Rhhoa1WTINr1jxylB/eHR1432g6Gl0suCGmHaQ5+0fMi Xwr8Iw5o7zUwfifP4hpy04s/ItaFuAjYLdEGKbAwzbG9qfeEtw09LyAUl6Ua1ScBPOy5 IFjQ== X-Gm-Message-State: APjAAAWAjXiGdVUUrfwg4O+K9YF/6G+hcdkgi1wEuli//MzdkAv/Xer+ WKfzNosKkCATgbdwl5Z1zo4Xnx9nlSPaGNtdrWSdIw== X-Google-Smtp-Source: APXvYqym1pasXsOwhBqWzoGZgVhOVBlOvMeVYgs8AnlFQw7KxjvustScOG1wWEkF3l3iPObYZMa3I6zo5k9FCZj91H7lgg== X-Received: by 2002:a65:44cb:: with SMTP id g11mr69696974pgs.288.1564611398925; Wed, 31 Jul 2019 15:16:38 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:53 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-6-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Kees Cook , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: x86@kernel.org --- drivers/char/mem.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:15:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069703 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 990BF13A4 for ; Wed, 31 Jul 2019 22:19:29 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8935C27F17 for ; Wed, 31 Jul 2019 22:19:29 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7D38727F81; Wed, 31 Jul 2019 22:19:29 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 20FF427F17 for ; Wed, 31 Jul 2019 22:19:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731195AbfGaWQn (ORCPT ); Wed, 31 Jul 2019 18:16:43 -0400 Received: from mail-ua1-f73.google.com ([209.85.222.73]:44120 "EHLO mail-ua1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731189AbfGaWQm (ORCPT ); Wed, 31 Jul 2019 18:16:42 -0400 Received: by mail-ua1-f73.google.com with SMTP id p13so7231405uad.11 for ; Wed, 31 Jul 2019 15:16:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=F1VsQKe1CvGe90szBrckBeIyG/tsASbX2ypyWhc14LE=; b=OA/ewO2STl/8HuS0PxOzP53cqnJU4I2To46Ls2zbIPrZrcu6dWb3BWrs8Gv7I+OTa/ 8YbrIh1IYkmK0OtcTqi75E137+aNk2E/WFI/YsvmZnzcOaaf98xzsMoisWzYfDfLC2B7 JN2b+P5R1eLpJX4dG9c9oeCWku4dL7sYsIrkTSNq5KSAuZFriPHkloD2Eg+XpfaeK/Ui hlokk/dSOm/77WEK1BNNuhO3N3lFKkSgLy8FYH8Z9lCWel6MAa8V17P6MG633C4Wxbb8 b+F00xixmbEGqv+LwFArWUhV5ybH8n5Yo5qa0k/kDIAOJb71ElqEWbgXe+hHxUS3Ryct U9GQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=F1VsQKe1CvGe90szBrckBeIyG/tsASbX2ypyWhc14LE=; b=ox+GfZJbFXDGNiW/wekAQOJ2Wi9xL87U8xZZmt+dAkidefdk1LcXc2ghehmYyODMZi tGNDBXqWKdXaTVk+jG4ZtnGDXhqQpuZAnF0sVsvmU0rsgB8pvqtN9dtmK4C4LWydLan6 hvAtCwVe0RM9fF/GFhGdbIgUgmy/xwLxL893FvgSA22HkB9EiFkJS/d4T2A/kN0FzVUu Plag6zZnuzElfshVTaSocHNY8ez+W4HheARv51TIjfnGO16fvfrz9onBubYVXBDsbhBx ny3TNtNU9D3XwnJCagQAMcMDFPWSOQ0r6/0Hf8Rpi7MmeZG9PL1dP3wm8JE31yQJWLA+ Ef/Q== X-Gm-Message-State: APjAAAUswZexn0DNs/bUcvg6e8hcLqDQTv9u03cRjJlc1t6iVALx/i5F 7VKPOB17FXadx6QMowzCraIUUFP5xzvHIQYeWJz95A== X-Google-Smtp-Source: APXvYqx6UQL2kVcMcSAcMfiNdlcC1RYlaghiMf1GsQfTNxHzAwOnaMO09aJRTxLnk22BC2WML6UwPWYSOTr5JgeP2S6utw== X-Received: by 2002:a05:6102:3c5:: with SMTP id n5mr42332847vsq.56.1564611401552; Wed, 31 Jul 2019 15:16:41 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:54 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-7-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 06/29] kexec_load: Disable at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Dave Young , Kees Cook , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Dave Young Reviewed-by: Kees Cook cc: kexec@lists.infradead.org --- include/linux/security.h | 1 + kernel/kexec.c | 8 ++++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 10 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 9458152601b5..69c5de539e9a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -105,6 +105,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_KEXEC, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/kexec.c b/kernel/kexec.c index 1b018f1a6e0d..bc933c0db9bf 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -205,6 +205,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + result = security_locked_down(LOCKDOWN_KEXEC); + if (result) + return result; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d2ef29d9f0b2..6f302c156bc8 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:15:55 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069701 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B45AD13A4 for ; Wed, 31 Jul 2019 22:19:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A50BC27F17 for ; Wed, 31 Jul 2019 22:19:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 98E7827F81; Wed, 31 Jul 2019 22:19:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4636727F17 for ; Wed, 31 Jul 2019 22:19:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731206AbfGaWQq (ORCPT ); Wed, 31 Jul 2019 18:16:46 -0400 Received: from mail-pl1-f202.google.com ([209.85.214.202]:37607 "EHLO mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731204AbfGaWQp (ORCPT ); Wed, 31 Jul 2019 18:16:45 -0400 Received: by mail-pl1-f202.google.com with SMTP id n4so37817954plp.4 for ; Wed, 31 Jul 2019 15:16:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=I/5rlFVBONd1Ka7/QUlhE63dhV+4TxEgC7HKPRr7Vsc=; b=gMSAts35o/wnPODCro9DydMZX5y7p1KI0EhPMUuNYbyd5Q6Xxxy0tL/90yw+6/qQMj l9giTy0CijDgmA/xNQp8tpz9dJXEq7ZHBw3gHX4fMKITsYLeBVXKVVIfdulVbq3Peg3w 1TyRbM+Rhhp85lz2YXYM+pwcYW01E767r909bQZxS1gcHPQc7p/oodSsz0ThkQlOlKHm ZbG6AATiMeGGcbzOk7aKYt2t/PNN56kMp7qxsWj5tSxTcaZIr/FUg24BjVgqRi3tVaLa ecwG54oEFOZzMaQ088eNT1XtbXcxzLAhwq7fC+roMT/tuZTDal1sDiD3x3VDkDdvwB4A d6Pg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=I/5rlFVBONd1Ka7/QUlhE63dhV+4TxEgC7HKPRr7Vsc=; b=ak0nwklEGVdToQvY0EgH9zQOweCWZDGrh8Lc+RGQAOmIRvWuqpFnrEIN3WeSBWeSs6 6QhrAjiD46Wp67CqsWimFCoJ6cOgDcOQfv7fcjyUEmDq3i9+MAss+dFmySdTjLvhymrZ A8mrwqA3i+iHY96neRtARfV+AjxCObxtLF7Hvk3QZkVnkAxhJFaZ8+i6trQsZQ+4Gl+o c76ZwgN4NMLGS4nW1W4nmpyGbUdA35bETMS2IWHpEaon8QLTcLJ/aGSDE9Fc+f2yhQQm HDIIJZrqw2kBvrPW6DsBP/CVj83909mNL0tauNlU4Z5nvLwgcyh4qq7ZUI3tii/eUW8+ POKw== X-Gm-Message-State: APjAAAUc3h+jucUMczEpiefC7JeG7BeE6b40+jxGjhjeEnWSnk1cMXM6 EB5LDS2+GSheNxhpApu7/zHgzXFQ2hkOFmAJueVbaA== X-Google-Smtp-Source: APXvYqyTX+qLDnmSpQam3pjkGQYBiZyG7S1znrHAEzFD0MX+bZTxK74CZsUoHaPZuUmDe6v6/5kjbS4vOej9Zu44WrYy9g== X-Received: by 2002:a63:125c:: with SMTP id 28mr62619278pgs.255.1564611403845; Wed, 31 Jul 2019 15:16:43 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:55 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-8-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 07/29] Copy secure_boot flag in boot params across kexec reboot From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Dave Young , David Howells , Matthew Garrett , Kees Cook , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Dave Young Kexec reboot in case secure boot being enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot. Adding a patch to fix this by retain the secure_boot flag in original kernel. secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. Fixing this issue by copying secure_boot flag across kexec reboot. Signed-off-by: Dave Young Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: kexec@lists.infradead.org --- arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 5ebcd02cbca7..d2f4e706a428 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; From patchwork Wed Jul 31 22:15:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069699 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8E46D1395 for ; Wed, 31 Jul 2019 22:19:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7E7A627F17 for ; Wed, 31 Jul 2019 22:19:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 724D327F81; Wed, 31 Jul 2019 22:19:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D150627F17 for ; Wed, 31 Jul 2019 22:19:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731222AbfGaWQs (ORCPT ); Wed, 31 Jul 2019 18:16:48 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:57235 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731205AbfGaWQr (ORCPT ); Wed, 31 Jul 2019 18:16:47 -0400 Received: by mail-qk1-f202.google.com with SMTP id j81so59138736qke.23 for ; Wed, 31 Jul 2019 15:16:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=0e260YowI9CRqgpWSZnFK5vaM3jseidaVbkh9lNaqp8=; b=T5C8KJDUx9azZLWdpz1dHN6vsdvRR0gZKEvl1PMRoFDAxYz1C/GdcPLsBTRtv5f+k7 0PZFkLysDpcsZI2GwWei196H24omcqyCGqeDCyNYwlo1EJ8smCGY+kcW0aN/eX2v+NSn BzbnuAGd88Ma2SyQpR2/aNBQqv+K5Y3eOwbDNfaBPe++D/TNGaCZgXS4gCmO7zaC3Sir G2vpIg9hxBRdq8Cf3Hs2DTze1dsoLwnyBDQo5NxYqLCuideJROAzDShG01EjjNIAl/Hi nvy/2m63KxhFJfEy7yherX07YMF/H6HXuHuDQx+K9SfbwUNYYDtzsEi4sdnyvlCPb6uR rvLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=0e260YowI9CRqgpWSZnFK5vaM3jseidaVbkh9lNaqp8=; b=Lq9YEvNc1Jf+EFOvW2/wVbY0Pop4Yd/nDgtQwVzrjqeZMCdohHE62gUewQM4P0Rcw6 aQANgSmAQjjZzMfvehI7iXLUCqwUYKEhARsyhnm1gJgwDkixagnJ2su2ZBU9A+l3oU9R iRhLSlqZBjGSard4GSoGUjnCxefEXoICGYIG0a19KdvY560OLoOmSQgRrFG8oeRl1gNZ eNxIudO0yMTDEGwA4ZUjst7hXAJkEh2XEyPjjVy6g06faojVYhqOdxYBUm9/49PQ+Im8 fRezKcQFegKgqCL584azZ7KkdFrDph8OCNiu46ecyYbYZOYnW6vQwrhtEXCm8dcCl00S ym6Q== X-Gm-Message-State: APjAAAUptkH1/Ex/QfTD/NwVKOnwrWS7A82fEnsCseJjbO6e3gm1N+kU nyfHvTB6tw4ZopvWBVTlUBECs9XVke2ArzkeGUMVxw== X-Google-Smtp-Source: APXvYqyJUnnorO6RaYqdVA4leMv9/vkz+VLu5iZqhjqCYiop90bsNCQLhJOVeAcyeDFFs4DZBc9czNFiTXL/aOkJ/yauyQ== X-Received: by 2002:a0c:8b49:: with SMTP id d9mr87945356qvc.178.1564611406707; Wed, 31 Jul 2019 15:16:46 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:56 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-9-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , Dave Young , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jiri Bohac This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading usigned images even when the kernel is not locked down at runtime. This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature. Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac Reviewed-by: Dave Young cc: kexec@lists.infradead.org --- arch/x86/Kconfig | 20 +++++++++---- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 41 ++++++++++++++++++++++---- 4 files changed, 55 insertions(+), 14 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 05e78acb187c..fd2cd4f861cc 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2032,20 +2032,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index 3b303fe2f061..cc9dbcecaaca 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, @@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 305f6a5ca4fe..998f77c3a0e1 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index b8cc032d5620..875482c34154 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; @@ -202,14 +203,42 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); #endif /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { From patchwork Wed Jul 31 22:15:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069643 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 782B6186E for ; Wed, 31 Jul 2019 22:16:52 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6902427DA4 for ; Wed, 31 Jul 2019 22:16:52 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5B60727F3E; Wed, 31 Jul 2019 22:16:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E792A27DA4 for ; Wed, 31 Jul 2019 22:16:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728513AbfGaWQu (ORCPT ); Wed, 31 Jul 2019 18:16:50 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:52523 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731234AbfGaWQu (ORCPT ); Wed, 31 Jul 2019 18:16:50 -0400 Received: by mail-vs1-f73.google.com with SMTP id g189so18238096vsc.19 for ; Wed, 31 Jul 2019 15:16:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=gySahCCzgGb/Q58L8c20Lrjjix8qIZkrCOd+PLUQfB8=; b=cmIx1daqZEKRBkMW2JYQfOqzUiRs2oBlgGsfJ136BcTbgFMR1CJl2NqSDVgDe896Bx mpbcsPT67i243WQ4vLJxFNcPA4oGZ3Cz6MDwB0lBJSVHyXdZ+LTkkVhocNH63pmKpNYi jzKaCCH1ri5of7nbJCrFDV2szkQzQ4/IyfgIxl0y5Pz8cdpCVYSWtX3QdnT/0R1pxHJ8 86aVpuAguhOmGJFr5DCnDbgOLeH53KoQruXbdg8fiqbjwqEj4qIljZP/1qVz6Wc3j62q w8/FDQdrnu0IDQzCJ94OCBvj1zAWNGFs45jfQtd1ADYZiLLYm6kZQGlGm22DObG2SgD+ u1qw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=gySahCCzgGb/Q58L8c20Lrjjix8qIZkrCOd+PLUQfB8=; b=MHFRCxkaeJlCZ3RoGEn+0Jyx2vID97ySbEUF6uxveMTlv5nHhSsc3B0EefkAgaJpgw h8fQm9iGDB2vAMJ9xvleRWWRpG569rRRKxS7ocW2835brlZo7gW4lVelZPlSo23zaSOz jeP8rhOdLL/V9XtjyBZfI1etaqlJtK9/Hs+Ez7WIUwGdQh2+jFG3OIYrArrOJCiXMqnz kJxahmTUyc/i8DlckDocPhrsUT1ZOi+z1PmBxVQXYig74tyHWrhrlYlbYvkMAb7BcXqx mEmAnzmzaBev9LS+ESLYn9bLkypZC1Z5eg7FEJsW6KeRsoEHPb5beZS2x5HNrjMBn11d Bzmw== X-Gm-Message-State: APjAAAWLtx2DPH+S7zkKAVyv+mGLfRbKthNppnmWU96z4HDj3utpsGXm taxoQZlcC1u05Q+ofPG1KQbkOzBg3uUkm7C+ih/+6Q== X-Google-Smtp-Source: APXvYqwxxFBGuXs7H0AALmQP7lKFkyE/Ao0WUi2DN+KhehbfvyAwH2M8AeJB6/9kmo67vl8W4RHQYCsqQBB2qu0nAvlB4Q== X-Received: by 2002:ab0:60b9:: with SMTP id f25mr62470698uam.111.1564611409165; Wed, 31 Jul 2019 15:16:49 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:57 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-10-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 09/29] kexec_file: Restrict at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , Kees Cook , kexec@lists.infradead.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jiri Bohac When KEXEC_SIG is not enabled, kernel should not load images through kexec_file systemcall if the kernel is locked down. [Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.] Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac Reviewed-by: Kees Cook cc: kexec@lists.infradead.org --- kernel/kexec_file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 875482c34154..dd06f1070d66 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -228,7 +228,10 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = 0; + ret = security_locked_down(LOCKDOWN_KEXEC); + if (ret) + goto out; + break; /* All other errors are fatal, including nomem, unparseable From patchwork Wed Jul 31 22:15:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069695 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EDF2A13A4 for ; Wed, 31 Jul 2019 22:19:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DDB5127F17 for ; Wed, 31 Jul 2019 22:19:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D17E927F94; Wed, 31 Jul 2019 22:19:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BBC2127F17 for ; Wed, 31 Jul 2019 22:19:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731242AbfGaWQy (ORCPT ); Wed, 31 Jul 2019 18:16:54 -0400 Received: from mail-pl1-f202.google.com ([209.85.214.202]:33104 "EHLO mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731240AbfGaWQw (ORCPT ); Wed, 31 Jul 2019 18:16:52 -0400 Received: by mail-pl1-f202.google.com with SMTP id f2so38311059plr.0 for ; Wed, 31 Jul 2019 15:16:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=mRx6DvobeAgz9fXiYoI+VAmx830kBHXoGc7G6A5EVd0=; b=IXsxtFi3dTqKB+o/Wp7s083XS7SjUbQMcCgIsd0WIzzMtZmNaSQKck9SZk8/LV/tKW iauqc9Sh1AIluynW7+PR4PhpczN6yRdIv953ynjwuwFWHa/UVnQ72sULwrXjNjS6e/rU 9B58SiL1PCO7x+gwtiCfLRDcFLfHYqJckXhIxs7f7BmC/OAWPsSihkTtRDo4hMCslWC4 DcbbsuYXQYGwOfMS+1sE0Xp813o+0VO5tuwgaPAWsIiBTlDFJ2yTuhzH/viPVcMxtFXv PCDiNz31TQAFo2c/g5gz4FxUjGG5qNoYLTvZVJc1/xMrVhVCF6vii+6Ml1XW+QkFPzAs w83w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=mRx6DvobeAgz9fXiYoI+VAmx830kBHXoGc7G6A5EVd0=; b=XAXYrYUsQFO5mKJeWvnUNj2yXy8fbGOS0tMfq3Tc2Dssm4Ho8ap3oVjJ20PLNgaTCm BHPH7ZpZozQK13N+0+RcZv1+HoPetgBPv4xgtdT5/wolLa4vXKVcRmgBMEpjmJHPmBv8 s1nqeDlQHHK4rwrEUHXZnUYQOW0A+XYRGJQDNL7u7Av+nE0/cjW+mq/nBcyI0iIuKvPb 3L2p6tBunEs/tNHAOpF9JX1JjOYrVoIk2pOq+7QGAJlwKtvSYdCdSbtC66/2we0G4lNn BjI0R3Gf4GE592Xp29DZWkP50kOWwYUNqNQpv+p71Fb7tFFarwXjBPPbHojWNRwZ8NB/ 17sw== X-Gm-Message-State: APjAAAWdGS/DycmKVze/hl5E8tR5qc3MMNn+Uv3TX6/GYTx9hVC+lb/z uGLuPPtTp/EMJXQbSmxdFOqD78Tx3DzBK7BEOpamYA== X-Google-Smtp-Source: APXvYqwPUST8bcWEuK6wPg2C/0aVphd5/eFEPuRhKx/A1xJZobcujQxWD9xlWlFEjxq639LtyRci3WWJHAF+9qOzVRDrpA== X-Received: by 2002:a65:44cc:: with SMTP id g12mr37784362pgs.409.1564611411719; Wed, 31 Jul 2019 15:16:51 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:58 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-11-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 10/29] hibernate: Disable when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , Kees Cook , rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org --- include/linux/security.h | 1 + kernel/power/hibernate.c | 3 ++- security/lockdown/lockdown.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/security.h b/include/linux/security.h index 69c5de539e9a..304a155a5628 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -106,6 +106,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index cd7434e6000d..3c0a5a8170b0 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include "power.h" @@ -68,7 +69,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); } /** diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 6f302c156bc8..a0996f75629f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:15:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069693 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6C3C51395 for ; Wed, 31 Jul 2019 22:19:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F21027F17 for ; Wed, 31 Jul 2019 22:19:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5342027F81; Wed, 31 Jul 2019 22:19:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BDA5727F17 for ; Wed, 31 Jul 2019 22:19:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728511AbfGaWTV (ORCPT ); Wed, 31 Jul 2019 18:19:21 -0400 Received: from mail-pl1-f202.google.com ([209.85.214.202]:43064 "EHLO mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731256AbfGaWQz (ORCPT ); Wed, 31 Jul 2019 18:16:55 -0400 Received: by mail-pl1-f202.google.com with SMTP id t2so38328936plo.10 for ; Wed, 31 Jul 2019 15:16:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=IqUClIssxa6D6MoIAE+ms+qpgX9OHdd3voCN/TpeHYo=; b=OSQfdUjsKNzN31+bhcUXLr2H8Ocf38HBXPBklzHGY4NHM5jtawY+aqnedkfaXFZ0CH bnrxhckspK+Dl2WO5zPvm4mIVlAqzNa6JXDwRhYEqAg0nADrIuzMJ99IW7CBMC0z06cT XaVM5l2ElJjj+URRBbOga5Os28t1bLbOtSwQtIE+ij9v4hybvyoiXs5ll9mxRs6PlMpq /vN8vAqK0ZDwqqLRWoXnIfLPbUjKbN7YPC21GMErPsgBxVLl25dtev+CZ42wiW3SO7lZ oSgtUizV2FJn8NR5XwBoh3M6bWa7Pal2CGantvm3rpWwH0EEOGsg7Y4ap6b13GTY89ZS 5RVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=IqUClIssxa6D6MoIAE+ms+qpgX9OHdd3voCN/TpeHYo=; b=rsXB4h0Ih37hjpz0v17pBLtfGulSP8CLKKJbISqw2Yq1Ufv8c1xJUhLxhJzkZXHJ9m l3JfjogyBD+6hJhWxYPMfkvzq25XGr2pB8iHhahaGx+/kFBh54Oee/dT4crnzosK8akS Cylej/EGhMb2jCqKoyuuO60NyFn4MPQxU9J9zBDv5yBfZJKqU+2Note7xoVdCNIghFFH SImg7waMFBkFJNaD0iVjCsDHqF14YEr+lOBAKq29PB4TfQgr4Xqh9uBaPX/+ByqJhLFQ /k3JdqlNhTcCFtvVGUOjGs8ClkW2mUkQGqrndIktC+TkuSzpzvDP/C6bnMAP2f4+rAdG iQLg== X-Gm-Message-State: APjAAAUh+SMEZ6++LzeZjuyaudkAOBXgFMfCMydLPzXZXi92An2RQRwB th8NRqRR45sTgZ+t7Z45d6KfUQJfkTRUoQZEkVVO8g== X-Google-Smtp-Source: APXvYqyS6YBKB93OOHHm+oxngalxRdvpUX2H1ET3d0/GBi0Heyba67cmqacKd5xZ/ghnAHwFoSGfoLlRBb6KosWk16Qoqg== X-Received: by 2002:a65:6850:: with SMTP id q16mr80028747pgt.423.1564611414229; Wed, 31 Jul 2019 15:16:54 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:59 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-12-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 11/29] PCI: Lock down BAR access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Bjorn Helgaas , Kees Cook , linux-pci@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Bjorn Helgaas Reviewed-by: Kees Cook cc: linux-pci@vger.kernel.org --- drivers/pci/pci-sysfs.c | 16 ++++++++++++++++ drivers/pci/proc.c | 14 ++++++++++++-- drivers/pci/syscall.c | 4 +++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 5 files changed, 33 insertions(+), 3 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 965c72104150..396c1a90c0e1 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -906,6 +906,11 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, unsigned int size = count; loff_t init_off = off; u8 *data = (u8 *) buf; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (off > dev->cfg_size) return 0; @@ -1167,6 +1172,11 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, int bar = (unsigned long)attr->private; enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; @@ -1243,6 +1253,12 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + int ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index fe7fe678965b..5495537c60c2 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "pci.h" @@ -115,7 +116,11 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, struct pci_dev *dev = PDE_DATA(ino); int pos = *ppos; int size = dev->cfg_size; - int cnt; + int cnt, ret; + + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; if (pos >= size) return 0; @@ -196,6 +201,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + ret = security_locked_down(LOCKDOWN_PCI_ACCESS); + if (ret) + return ret; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -238,7 +247,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..31e39558d49d 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -7,6 +7,7 @@ #include #include +#include #include #include #include "pci.h" @@ -90,7 +91,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + security_locked_down(LOCKDOWN_PCI_ACCESS)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); diff --git a/include/linux/security.h b/include/linux/security.h index 304a155a5628..8adbd62b7669 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -107,6 +107,7 @@ enum lockdown_reason { LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, + LOCKDOWN_PCI_ACCESS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index a0996f75629f..655fe388e615 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -22,6 +22,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", + [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069645 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BECE914DB for ; Wed, 31 Jul 2019 22:17:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AF84827DA4 for ; Wed, 31 Jul 2019 22:17:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A3A4727F81; Wed, 31 Jul 2019 22:17:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 60A9427DA4 for ; Wed, 31 Jul 2019 22:17:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729172AbfGaWQ7 (ORCPT ); Wed, 31 Jul 2019 18:16:59 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:48749 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731077AbfGaWQ5 (ORCPT ); Wed, 31 Jul 2019 18:16:57 -0400 Received: by mail-vk1-f202.google.com with SMTP id x71so21163536vkd.15 for ; Wed, 31 Jul 2019 15:16:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=+lxhGCdajZtpWA+WbiP8jppyBQ25CBPRuMFm1CLt5nU=; b=j4MKFnGU7X99YI5wLcfXrhbOFDvuZvPJ8DeJhyJvAsxAIFQzgYt+EFTnWPv0qMmkqR RG0mjKzeZVlqOwakSykYJYD4KlJ6ZRROwgtz1cp0jWXaki3qCH9YM8h6Kql3AgjbTz3t 7UnMOKbyWLe96otjDVG+dPr1R4wuC89qSfNHZvEltYLDw8qpgwmXL88G1rNcHSh8Ucbo ch/Jb5eC737kJjy3xmYpy0cGNVYHfTX0wvJfVwGTLzHiYfpNJAZHSMZhxoPG3QCTu+0+ AAWnCM2SF0ibefGRIEsGmypEVjUHwxuhFVw1+MxxB9icrlIFugrsv66o4wI0DPZ0k6yJ OJ7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=+lxhGCdajZtpWA+WbiP8jppyBQ25CBPRuMFm1CLt5nU=; b=dqrDxqz0ctWIzBgI3ZqCGIFRGqxppusicylz0mxO1grAzCtQapfBiFecCJlMNcBT8D OwJ7MMC9UKZAjM9ot2Y8TK40PACVPgg3kXiN6+uVTBsfTB8ggIn3MmOSneDIS5/355zx oXDDuqCRi57bURyayRth0KhZaHKP2ut/Xbv14WSbKEgWDWdnKGn0r1Q2mGYnzXC1LQzo k+1ai+lfGD3XSh8EIESZNFrc4ZmhKsHPiQuxMPurGnj/pt9+4g/Kuug3AZ9SemyuEPLI OYH6R1o8EFtDRjQSfPfLIsQvTdqUNFZXpyGXeslMbluqfvyRvspMVl1BYK9b3Ycgvhyd 1p6A== X-Gm-Message-State: APjAAAUiRdXo3OXlz7y0rwyPFzNEZVNhGARh3ftahk7hETOc9eMBD39l Os76YzM65K+kK2eiiaVqzYYewKLqL7+nM+ApvCUtzw== X-Google-Smtp-Source: APXvYqxwKJQQ8ekyXiq1k3fR6hTec9hMbAJGRiOniCHDcosaUUyGqhUT6qBrA15i3/RsTk4jytW4bKpkShWzY+8vWDLwpA== X-Received: by 2002:a1f:3692:: with SMTP id d140mr49563787vka.88.1564611416854; Wed, 31 Jul 2019 15:16:56 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:00 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 12/29] x86: Lock down IO port access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: x86@kernel.org --- arch/x86/kernel/ioport.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 8adbd62b7669..79250b2ffb8f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 655fe388e615..316f7cf4e996 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069689 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D825713A4 for ; Wed, 31 Jul 2019 22:19:20 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C778627F17 for ; Wed, 31 Jul 2019 22:19:20 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BB4F027F81; Wed, 31 Jul 2019 22:19:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8FD5727F17 for ; Wed, 31 Jul 2019 22:19:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729694AbfGaWTO (ORCPT ); Wed, 31 Jul 2019 18:19:14 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:51467 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731277AbfGaWRA (ORCPT ); Wed, 31 Jul 2019 18:17:00 -0400 Received: by mail-pg1-f201.google.com with SMTP id p15so133551pgl.18 for ; Wed, 31 Jul 2019 15:16:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=q3etb4lqcpfoYcLMBUBDWWlC5fl/teVFWCZH3Y1QNdw=; b=quGzWel87vKpTW4m4ti6UC5lPNM8poQ5r/5Gcx2k+UB1of3DzW/ygjWMG+qe/Fd4uM cDTpYU+PDwUIfPSRoB6CQIQj14vfKG771ql+UsouBTpmPik0ygjY67XRnFdi9Kxcg7ZS +bQ9M+2CNh/LhLV+HYPRlRvvArey+z6EEfT82xg/+VTjZ6i//Lq5auWIhNehcWDM1krg UtiiHS1J2R7eUNf8pXRVBs907DgLQKa70qAYzpZJfVOFrM+OBJyVIDoMThdLqXErL6Do Um1IJ+0Apei97QMgGp8BKBMTadz8Hvrz8eHjCdW6y1/DwlwDIl4hwCQ7BCxBPWQ+qcdb GZIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=q3etb4lqcpfoYcLMBUBDWWlC5fl/teVFWCZH3Y1QNdw=; b=SbTkTGK9pwl8qRYHQPVeHhgj8cPjjjY16Lre/cgWpu45Btj4S9foJDZp16BTmRisB7 gxC5zZPaxMEkZ/o718U4VIdPDwKmKhLtlRYbkO+f0I/DwutdxWqcYct03hOcSYT95S8n R47Y+8VFqxv6psWT62a5Zsy37WRPVZOwPajnJp4PsuKqaRAjy1YxCX5Ykuu5gDcf7iAf 96CYwOdp0erx2UzFxFmFq/9oQeoY9fUTz/Ui23/ExquNKA3w5iz8GZI+BFssPOYqbubv z7Ya31PESH0//1VthTv1ctSNxrVdnDzK3tw/llE4aHc6uNNiCec8NAO83QNwSI+oZW9Y Op9Q== X-Gm-Message-State: APjAAAV7GDpeLccZ6w3ymW13KEuCctULXDi7EUnorXjGyRVXAJlUsSvu BTPyTv/lNZhSiBWYfNkQL20EEYX71Knge9B0p3vBNg== X-Google-Smtp-Source: APXvYqy4ds11BOZ1ZwNIDQc3p6kAWpXPQHkBqVxVp8RzbiUM4j34Y4iiH1c07QLZF/c58qzuumf7YAJNTWdC2BSj0z0cCw== X-Received: by 2002:a63:ab08:: with SMTP id p8mr26982787pgf.340.1564611419264; Wed, 31 Jul 2019 15:16:59 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:01 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-14-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 13/29] x86/msr: Restrict MSR access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , Thomas Gleixner , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner cc: x86@kernel.org --- arch/x86/kernel/msr.c | 8 ++++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 3db2252b958d..1547be359d7f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -34,6 +34,7 @@ #include #include #include +#include #include #include @@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + err = security_locked_down(LOCKDOWN_MSR); + if (err) + return err; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + err = security_locked_down(LOCKDOWN_MSR); + if (err) + break; err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; diff --git a/include/linux/security.h b/include/linux/security.h index 79250b2ffb8f..155ff026eca4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -109,6 +109,7 @@ enum lockdown_reason { LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, + LOCKDOWN_MSR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 316f7cf4e996..d99c0bee739d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", + [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069647 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 88A2714DB for ; Wed, 31 Jul 2019 22:17:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7918C27DA4 for ; Wed, 31 Jul 2019 22:17:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6D19327F3E; Wed, 31 Jul 2019 22:17:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 10BC627DA4 for ; Wed, 31 Jul 2019 22:17:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731272AbfGaWRD (ORCPT ); Wed, 31 Jul 2019 18:17:03 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:51685 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731287AbfGaWRD (ORCPT ); Wed, 31 Jul 2019 18:17:03 -0400 Received: by mail-pf1-f201.google.com with SMTP id 145so44208028pfv.18 for ; Wed, 31 Jul 2019 15:17:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=HYGYby6crp40dCLBmhgwCvdnfCZZwxit6AHkXOrrVgc=; b=vEIr33UIHvwt3NqWIeZrb/59ulOIkcz7rfoXwf/T7Bm7ES4NLBQqA6eXizkSfE5vv3 FVEAfneKoLgNu2aaC4bzbB6LYw3f5NFnjVqP9s+oObZTrYzSawiE4g5T+5pK9LWkPzUl 7xNScG5swOXfYyB94pVc7cUTPklTEBfex/kk3GW9Dg8+hjfhm1+QG3rYI58FWSo1tnd4 UeCcXHE0/5Ni3ftiD+G+C/RFLw00Rz2lckGBrmAO/B7jRyjVzhQxOkSNAX9TQgQB3NmR 7rl0+tiA/WMA9OSfgrZdMhc7qhOUYeikze2HYm/uZdry/tyxh+9xAwJQvnLL40YFd70T P3sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=HYGYby6crp40dCLBmhgwCvdnfCZZwxit6AHkXOrrVgc=; b=c/AkLVD4/TpKDlR3pv+H1vZ6wLRx9AmdEvrZcpkwggCo4c2JksL1Xb3koQ/nOdczjM 4iwcoftBG+cYToIVNJT8qHqm7ib3IoP18jzdfKC3CLg0eYEL5nOZiiKsfBSSS/TRaROl 58zD8b0Kr3yBEurOY11VdKctPWbc0fEZbB+/1SabbrYRuDFK49nm7sf1JUvWvuAF8yzQ k6WSys4sdLmB5Y1GhhWLi/ZCgnx9eIxXQQkz9NzUdh3QpD0P7oX+UPQPCf/OAloYBXXH 1Aou3QNPwmKer2SlPF8HZ+n2o96qqNTbanAZZqfQGIjcYvMuhDwSwn9layI9JTpv/bSB 9Mlw== X-Gm-Message-State: APjAAAWYdPw8Lzh9VrUWNOUcsHaARqEQq1KBYhkr/CMCEBQKOyJgB7nl 9JQAtAG1JheUqApZikx1GytPCq6uXbIRXnbKtQZDzQ== X-Google-Smtp-Source: APXvYqyQZy9xxO83dP4iiWV5yfSeSzijFuI+zHtpaDtjdJ7UzaPhV7163QoMF0NcR4Ie34IrDesajYUwC/D45vF1v4y3aQ== X-Received: by 2002:a65:458d:: with SMTP id o13mr114131617pgq.34.1564611421758; Wed, 31 Jul 2019 15:17:01 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:02 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-15-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 14/29] ACPI: Limit access to custom_method when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org --- drivers/acpi/custom_method.c | 6 ++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 8 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index b2ef4c2ec955..7031307becd7 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -9,6 +9,7 @@ #include #include #include +#include #include "internal.h" @@ -29,6 +30,11 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + int ret; + + ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + if (ret) + return ret; if (!(*ppos)) { /* parse the table header to get the table length */ diff --git a/include/linux/security.h b/include/linux/security.h index 155ff026eca4..1c32522b3c5a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -110,6 +110,7 @@ enum lockdown_reason { LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, + LOCKDOWN_ACPI_TABLES, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d99c0bee739d..ecb51b1a5c03 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", + [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069685 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 58C5A1395 for ; Wed, 31 Jul 2019 22:19:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4B30E27F3E for ; Wed, 31 Jul 2019 22:19:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3F56527F81; Wed, 31 Jul 2019 22:19:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 96AD827F17 for ; Wed, 31 Jul 2019 22:19:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727887AbfGaWTM (ORCPT ); Wed, 31 Jul 2019 18:19:12 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:47843 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731297AbfGaWRF (ORCPT ); Wed, 31 Jul 2019 18:17:05 -0400 Received: by mail-pf1-f201.google.com with SMTP id f25so44122283pfk.14 for ; Wed, 31 Jul 2019 15:17:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=klghF8F9jCh3lGq1PlqD6+/L30+aHC8n0RDXrpkxL3I=; b=g+gTa4LqQH20zCJciwnO6YvWGBXEyfQjUBh3mqCVmw1D2WwnyD7eDIi1PTLDUahdRS Sx7iq/LZKSbS9dJ5AGYtxi6didXdD1VqvqzMT01foMBaxKkBcqQ6+jzwprZzErkXWRS1 3msMg+zlu8cnKO2j0mCX1FzYi5O/lBlFW9/ld0+ZAzJ7Kb/rthD++w2R8wuy5/PKcmOi kT45zAK03gPDl4Ir2fxNNFowqMkKPf9F3nWOgVmXS12tNwHpicptJZTdZI+4Ol7OJVbB Btmm2ih+cO2vy83JVfQqPrpzBKTCis6Bw0V+esANuhr9WaB2xzyxGau6Ug+osZLKHSUx 3/1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=klghF8F9jCh3lGq1PlqD6+/L30+aHC8n0RDXrpkxL3I=; b=UrpifJ+O49l0eCrIsu/dBWRi9zI1YeqNpBw2il3Z3SAm+qc3sBXHFRaX0TpZ8x5TA4 qIc6FPi9MplIWbS2udF57DsqRWfmSUpqS68BP4C8cNtoZfEpF00lU8r+P+tLK0bWK/5B n3302+5yHpxLHGvBgYTPKb5IkYubuFCEHuVfnm/ejvweEg6/p6NZxBeaff5tuFcPqNak NiHhGE6bTIFDtwJXflx18evKnjP+YJaKz+9VhXqGooXFEQ11NGKnzFT5fIESsl+VrE9i fcnkmq99p4ZP9e5edCRewYJS0QLY+a3m9YULV9/XX2ri2Mh7XpHtSHMqSPl9faXGECHt rWmw== X-Gm-Message-State: APjAAAW+IzJtEf5CxGGO1QMBhUL1B9ap49iSUfEr2ky0exzvsFTGJoJA 5RpnSiY4gSBIqB3WboHn7+WtjpcPLH64mNnDcp5nOw== X-Google-Smtp-Source: APXvYqwzPMtpkPbGUc3NZc/t84m5E7WL6Vl9kAHyPM7B+anR7yHljemMiz+5eHdeRSf8CpDeFvAuKhmN+Lgp6mUjCukA+w== X-Received: by 2002:a63:1e05:: with SMTP id e5mr259333pge.153.1564611424198; Wed, 31 Jul 2019 15:17:04 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:03 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-16-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Josh Boyer , David Howells , Matthew Garrett , Kees Cook , Dave Young , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down. This requires some reworking of the existing RSDP command line logic, since the early boot code also makes use of a command-line passed RSDP when locating the SRAT table before the lockdown code has been initialised. This is achieved by separating the command line RSDP path in the early boot code from the generic RSDP path, and then copying the command line RSDP into boot params in the kernel proper if lockdown is not enabled. If lockdown is enabled and an RSDP is provided on the command line, this will only be used when parsing SRAT (which shouldn't permit kernel code execution) and will be ignored in the rest of the kernel. (Modified by Matthew Garrett in order to handle the early boot RSDP environment) Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: Dave Young cc: linux-acpi@vger.kernel.org --- arch/x86/boot/compressed/acpi.c | 19 +++++++++++++------ arch/x86/include/asm/acpi.h | 9 +++++++++ arch/x86/include/asm/x86_init.h | 2 ++ arch/x86/kernel/acpi/boot.c | 5 +++++ arch/x86/kernel/x86_init.c | 1 + drivers/acpi/osl.c | 14 +++++++++++++- include/linux/acpi.h | 6 ++++++ 7 files changed, 49 insertions(+), 7 deletions(-) diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c index 15255f388a85..149795c369f2 100644 --- a/arch/x86/boot/compressed/acpi.c +++ b/arch/x86/boot/compressed/acpi.c @@ -26,7 +26,7 @@ struct mem_vector immovable_mem[MAX_NUMNODES*2]; */ #define MAX_ADDR_LEN 19 -static acpi_physical_address get_acpi_rsdp(void) +static acpi_physical_address get_cmdline_acpi_rsdp(void) { acpi_physical_address addr = 0; @@ -278,10 +278,7 @@ acpi_physical_address get_rsdp_addr(void) { acpi_physical_address pa; - pa = get_acpi_rsdp(); - - if (!pa) - pa = boot_params->acpi_rsdp_addr; + pa = boot_params->acpi_rsdp_addr; /* * Try to get EFI data from setup_data. This can happen when we're a @@ -311,7 +308,17 @@ static unsigned long get_acpi_srat_table(void) char arg[10]; u8 *entry; - rsdp = (struct acpi_table_rsdp *)(long)boot_params->acpi_rsdp_addr; + /* + * Check whether we were given an RSDP on the command line. We don't + * stash this in boot params because the kernel itself may have + * different ideas about whether to trust a command-line parameter. + */ + rsdp = (struct acpi_table_rsdp *)get_cmdline_acpi_rsdp(); + + if (!rsdp) + rsdp = (struct acpi_table_rsdp *)(long) + boot_params->acpi_rsdp_addr; + if (!rsdp) return 0; diff --git a/arch/x86/include/asm/acpi.h b/arch/x86/include/asm/acpi.h index aac686e1e005..bc9693c9107e 100644 --- a/arch/x86/include/asm/acpi.h +++ b/arch/x86/include/asm/acpi.h @@ -117,6 +117,12 @@ static inline bool acpi_has_cpu_in_madt(void) return !!acpi_lapic; } +#define ACPI_HAVE_ARCH_SET_ROOT_POINTER +static inline void acpi_arch_set_root_pointer(u64 addr) +{ + x86_init.acpi.set_root_pointer(addr); +} + #define ACPI_HAVE_ARCH_GET_ROOT_POINTER static inline u64 acpi_arch_get_root_pointer(void) { @@ -125,6 +131,7 @@ static inline u64 acpi_arch_get_root_pointer(void) void acpi_generic_reduced_hw_init(void); +void x86_default_set_root_pointer(u64 addr); u64 x86_default_get_root_pointer(void); #else /* !CONFIG_ACPI */ @@ -138,6 +145,8 @@ static inline void disable_acpi(void) { } static inline void acpi_generic_reduced_hw_init(void) { } +static inline void x86_default_set_root_pointer(u64 addr) { } + static inline u64 x86_default_get_root_pointer(void) { return 0; diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h index ac0934189017..19435858df5f 100644 --- a/arch/x86/include/asm/x86_init.h +++ b/arch/x86/include/asm/x86_init.h @@ -134,10 +134,12 @@ struct x86_hyper_init { /** * struct x86_init_acpi - x86 ACPI init functions + * @set_root_poitner: set RSDP address * @get_root_pointer: get RSDP address * @reduced_hw_early_init: hardware reduced platform early init */ struct x86_init_acpi { + void (*set_root_pointer)(u64 addr); u64 (*get_root_pointer)(void); void (*reduced_hw_early_init)(void); }; diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 17b33ef604f3..04205ce127a1 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -1760,6 +1760,11 @@ void __init arch_reserve_mem_area(acpi_physical_address addr, size_t size) e820__update_table_print(); } +void x86_default_set_root_pointer(u64 addr) +{ + boot_params.acpi_rsdp_addr = addr; +} + u64 x86_default_get_root_pointer(void) { return boot_params.acpi_rsdp_addr; diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c index 1bef687faf22..18a799c8fa28 100644 --- a/arch/x86/kernel/x86_init.c +++ b/arch/x86/kernel/x86_init.c @@ -95,6 +95,7 @@ struct x86_init_ops x86_init __initdata = { }, .acpi = { + .set_root_pointer = x86_default_set_root_pointer, .get_root_pointer = x86_default_get_root_pointer, .reduced_hw_early_init = acpi_generic_reduced_hw_init, }, diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index 9c0edf2fc0dd..d43df3a3fa8d 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include @@ -180,8 +181,19 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + /* + * We may have been provided with an RSDP on the command line, + * but if a malicious user has done so they may be pointing us + * at modified ACPI tables that could alter kernel behaviour - + * so, we check the lockdown status before making use of + * it. If we trust it then also stash it in an architecture + * specific location (if appropriate) so it can be carried + * over further kexec()s. + */ + if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) { + acpi_arch_set_root_pointer(acpi_rsdp); return acpi_rsdp; + } #endif pa = acpi_arch_get_root_pointer(); if (pa) diff --git a/include/linux/acpi.h b/include/linux/acpi.h index e40e1e27ed8e..6b35f2f4cab3 100644 --- a/include/linux/acpi.h +++ b/include/linux/acpi.h @@ -643,6 +643,12 @@ bool acpi_gtdt_c3stop(int type); int acpi_arch_timer_mem_init(struct arch_timer_mem *timer_mem, int *timer_count); #endif +#ifndef ACPI_HAVE_ARCH_SET_ROOT_POINTER +static inline void acpi_arch_set_root_pointer(u64 addr) +{ +} +#endif + #ifndef ACPI_HAVE_ARCH_GET_ROOT_POINTER static inline u64 acpi_arch_get_root_pointer(void) { From patchwork Wed Jul 31 22:16:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069683 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0A28813A4 for ; Wed, 31 Jul 2019 22:19:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F0C1127F17 for ; Wed, 31 Jul 2019 22:19:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E4E3627F81; Wed, 31 Jul 2019 22:19:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 918F027F17 for ; Wed, 31 Jul 2019 22:19:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729407AbfGaWTJ (ORCPT ); Wed, 31 Jul 2019 18:19:09 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:32891 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731304AbfGaWRI (ORCPT ); Wed, 31 Jul 2019 18:17:08 -0400 Received: by mail-vs1-f73.google.com with SMTP id x140so18308244vsc.0 for ; Wed, 31 Jul 2019 15:17:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=Tmn4zMTjEPlUC2x7KbFrZqCSBZYi0Bx5tDyyMiSTkHI=; b=KNtYwwW10pBzgMhIxkJCS/uENsLSdnfeR4Sv0jIZjE/kqgEDSSHm7qFmZbYcYGhoW6 ah/D6endKWnFZUJYaYj7c4Z+Ww90IGwhNDxIsN8ddpHHjZu1K7WMe4g+HC9ErAOL+Oan P+BwGpuxFHwb5gLspVTRu+6V+KSMYrvGqWk/8uA5Bh2vAksZ/MPON9EHcNcYaMbAc+XA C8a2S8I67YkszaV+R1icsFv0U0LpSf3kIpJXXD+cQD5wRZp78DzPMYAZY0V+NEYlQnJJ vgeuo4JK2gW0U5FN7kBmSeEw1cE/vN5M3uTg1hBFh/FZ4R94jpLxHeYydBoPJgYD3CRN TwlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=Tmn4zMTjEPlUC2x7KbFrZqCSBZYi0Bx5tDyyMiSTkHI=; b=ukFGYYGqVmpbwMkKPbRvhyACoNhz9cR1oVslwUFIxYi873NCTTQLHU/2aYALqj02Tz bLYRndRirJ49R604xmMkQAiPRbXtCYLa8bql9rLJSYkRFh35HO4GuCqN7HmMCmU+QKJA 7739maDeDdQ6GJhoVAdS2aG3o5uRvi+WsTYlWx8TpOf4YRPXZEqgeHR8VDFVyQhVfX5D 1GpdN1O7IXd/i32fj35Yj1d7qdSUjIlgsDrLC7DWTE2F5QLOZNHX75PtDheDefRUn+eF qLKlwJZefYN3EXX1CMGKXtX/gzHncki7FCzGV23XHels92Q95tJ9LTj6FhNfwx3YbVrH kLeA== X-Gm-Message-State: APjAAAU7EIgxQVCNdERL05P3mNdro9NgrXqEd+0vBkZwCijf+hZZ/VnW Hbb89J3YNCXcbmuvcL+LY6z/1yZneEWBVEIj5ZAtCg== X-Google-Smtp-Source: APXvYqyn7wWBd2XqZE1SpADBue93B65mbiHUDF9eDEu3R6HN098MIwjsGaS2ZfwdCHJzwoGqIuAtZDoBJTZs2wCzIwTnOA== X-Received: by 2002:ab0:4307:: with SMTP id k7mr12696958uak.45.1564611426939; Wed, 31 Jul 2019 15:17:06 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:04 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-17-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 16/29] acpi: Disable ACPI table override if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Linn Crosetto , David Howells , Matthew Garrett , Kees Cook , linux-acpi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Linn Crosetto From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org --- drivers/acpi/tables.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index b32327759380..180ac4329763 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "internal.h" #ifdef CONFIG_ACPI_CUSTOM_DSDT @@ -578,6 +579,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (security_locked_down(LOCKDOWN_ACPI_TABLES)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); From patchwork Wed Jul 31 22:16:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069679 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 881111395 for ; Wed, 31 Jul 2019 22:19:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7672927F17 for ; Wed, 31 Jul 2019 22:19:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6A9EF27F81; Wed, 31 Jul 2019 22:19:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BF84727F17 for ; Wed, 31 Jul 2019 22:19:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728938AbfGaWTC (ORCPT ); Wed, 31 Jul 2019 18:19:02 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:56781 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731317AbfGaWRK (ORCPT ); Wed, 31 Jul 2019 18:17:10 -0400 Received: by mail-pf1-f201.google.com with SMTP id x10so44197134pfa.23 for ; Wed, 31 Jul 2019 15:17:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=dLYiAr9hqix+w29Ej2S74ESH31+c2YOxCuX5zuQe/lQ=; b=J+R9NUO+EGzhsAS+m7c7T6iL5dyKw3ljJgj6BiTleClCqjtCkL+kDdezdvcfJsGDJ3 4cZ/Pja44HS7lRZcjKwU+essKoGJAGX49BZChnDX5eS3gUwv132EaOLiDNO5ingG5GjE Hltl6luJSw70OVN8qxNs+3AsY1u8GWtW5bBKTx6/LtlzUyenj1VnNDQo5j53whvNvE5S 3f/HX7+8T9WT81XFNhC83MGeSW2rLzVeUBBdJUwfOrA1GWSDXG+SZizQGxgdAofeB7+V 5mqdOiQZj3P1HA5clhctegxqzkvrJ15LJWEBdBUrocyOqFQzzQSuDIddJnpvNnIkBYoO sD2A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=dLYiAr9hqix+w29Ej2S74ESH31+c2YOxCuX5zuQe/lQ=; b=jPJxQvKSCePHKdmFk86nb9Fe908Ai/N3Bw//RkC3QSY6dY2gcSA9RjlIwhVQxO6phe IOL+xJrDz7m9t3o9+dEDyIRfaJSNzD3jLY6CnBJReaK+7/2bY5HVVHN7IOBsDuatpKT0 79eybL4TCy5h8RUmtJ3H+mhGdeYleF5c+qqI9K4gtqfXxbon4edjcsDsY5/Z3tFasgyB xMzcynONpP7OANPvDQR9JRxMvlln4ZpEzJuDnfKonF1kpUCutd6I7g5f496FqahLWk3F 25Trw6R/M1Cn7GDGkEPS2Y/XpY6k8S73W+fS1StD2B7zn9cz/qRHabNq6IzU+vyyw49L TUpg== X-Gm-Message-State: APjAAAUvo8Bx/Qc7xe/z1r3jwbOect9ADRpVtBiyZEdqCB33GPXCIhlc cn36qa4186nMXmqIiEXv0sMc6Pnb3xO5iZChbFX0NQ== X-Google-Smtp-Source: APXvYqwQus0lJGImYcSy61wdfORdev9zJKBsUr+9s8EamtAjx/4lM5SZqKuI6SuBut2QwhBzvMi/sB17oQh+vRzaoIESNQ== X-Received: by 2002:a63:6c46:: with SMTP id h67mr107976504pgc.248.1564611429249; Wed, 31 Jul 2019 15:17:09 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:05 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-18-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Dominik Brodowski , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- drivers/pcmcia/cistpl.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index abd029945cc8..629359fe3513 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -1575,6 +1576,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + error = security_locked_down(LOCKDOWN_PCMCIA_CIS); + if (error) + return error; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) diff --git a/include/linux/security.h b/include/linux/security.h index 1c32522b3c5a..3773ad09b831 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -111,6 +111,7 @@ enum lockdown_reason { LOCKDOWN_IOPORT, LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, + LOCKDOWN_PCMCIA_CIS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index ecb51b1a5c03..22482e1b9a77 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -26,6 +26,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", + [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069677 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D2DC91395 for ; Wed, 31 Jul 2019 22:19:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C11A827F3E for ; Wed, 31 Jul 2019 22:19:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B266E27F81; Wed, 31 Jul 2019 22:19:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 47F6027F17 for ; Wed, 31 Jul 2019 22:19:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730012AbfGaWTB (ORCPT ); Wed, 31 Jul 2019 18:19:01 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:35344 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731328AbfGaWRM (ORCPT ); Wed, 31 Jul 2019 18:17:12 -0400 Received: by mail-pl1-f201.google.com with SMTP id s21so38298314plr.2 for ; Wed, 31 Jul 2019 15:17:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=AYLtZ41z1RHlFpOZnl+JGLaHaK4EJ2Av6xB01tUKIjQ=; b=vvpeXRKyc5OhHv4Gr/tukOYbwIwjOYYXtqIP/Io9iIGtPO3Kve6jw/W7bz2rF/pLv1 RlW5o4cGWbTXLPdROo8nSoKA3X7rpN7sDIwV1d/Fkm3vpj5fFKlODN732XeUwRiYz3Ke TW9ChBbAGCWNTBdcbOZ73xw4f5kes2Emo/1AT/+3MfhQ8BoEcrnKZHlAFFwFtqt85uMv Hrp+989qk4cKlnGSLSV1ao/ObzrMwaeocP0iHhwU4p9uXakErgQiaqLm3O0VzWsyNNyY 9CqLjrTvWM8AjYlNkYT/fe066FOTrmczakFGWc6cjFSFGLsLIYYWVoFByBrYFECbZTDO MNew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=AYLtZ41z1RHlFpOZnl+JGLaHaK4EJ2Av6xB01tUKIjQ=; b=aF6CXDjY5DYlErjNLx4RotJ3KStnYfsxib669OygTuzmxAa3DukmLrJgsHdRm2GluM 2rC0x1FxWX5DB3328m0Vj0ibYd5P94O3OWpXA6u5Z0/NMxJ10yaoW9WoC2df6if4CBp7 0+Qafiku7ipMcsq9Gwc2izkFgg7AKKW+JL22MgP1VXj6lKcXYUJNO3VObEUayK8uOXxP jC2iW981BBtmfMEzn5Ot0GCUCi9i5yQufGwMZlhlonA1dKE6D3gwhp14TqJKdBaY61GA 866zywryqTQGigK90hynv0mSmu5B9Mr1Lu2w7eft8ClEt4hT/zwpDv0sC3DdzAGjTVWt 0GBA== X-Gm-Message-State: APjAAAX+UoXRJBcjPJF+r8FFbW7DGfL9wlqOKpwjw5JZyfbs960gwW0h suKFAQZEa5m5P1zhMxWWUJBvaO1doJRICq/Z7r5B2w== X-Google-Smtp-Source: APXvYqzkiW7uEdQQUtaZ0YHcWPNEQQcr9wR/H4mTJIlJ8xEUbv8Q5RP5zNIsLLGkfkAO0eul945srgorH4QzlUVn11pgkg== X-Received: by 2002:a63:5402:: with SMTP id i2mr88751122pgb.414.1564611431661; Wed, 31 Jul 2019 15:17:11 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:06 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-19-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 18/29] Lock down TIOCSSERIAL From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Greg Kroah-Hartman , Matthew Garrett , Kees Cook , Jiri Slaby , linux-serial@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: Jiri Slaby Cc: linux-serial@vger.kernel.org --- drivers/tty/serial/serial_core.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 4223cb496764..6e713be1d4e9 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -862,6 +863,10 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, goto check_and_exit; } + retval = security_locked_down(LOCKDOWN_TIOCSSERIAL); + if (retval && (change_irq || change_port)) + goto exit; + /* * Ask the low level driver to verify the settings. */ diff --git a/include/linux/security.h b/include/linux/security.h index 3773ad09b831..8f7048395114 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -112,6 +112,7 @@ enum lockdown_reason { LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, + LOCKDOWN_TIOCSSERIAL, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 22482e1b9a77..00a3a6438dd2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -27,6 +27,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", + [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069675 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B99681395 for ; Wed, 31 Jul 2019 22:18:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AA5C927F17 for ; Wed, 31 Jul 2019 22:18:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9E9BA27F3E; Wed, 31 Jul 2019 22:18:57 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CC79927F81 for ; Wed, 31 Jul 2019 22:18:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731369AbfGaWS4 (ORCPT ); Wed, 31 Jul 2019 18:18:56 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:35346 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731335AbfGaWRP (ORCPT ); Wed, 31 Jul 2019 18:17:15 -0400 Received: by mail-pl1-f201.google.com with SMTP id s21so38298364plr.2 for ; Wed, 31 Jul 2019 15:17:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=ar9F1ezXL3PnxEqF0y9aMqfwFMY9y395H3iSelAOa90=; b=KWryge+ybANXRbNwbUlERn6tPnwObLcAGOMqHbxqjgpCmsk/Mut4arFhCyIb2hfV9o EB8iIwoveNQHMvvNvyxTyS/VzhNO7cqfI1jcH5rLsrEgZtM0txb1f5q8bGplFaDdTsci Hs5qgHmgKnDAxCCreraAX4kWLdnl9aI+/ysG9zmGFWxnMHaI7YpHKqGUYXKrNByUNwLA IYXzRZxeDx2m8D5owUvvR/boWpHMxnOTFIEe9l3Ogpxti1aHnVn8g4VRwrDHOBdXGeqH q8NuCf8RuwoDuvwll7S3PdWmI2wr9oFVVsM7EWoWcwcvLfKfMVMHOmO20T0SXWJ7JDzD mTOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=ar9F1ezXL3PnxEqF0y9aMqfwFMY9y395H3iSelAOa90=; b=ScjTYV2Mqx4qCXt2KEvOL3EnnthZB2Hi6GfXs4MedNtLKqNeIYqc+jVRlNSnuXJUVc yNU1oOSFPtzWG9R2WSHqHOfKrpB1Ov6tRzQvjJJJI8u8QjwZOTpViZ1cLKVnL3WNopG1 VRXZCB6Fwd1lObamLeLo44mDfyDdN8gavESjbKT49HMcL7stsb74+2dapTFG4XUWDKfM kGCCecJS8WxIFp4bO0dNbN0OjUho7BlMCTtNx7Hy7MfwVz+xsCunZfyExOotzzP5J90t DiCfmnCKMHtNBdqgWTPPOqLK+AgfApsHs2lSyNt+G4T/U4vpeygayXoedwLqdupKZhV9 NkjQ== X-Gm-Message-State: APjAAAV9VP5FPR94Gm2DPJxpMSnF97s83a491STVjSw/pBqv26oyB/bF ZQ2+994/zBuE1rEhMjlsttgTTSTatY21P/bZOmvDPg== X-Google-Smtp-Source: APXvYqwJSSTh2CmEEh9mZY1CZ3A0484iF1hyOxUMQ7arAImv2uOzpLvnEyasM52OJEs0/dbgDoUYiDnStbZtl54N/RNuwQ== X-Received: by 2002:a65:5342:: with SMTP id w2mr31174414pgr.261.1564611434315; Wed, 31 Jul 2019 15:17:14 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:07 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-20-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 19/29] Lock down module params that specify hardware parameters (eg. ioport) From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alan Cox , Matthew Garrett , Kees Cook , Jessica Yu Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Jessica Yu --- include/linux/security.h | 1 + kernel/params.c | 28 +++++++++++++++++++++++----- security/lockdown/lockdown.c | 1 + 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 8f7048395114..43fa3486522b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -113,6 +113,7 @@ enum lockdown_reason { LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, + LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/params.c b/kernel/params.c index cf448785d058..f2779a76d39a 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_SYSFS /* Protects all built-in parameters, modules use their own param_lock */ @@ -96,13 +97,20 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + security_locked_down(LOCKDOWN_MODULE_PARAMETERS)) + return false; + if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + return true; } static int parse_one(char *param, @@ -132,8 +140,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } @@ -541,6 +551,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) ((mod)->name) +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, @@ -553,8 +569,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 00a3a6438dd2..5177938cfa0d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", + [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069651 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8F46A14DB for ; Wed, 31 Jul 2019 22:17:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F3B627F17 for ; Wed, 31 Jul 2019 22:17:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 72D5227F81; Wed, 31 Jul 2019 22:17:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7AE6127F17 for ; Wed, 31 Jul 2019 22:17:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729127AbfGaWRT (ORCPT ); Wed, 31 Jul 2019 18:17:19 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:40512 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731348AbfGaWRS (ORCPT ); Wed, 31 Jul 2019 18:17:18 -0400 Received: by mail-qk1-f202.google.com with SMTP id c1so59248357qkl.7 for ; Wed, 31 Jul 2019 15:17:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=0wvr7l0OfQCpncv5jcw0tGNb43fa+c615YU3AwXBobQ=; b=JtMG+7GfDdoaoq8E+Gpj5xUJvOyHAHIBQYN/5LMZv06DTj6ZvlEm2cJUCONAwzGUbP GK36LK9w+ftPnukYabwQIKWRmVwDi4Pl1KEKPEDvl7Fo3u/OJlTVhn3iV1fWGbjoy7QN s/HadNGszchMetFyBlbfiOchIuq8Tjvbgfm9Za5ZK20lXUFd79+hX5IE0h7NK+KIe4Xk jS4zcSBFQ3AEbVpTjuh/miN5rqBsVs1zzhXIKrsVVIkKzgVZZc6DQOgKMnowxWxNcRV4 gvGcQMZ9j9NkVGd9ArI82+xY/6cbbO0HFaHWXRZ+aEgjjS7Ix3QR6oGrnLeWOcVNfSTA uruw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=0wvr7l0OfQCpncv5jcw0tGNb43fa+c615YU3AwXBobQ=; b=I5c5RW1NP8xxWxEmBzJ8je2rtPS/EKrZOCOLWYAHvRKqwXE0sNVjiArUpWfJCTj0Ma zwY9JLHkduLEkyvac9EzWxwMgdCeaD+ByuUG6JDLSFBj0SSzulCs5fAWpJdMA2iPw50s 70U0iaSA/jjVwv26pFl+v4YVb5xDn5ApNLv8PhGqQWWDliGsILipuA5F5gBS0vjnNnMh QveZbE9f7xOWZjO/8CPVdNP5uHsk+RD3u+N439+Z9uzfm6Xg3DBV6DVBHdqFTDj3XXz8 oHleU9qcXITBG8xqqE/oJys+UiVeb9+s4idtkfjD7TmU2gojTcgn+MD0X2MaPf3DJmRV Hw+w== X-Gm-Message-State: APjAAAVpo+FnFZksskZUNlvgT0GgaxyNe3fBN+FReehi+jvvE9yawro1 DsZmycr5GuWk5cpBd6YD8My/5mnr80+zh/sud4naAQ== X-Google-Smtp-Source: APXvYqxUoO/oavOOyoTYQRAm2XiiclbrazlFt1RtxZDfQMp3ob+EXXLfNSnGBHTCU7U7KZPBAfTvul8eCr2Xy8uirW8VdQ== X-Received: by 2002:a37:d95:: with SMTP id 143mr52836481qkn.132.1564611437244; Wed, 31 Jul 2019 15:17:17 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:08 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-21-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 20/29] x86/mmiotrace: Lock down the testmmiotrace module From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Thomas Gleixner , Matthew Garrett , Steven Rostedt , Kees Cook , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy. Suggested-by: Thomas Gleixner Signed-off-by: David Howells Acked-by: Steven Rostedt (VMware) Reviewed-by: Kees Cook cc: Thomas Gleixner cc: Steven Rostedt cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org --- arch/x86/mm/testmmiotrace.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index 0881e1ff1e58..a8bd952e136d 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c @@ -8,6 +8,7 @@ #include #include #include +#include static unsigned long mmio_address; module_param_hw(mmio_address, ulong, iomem, 0); @@ -115,6 +116,10 @@ static void do_test_bulk_ioremapping(void) static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + int ret = security_locked_down(LOCKDOWN_MMIOTRACE); + + if (ret) + return ret; if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); diff --git a/include/linux/security.h b/include/linux/security.h index 43fa3486522b..3f7b6a4cd65a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -114,6 +114,7 @@ enum lockdown_reason { LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, + LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 5177938cfa0d..37b7d7e50474 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -29,6 +29,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", + [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069673 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0700F1395 for ; Wed, 31 Jul 2019 22:18:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB22627F17 for ; Wed, 31 Jul 2019 22:18:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DE62027F94; Wed, 31 Jul 2019 22:18:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3901A27F17 for ; Wed, 31 Jul 2019 22:18:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728174AbfGaWSt (ORCPT ); Wed, 31 Jul 2019 18:18:49 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:36986 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731351AbfGaWRV (ORCPT ); Wed, 31 Jul 2019 18:17:21 -0400 Received: by mail-qk1-f202.google.com with SMTP id k13so59407416qkj.4 for ; Wed, 31 Jul 2019 15:17:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=FIo2fvd2ZRzAOCkOenwujWvUsEXtgcv+etTkEkyg1xI=; b=ZhaBOeUn+nS6E4T1+sBKPnygtWezzpdPerEqfA5uqkD0XE7ajx1N3BtNS+gYIFvTMv m5/OTl8rt5TML9cNVvxzr00+WM4rpnQh6KtnkCsy852F9N/KziU4WPdi4AoTxbrZOIGD ZOFwSYsTuejxhPisUAE8hIyWXaA2sjlt5OXBzdmnDWJ5pncwcDuVfcYf0NntTSKlpQjp rKKZtgFGHKjLXws/EcubYglXFByM0y93MDCDhUiun16sMe93nN1WtD4on0KReHoc1RCd b6udBfRpp4S+HJiB9HNdkFhA4hO9S++7vB0TtCj9NlX8THX3Qm4rDqKyBqdn1siC5g4u RUoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=FIo2fvd2ZRzAOCkOenwujWvUsEXtgcv+etTkEkyg1xI=; b=q2+3A5ejU0hRwTjaWZ45jmr+cgEAy9D+2Qjp6ehyB8RpZKy6LyGsY8/E7l/Yp6CFzL nRoSNDHDPELQnPCqJIdBi3W/NKSIxZvhp2lg1Zq2B7LdDOvXRXjpstmX27BJFgX+QyqL LuyTCKlJnV/MyjNt+1KNG/QeSP0pG+0aVwLzBxlXnTh1DLLKzz0NO6sJlfpYAljD0Krh zkyMTW+tjpDeEPZUZPA7dZH97+0fLlaMNJyMw7owwxOKaKgM84n/c61wNx6F+vYfoa29 m6NvqF9PvCFRGzczZFTx38Q7WAL4+K9VxOw7cK0fJX5lX3vx/M6Zj5WAfMhax9m3A1Gj 2ubw== X-Gm-Message-State: APjAAAU/lWtvOHb9ofS+twOdLVnfe1ELsRovat10t+aOLChHnmBxXaSB LCzxHulC05F4JmKdyeilQUkeoY5YMC0qHtPbkEAPxQ== X-Google-Smtp-Source: APXvYqxuoZZS41br52XXtB1It9wntwqv+gu5vKv5JgSETNL3oo/Kz9hO3JnuMiwnS1ORMBDzqM9a9+iQGWlIZZ9K5OtTDA== X-Received: by 2002:a0c:8690:: with SMTP id 16mr91555482qvf.228.1564611439834; Wed, 31 Jul 2019 15:17:19 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:09 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-22-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 21/29] Lock down /proc/kcore From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- fs/proc/kcore.c | 5 +++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index f5834488b67d..ee2c576cc94e 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "internal.h" @@ -545,6 +546,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_KCORE); + + if (ret) + return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; diff --git a/include/linux/security.h b/include/linux/security.h index 3f7b6a4cd65a..f0cffd0977d3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -116,6 +116,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, + LOCKDOWN_KCORE, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 37b7d7e50474..c050b82c7f9f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -31,6 +31,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", + [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069653 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 22F2514DB for ; Wed, 31 Jul 2019 22:17:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 13CCF27F17 for ; Wed, 31 Jul 2019 22:17:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 07B3D27F81; Wed, 31 Jul 2019 22:17:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9A20927F17 for ; Wed, 31 Jul 2019 22:17:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731366AbfGaWRX (ORCPT ); Wed, 31 Jul 2019 18:17:23 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:44322 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731347AbfGaWRX (ORCPT ); Wed, 31 Jul 2019 18:17:23 -0400 Received: by mail-pg1-f201.google.com with SMTP id i134so6518940pgd.11 for ; Wed, 31 Jul 2019 15:17:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=XvMhL8IcfVDNreN9SwFKf8wrtWYtjyv1vRVRyj1buwk=; b=W9cI3RPflL4c24ovch/52afOAvuq1DhLW6d+6JcVypuSEDBi+/161uWz7FOWeu7l4o uuYOAnN5evOgfmJXgdhaUbz2WJptg4yJiMR6Wwye9GuFVZ5Ps5yrdZkg6keJgh9ul0gA k/ByRAD38a/Ih7GV117hNLB0q0GSb29kFiM8p989TjI8wClGYyeKbp9V4iNkueKeEbyo PcmSQDUbYAAcXEWtWMO6R5czWcQ8/y/bPH9coyx4WgrjoiKhBp0/D6Yrod5WE0sy4+Pa 38NNF2OHvq8iNfaw5+k7mRWujpt5sGnyv1dCGMfXJeZddS4XAMRCPd+QFTLcyT1XdYtM px1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=XvMhL8IcfVDNreN9SwFKf8wrtWYtjyv1vRVRyj1buwk=; b=KndfsV85DMT5ALK7ZWl7qgFuiq861eLq9ZnXLl84YrrOy1D/20Sy604CwPltfeW95O yh+BawfWA4N/Bjn1SgtX0ncipGPJRCd74H4BzF/yU4VVFairS1eSXNRktS2SfO2fIdq4 s+sug7E+p+69h/gA3CYdmN+UfKSZo3pHDzffeVsr6ZtJGL4dM1eRI2JghoqjJeI53EF3 uPGQH4Xjie1pXbKbQhbDhQ+Jna7Gc/6/x8GWTvsL4cOj13TmmMV4x+yFAWDh0tmAgIWP gD5Lp0C9RU9o41FkQj28aZDl7Y0yraANPEarunNmIxNcozUCYdhjeBpEidU2iIiOHA42 flPw== X-Gm-Message-State: APjAAAWHyQDkW5fz8C1AYL2oYXD4Ygo6SmDhJxWok2hw5oXhfLca/4AJ 8UykNfP01xWVibeGk83s7yO8WuGCzOqjYnF1H1iPDA== X-Google-Smtp-Source: APXvYqx17wXe+gpNAd3o3lTDSw6EZOYhYK2Ai9SHQvAutywjVDyQNvDTWItFuoT51ck80sN/Cs6cCWRrqFeirbm1QX5o+w== X-Received: by 2002:a63:b20f:: with SMTP id x15mr6928111pge.453.1564611442370; Wed, 31 Jul 2019 15:17:22 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:10 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 22/29] Lock down tracing and perf kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 9d483ad9bb6c..d5fbade68b33 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include /* for COMMAND_LINE_SIZE */ @@ -389,6 +390,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_kprobe_is_registered(tk)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c050b82c7f9f..6b123cbf3748 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069671 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E6BA91395 for ; Wed, 31 Jul 2019 22:18:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D561D27F17 for ; Wed, 31 Jul 2019 22:18:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C6F6427F94; Wed, 31 Jul 2019 22:18:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1567D27F54 for ; Wed, 31 Jul 2019 22:18:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728268AbfGaWSs (ORCPT ); Wed, 31 Jul 2019 18:18:48 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:38669 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731369AbfGaWRZ (ORCPT ); Wed, 31 Jul 2019 18:17:25 -0400 Received: by mail-qk1-f202.google.com with SMTP id n190so59404248qkd.5 for ; Wed, 31 Jul 2019 15:17:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=8yt0J0pt8aHuQPT7nXOB+XR/9vHKjGA14LTvJs583ko=; b=qaM4FD9hTiJEd2YW/5LgkZdUqi2/uuM8SnVUWfcL6vnIqCHEq9Taa7iUdxqe18Wcrv Dn5SENlGYiQb0xgBozezRWkkgmae8+cqjo4xKs+XBU5VuB4o2O4mEJYQN2SMj5IHuPRQ 8EsLmPOLnfbYXxE7Ti3pwPdUjYl3YcH6psOQ0YEk/eHV/9MfDH4OCRrZWN7oH+tXz54z voYa91Ir+BPbk87GQE4+ZorXx+Ti3PMkr5HzwhFEcTN7Y9r+zUuqu5nA+tfF94JVAuoS BqVZgERJ2tAMvDEkAQ1ixhEEXkVZePif6MlzDRDj7Qs/9/iaAfY2jlUrvPyPKYtpgf9E kloA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=8yt0J0pt8aHuQPT7nXOB+XR/9vHKjGA14LTvJs583ko=; b=jff28E9qSs/qAvxv1Xnj+avaRfN0CRqOqYMT7SgW1qa0sP6iibDyoRJ3DV/t7EDE7d 9jGY9YYn2eympN7OYW3nC/ldxHRHP6FKMA6p9moS/vB9f/THwANYrgX9zaolKFRY7+4s CV7AxWPnl4HdfCu01gGD3K/+JOx+H4U5e2uUZ+R3f7nu+KGpLaV/ClL3X29KhGdRWTgA i/4+r2spJ/CSY+KpPRhtkhvvJWWxuY9TxuHudSKdYp1RoyBB0UCBoYSiQiM7Lb+PXwj9 BKSgl7lT8oKXob6Ybslfm6p4Y1PZsa7tTF07dLraG3FStkI+65ZYsoWvRfkhbd1UxCvB w3zw== X-Gm-Message-State: APjAAAU33umwS3JRQ4DMX/RC9hjiy0aD03XGsHU+P39SzOdPv8w/sjAY VCXbhaNcEFGTGj+Wq6+Yta3IghxPFOl5opbgz9GbfQ== X-Google-Smtp-Source: APXvYqwLPyN9ICwBuxsioIaCMSDc+sjgw+9DOmPZDaLdUXEdwglGnut4x/i0sqM0yeNXyF3d3VIqg/ebEP/4bEpy/PTuPg== X-Received: by 2002:a37:b0c6:: with SMTP id z189mr81991658qke.208.1564611444988; Wed, 31 Jul 2019 15:17:24 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:11 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-24-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Kees Cook , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells bpf_read() and bpf_read_str() could potentially be abused to (eg) allow private keys in kernel memory to be leaked. Disable them if the kernel has been locked down in confidentiality mode. Suggested-by: Alexei Starovoitov Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann --- include/linux/security.h | 1 + kernel/trace/bpf_trace.c | 10 ++++++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 12 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 987d8427f091..8dd1741a52cd 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -118,6 +118,7 @@ enum lockdown_reason { LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, + LOCKDOWN_BPF_READ, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index ca1255d14576..492a8bfaae98 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -142,8 +142,13 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret < 0) + goto out; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) +out: memset(dst, 0, size); return ret; @@ -569,6 +574,10 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + ret = security_locked_down(LOCKDOWN_BPF_READ); + if (ret < 0) + goto out; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing @@ -580,6 +589,7 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, */ ret = strncpy_from_unsafe(dst, unsafe_ptr, size); if (unlikely(ret < 0)) +out: memset(dst, 0, size); return ret; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 6b123cbf3748..1b89d3e8e54d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", + [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069669 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BC8C413A4 for ; Wed, 31 Jul 2019 22:18:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id ACDBC27F17 for ; Wed, 31 Jul 2019 22:18:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A0BCC27F81; Wed, 31 Jul 2019 22:18:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 373FA27F17 for ; Wed, 31 Jul 2019 22:18:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731388AbfGaWR3 (ORCPT ); Wed, 31 Jul 2019 18:17:29 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:41641 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731370AbfGaWR2 (ORCPT ); Wed, 31 Jul 2019 18:17:28 -0400 Received: by mail-pl1-f201.google.com with SMTP id i3so38352803plb.8 for ; Wed, 31 Jul 2019 15:17:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=wWUVtXS/AXD8335Dh0MfmfyjjxhSNslzhtjFi/unWYg=; b=WgfOcd+GV4OVtIno0HQyfo43vO+tBTJBq9QqE6rV1M2zqAcxD7E/ZD5NsA7EhpUuc5 45s7M16pcxOi4rEVdkQ+9hFbF71/H6IROYSjAGIzuKO3KcbZyB0V3asJufea/KwGp5SW Z5kUm/+pkMmllKBYgzvd1zuvdvEQsG3UHwOFfRGPsF4UA4yAvWSSZ/cFiWPX2+FziZc5 2Mv9La03pwKvRun/H4eTMcwUSq9nm2Nn4rUedo3V1XrZcfmbQ1J6qPvC2pkSFmY0UYmb CH900MEmb5G5qo33u9sHDlHQbBiVKeDw/9aqsLb9CfjGVDzAeu+88OEkv0NPeG9L5okI 3UNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=wWUVtXS/AXD8335Dh0MfmfyjjxhSNslzhtjFi/unWYg=; b=nYIg4Q9T3zMypyGd/YT4FelEXOuBSckuqXJsYzbvM7ipZ6xXSAtl9RfsTTwjDFA8Eh NTlzLhzPcsJkzHnfA+DPFM854wBvC6rBpDRErV8+Vg/8ItUA+brtLZ9qH8CUL9OQzouD VJ4erD2mGTu2RqtsA19kSpF/BfL+BJsAJZWeYLmjmSAK5d7drsnWyrCyL7H1fDEFFDz0 1PsdevVailWHZqumb1jWAwPZHCv5BcH5cQhsJG+zeqqCt/Rpje2kuGzCtfT7uPNY8bI9 RxxWyAfx5WUI4R/7wwX2YSscZ+DWv246gFoWTn2x9/8/pj1wzurN+7+xNDl3kTeEt3wS zSLA== X-Gm-Message-State: APjAAAXPYs+N7ViiquCmcRJObmY9Ma+0/hBQPcZBvaW2SWOgiM3+T/zJ 2Wb/uU2TTKpNCmr7V+OgimVQ9u80OS1NjfIH5v8VpA== X-Google-Smtp-Source: APXvYqy+X2dzCHtRPst4ysDD9BbNu7qMVvFfzAyzKqmC9bYr5tZu+RgvWdURQcxGPILgA+Sxs9/P5zStyGUFpMScbfDltQ== X-Received: by 2002:a63:d30f:: with SMTP id b15mr114671377pgg.341.1564611447877; Wed, 31 Jul 2019 15:17:27 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:12 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-25-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 24/29] Lock down perf when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo --- include/linux/security.h | 1 + kernel/events/core.c | 7 +++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 8dd1741a52cd..8ef366de70b0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -119,6 +119,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index c1f52a749db2..5c520b60163a 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10826,6 +10826,13 @@ SYSCALL_DEFINE5(perf_event_open, perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + + err = 0; + /* * In cgroup mode, the pid argument is used to pass the fd * opened to the cgroup directory in cgroupfs. The cpu argument diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 1b89d3e8e54d..fb437a7ef5f2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069655 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EA6B813A4 for ; Wed, 31 Jul 2019 22:17:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DAFE427F17 for ; Wed, 31 Jul 2019 22:17:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CF19327F81; Wed, 31 Jul 2019 22:17:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 491A627F17 for ; Wed, 31 Jul 2019 22:17:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731397AbfGaWRc (ORCPT ); Wed, 31 Jul 2019 18:17:32 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:38867 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731396AbfGaWRb (ORCPT ); Wed, 31 Jul 2019 18:17:31 -0400 Received: by mail-pf1-f202.google.com with SMTP id e25so44214466pfn.5 for ; Wed, 31 Jul 2019 15:17:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=Ogy4z5xXdkGcZVx/gotBD44dFgIvUZxytASg1dmnrz4=; b=Bajk5gYeO0raa2iJAXLUTeo1rNux2thWTyxy5cP2BZX9rVUFcLLwBM1Ihyr4IW6Uxu OVe2hKqMjonh2PlJah6B/xRvCxOEBYAVBGbGtG5SxGXbvgbox/ljX9f23uTjmk8CdtHj OpACdBgg8QTDRBPMzNVaG3NusYWPWtzuSDBMG1K3yU06iS9f0IVwyo5+DUjxp1ZaqLKn 2PqUsKDMn3y2VNU/ELITmp+dzRb2ku3sU7bSFIAZC3m3mAJLzfVbP0Edc+IQpH/qk47X 2UowsAKC5Wju2BwdPCp4ZZhOFCQRE0tSdOQOXnHroYpPv2eDlt8O+buvUZBVcS1GIREQ Qz/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=Ogy4z5xXdkGcZVx/gotBD44dFgIvUZxytASg1dmnrz4=; b=IIUG9SDEPjSqPRIs3QCLTg+UQUVggc64IkvPpWWaLuFlRFiipF/9EflF59QUP+cuVa 25BkgbuL8ZLi31gfumc7ttrBVoLKwOrmKGYi2QJkvGv6/qJMhXlU7fZcb7UqZGBtNAL4 2Auf6qi0d1Kb5k77udSX+VnbIdHclsuCiV5yzt22nOfVYOguou5i60yuRC46tEnwgR4R UDmaq9gEfJBwVP1JOqHr+EwvFax9sF83Wa/ZfAkwQP8fhwzIOvAnGL8AT3tOCccFma21 XxZ0lIc9FPb99l1UcV+HjItZq+vU/Q4xIgRwYn9WSfRXmr5RY5Kz8VJ5piU7MWOdpsd7 Tdkw== X-Gm-Message-State: APjAAAVnnh+s2RBmW4C96ABb4ispdf8cO3VDVZQmTBO6JWO8GPZ/yB2d KDgsyIHmg64vwg2Ke2pWvZMEJZ9gEp8YJgyIaMJorw== X-Google-Smtp-Source: APXvYqxZSsn4zOtqAMIbC8IIUJ8BgotlRvfyfmjrcz+Kzfba+ryUsIe0e+54iON0Ue9ORs3wFILRx4yWxTev9k6Xexi4Gg== X-Received: by 2002:a63:6c7:: with SMTP id 190mr114475501pgg.7.1564611450073; Wed, 31 Jul 2019 15:17:30 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:13 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-26-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett Acked-by: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 12 +++++-- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 3 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index a20ad398d260..1c37f17f7203 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index dd06f1070d66..13c9960a5860 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -228,9 +228,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = security_locked_down(LOCKDOWN_KEXEC); - if (ret) + ret = 0; + + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC)) { + ret = -EPERM; goto out; + } break; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 011b91c79351..64dcb11cf444 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -113,6 +113,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 584019728660..b9f57503af2c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 6df7f641ff66..827f1e33fe86 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. + */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ From patchwork Wed Jul 31 22:16:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069665 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5F16813A4 for ; Wed, 31 Jul 2019 22:18:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4EE0B27F17 for ; Wed, 31 Jul 2019 22:18:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4306427F81; Wed, 31 Jul 2019 22:18:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 87A7627F17 for ; Wed, 31 Jul 2019 22:18:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729459AbfGaWSZ (ORCPT ); Wed, 31 Jul 2019 18:18:25 -0400 Received: from mail-pg1-f202.google.com ([209.85.215.202]:42589 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731396AbfGaWRd (ORCPT ); Wed, 31 Jul 2019 18:17:33 -0400 Received: by mail-pg1-f202.google.com with SMTP id q10so20566833pgi.9 for ; Wed, 31 Jul 2019 15:17:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=ntXMs3tuU1WJWAT2FcG/TTitDVr73WJt0FGo+YbSY68=; b=HrqnGgT/Kx9hNGqVlVUgxnIYl8rTBybQ5Ifj2bggLCtzemtg2blYVGJnWffbszo0G4 UjpHxW7HkBRdo+INLWhc2IdjCbhXZgEQAyRDJP7VOCjca5XaX8JP3xsW4cw3/ItmAR9w dVVXTLsma167hFq93lDweBzp0DSst3nDGEQiAB+UsZcWxpj4hB4YeI6Zfw9m7aScye1X BHjkyJyHMgUbuhXo35blKaHLa1jtFfEaLkQtn1NloMxZSDPrmPucX8FaypPD045qIOk/ GmM0qi5ox7Ho4Xicn1IuSwqboZe5rlqLPYk/gJ+2MJxFFO9+ROiNLWDI4+Zot70/0RUU db6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=ntXMs3tuU1WJWAT2FcG/TTitDVr73WJt0FGo+YbSY68=; b=domstpHxMsvJsuWQb1Ths0dR6kSeXqXWPTdngjZe6H4g+MG2aUZx0NBETwRP7G4Xqw W0Y5uYTdjuwQnlLLTJ1ydNvCZ8EmcLP+dVvpgYj5aRPRd5SvPWWd8C5YTQ8ex/L6d58r GrUc2EQ4AgbkSXTfOlSDVPcFOiIN5WOLgq/4Ub/jR7RzVTagPAYl4gdiTpGvGQ0MqI5G npsqDaBDfBp7wcCPdAOJaYRI/hG+YJymRhDAv7vgMP/wwuz47SwUYAYsZjTW6C/6J3bQ /RGynvbDd9e3KS6GtPRmX/ArqF1lkNGuzHZ94m4yd2H80sra8MMc6RU2Di++gxzDfg/A vhJA== X-Gm-Message-State: APjAAAV60PJ/r37vojRi13o7Ek4LCeMHpmnM8E+YfLJBNHsUfzf1EaUZ +a57h6MPdv5rzN4zETavzqSLq+eTVGB5nzK64M+gLA== X-Google-Smtp-Source: APXvYqx9DA2EjjfkcwjhE4budPDyV07tqbfVAJJzleENfVZUWm3i3nqE3fBnVJrX9ObnRu9QWiOGVhTVLL4ak7oB/pRHyg== X-Received: by 2002:a63:e54f:: with SMTP id z15mr115321144pgj.4.1564611452695; Wed, 31 Jul 2019 15:17:32 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:14 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-27-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 26/29] debugfs: Restrict debugfs when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Andy Shevchenko , acpi4asus-user@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, Matthew Garrett , Thomas Gleixner , Greg KH , "Rafael J . Wysocki" , Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made: (1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that). (2) When the kernel is locked down, only files with the following criteria are permitted to be opened: - The file must have mode 00444 - The file must not have ioctl methods - The file must not have mmap (3) When the kernel is locked down, files may only be opened for reading. Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs. Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver. I would actually prefer to lock down all files by default and have the the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables). Signed-off-by: David Howells cc: Andy Shevchenko cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner Cc: Greg KH Cc: Rafael J. Wysocki Signed-off-by: Matthew Garrett --- fs/debugfs/file.c | 30 ++++++++++++++++++++++++++++++ fs/debugfs/inode.c | 32 ++++++++++++++++++++++++++++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 4 files changed, 62 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 93e4ca6b2ad7..87846aad594b 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "internal.h" @@ -136,6 +137,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return security_locked_down(LOCKDOWN_DEBUGFS); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +167,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +297,11 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = debugfs_is_locked_down(inode, filp, real_fops); + if (r) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index ec5c197985ec..51ced4ae9280 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -27,6 +27,7 @@ #include #include #include +#include #include "internal.h" @@ -36,6 +37,32 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + int ret = security_locked_down(LOCKDOWN_DEBUGFS); + + if (ret && (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) + return ret; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -353,6 +380,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -516,7 +544,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) } inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ @@ -616,7 +644,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry); diff --git a/include/linux/security.h b/include/linux/security.h index 8ef366de70b0..d92323b44a3f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -115,6 +115,7 @@ enum lockdown_reason { LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, + LOCKDOWN_DEBUGFS, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index fb437a7ef5f2..88064ce1c844 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -30,6 +30,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", [LOCKDOWN_MMIOTRACE] = "unsafe mmio", + [LOCKDOWN_DEBUGFS] = "debugfs access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", From patchwork Wed Jul 31 22:16:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069661 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 880BB1395 for ; Wed, 31 Jul 2019 22:18:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 781CC27F17 for ; Wed, 31 Jul 2019 22:18:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6B6BB27F81; Wed, 31 Jul 2019 22:18:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E945927F17 for ; Wed, 31 Jul 2019 22:18:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728590AbfGaWSU (ORCPT ); Wed, 31 Jul 2019 18:18:20 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:52554 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731414AbfGaWRg (ORCPT ); Wed, 31 Jul 2019 18:17:36 -0400 Received: by mail-vs1-f74.google.com with SMTP id g189so18238696vsc.19 for ; Wed, 31 Jul 2019 15:17:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=lAGo2XEfN1Kmsxc7Q91nfXTi8fMC4u4EK30rK7PWIbE=; b=FZCV7mLbwgIyfiHg2Uw26K8PzqMs/1VlHh76kTcAH9mnfXS7n/oSsgvblYsFl5auM4 mBOEFvy28hQLGkmT1c4BZLYH7v0L6tIeCyxfgskIB9st8ur99CzAHj8VpYbqEbfSOcgl oNMJxPh+CGcNjgIEiDCLThuyt+DuYEJYYzkozB83eyoL4EAUcqzDzyngBZUHN+Ek+/PA fUKYK3gyCrm+tV2dSghSL+ScFBI8kxrLV4nzm9O9pD8hvu++Msi8X++zQZPaeQ3nJIkA h1/DwalZk7aHIIyrFM19hqg0RzU6W9pRu+1CCfgn8mlcEsjj1T68cKwEyFLcPECS5+Le q39Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=lAGo2XEfN1Kmsxc7Q91nfXTi8fMC4u4EK30rK7PWIbE=; b=VZ2Uf6i+e+mzy6emasuGLpkuNhVf3Q06Hgz0ksNwyIfMrZIDJFUVMBIG+jH9bokf/x G72u9+6rifxuRgk4IQwujipjnEF+EecDMJ4LfUn6zXty3xYpW0QW/0HZHzn0jSRCcP4q XZ1f52ay+pkieB+P6M+t2P5xPLPb8VGJ9wx7e1L7f7jZmjRMwYhzy2vrRijjcVS0veM0 95vBfVGn6r3XweqiU/2/CwqR8Kbu4VOunSeaqqK6gJWMNlaG070WBBMDklgKRkSxkKWo cKp023uNG1w5mEf1tlXJkT83bjSv1Jt6gBaeyTNM+bprEGbVu8tbVNFGYWT4PQAxKWY0 DIfA== X-Gm-Message-State: APjAAAVnCfciziMJ4PkzYIyVamOvPXxXQASZjUMby7xepHBd8HVVkB2U nZO9Wuy4Wo0l6wFDmy4i0qPwkVYazjQEd9pydt5PEA== X-Google-Smtp-Source: APXvYqwG4y0stuCufR4GwC5aczm36WyzPrpRc/G81/aIXNuWHFNCNG8/CzGPDwcxg7tCNmwEPDieuxg7TVbFr1nO5czu5w== X-Received: by 2002:a67:f1d6:: with SMTP id v22mr78230446vsm.178.1564611455461; Wed, 31 Jul 2019 15:17:35 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:15 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-28-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 27/29] tracefs: Restrict tracefs when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Steven Rostedt Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open(). Signed-off-by: Matthew Garrett Reviewed-by: Steven Rostedt (VMware) --- fs/tracefs/inode.c | 40 +++++++++++++++++++++++++++++++++++- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index 1387bcd96a79..12a325fb4cbd 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c @@ -21,6 +21,7 @@ #include #include #include +#include #define TRACEFS_DEFAULT_MODE 0700 @@ -28,6 +29,23 @@ static struct vfsmount *tracefs_mount; static int tracefs_mount_count; static bool tracefs_registered; +static int default_open_file(struct inode *inode, struct file *filp) +{ + struct dentry *dentry = filp->f_path.dentry; + struct file_operations *real_fops; + int ret; + + if (!dentry) + return -EINVAL; + + ret = security_locked_down(LOCKDOWN_TRACEFS); + if (ret) + return ret; + + real_fops = dentry->d_fsdata; + return real_fops->open(inode, filp); +} + static ssize_t default_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) { @@ -210,6 +228,12 @@ static int tracefs_apply_options(struct super_block *sb) return 0; } +static void tracefs_destroy_inode(struct inode *inode) +{ + if (S_ISREG(inode->i_mode)) + kfree(inode->i_fop); +} + static int tracefs_reconfigure(struct fs_context *fc) { struct super_block *sb = fc->root->d_sb; @@ -236,6 +260,7 @@ static int tracefs_show_options(struct seq_file *m, struct dentry *root) static const struct super_operations tracefs_super_operations = { .statfs = simple_statfs, + .destroy_inode = tracefs_destroy_inode, .show_options = tracefs_show_options, }; @@ -372,6 +397,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, struct dentry *parent, void *data, const struct file_operations *fops) { + struct file_operations *proxy_fops; struct dentry *dentry; struct inode *inode; @@ -387,8 +413,20 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode, if (unlikely(!inode)) return failed_creating(dentry); + proxy_fops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); + if (unlikely(!proxy_fops)) { + iput(inode); + return failed_creating(dentry); + } + + if (!fops) + fops = &tracefs_file_operations; + + dentry->d_fsdata = (void *)fops; + memcpy(proxy_fops, fops, sizeof(*proxy_fops)); + proxy_fops->open = default_open_file; inode->i_mode = mode; - inode->i_fop = fops ? fops : &tracefs_file_operations; + inode->i_fop = proxy_fops; inode->i_private = data; d_instantiate(dentry, inode); fsnotify_create(dentry->d_parent->d_inode, dentry); diff --git a/include/linux/security.h b/include/linux/security.h index d92323b44a3f..807dc0d24982 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -121,6 +121,7 @@ enum lockdown_reason { LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF, + LOCKDOWN_TRACEFS, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 88064ce1c844..173191562047 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -36,6 +36,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", [LOCKDOWN_PERF] = "unsafe use of perf", + [LOCKDOWN_TRACEFS] = "use of tracefs", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; From patchwork Wed Jul 31 22:16:16 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069659 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0B65213A4 for ; Wed, 31 Jul 2019 22:18:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EF0C227F17 for ; Wed, 31 Jul 2019 22:18:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E336327F81; Wed, 31 Jul 2019 22:18:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8F93827F17 for ; Wed, 31 Jul 2019 22:18:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731433AbfGaWRj (ORCPT ); Wed, 31 Jul 2019 18:17:39 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:46458 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731431AbfGaWRj (ORCPT ); Wed, 31 Jul 2019 18:17:39 -0400 Received: by mail-vk1-f201.google.com with SMTP id j63so29956503vkc.13 for ; Wed, 31 Jul 2019 15:17:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=BzJTfX0sYPsZSKyjJWnAiNewKfNmb8++vKsSknaZcxY=; b=NQeE8brzaM3nBKem2ZVyyY3FlEol8+CrHwKsZLyG2nOLqNXrqwU1ggJ6taMJBGtcvu u7ivnCOY/vCLH1PL1/ogOR1ufcUTaOZ5A/mx04CAwV3BoOuxIBirZiRs95dk3JRblihh tXPBxMpECDPUl9yY6d9SLCc2j/+TY7PF7+dohxG/zRAacI1a3PqRwnerhdX3/TNysAoS v/R6NSDtkIvFt4+d+hrBiGHwm3+8hQa3NyNj3mVZY9VVwj/L7gOlu1B21IDKaq5Gi8qX tOMgZItvzzSlRYr4GQVKc1U79UZPz8SKxqxaYhkJRhn4p2NfwVnpKyTpZK6Vvz1uJwiT QjVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=BzJTfX0sYPsZSKyjJWnAiNewKfNmb8++vKsSknaZcxY=; b=fOWyrJy8vm5fG/1vxXGNAH1jIk69QS3SEsKQtwbZAj9dRdpw9sKAIb1OfAzyHO+TOf wwStZahySpJi/blgfbyyhBOdmzyJelrrLSQZl0jw/hTf34to8ExL6tI1OfQfQ9Qepx21 PXENMxNfEz0slfGQjVMb/fba2OaZQ6HU7aj9R2zhN/W2xB8Yr4k4Md+rlIK1vSDsgteX z8/xYRtYkrgN5qF4C4Xr+QFAnPs399oN8K1DCWbb6zP+MRdTViwFhGdAAuUhlaB4BQeY P3HuQzfBVE7bKaAXrals43n1JnvlnfL237LKgGx9j11wEdGr1RA+4AwwFnDRmJidWGF7 e/6A== X-Gm-Message-State: APjAAAUjibi3BgRsXmwy30e5qNLhKOY7RKQKsZ490lT4VV4tgHwAZ6E3 xvO+uGTsNKIPdmnbrhXMYNlnbNihHKYq7P3Re1SE7A== X-Google-Smtp-Source: APXvYqxXL/N38PSOgMKwgKt2xZvaRoxQEDDLyN7w15v7c2XIakO5nBHL6rYO8tJ55Q7U2Z/pstfcpGH7UN4+XC4dCW0dhQ== X-Received: by 2002:a67:8907:: with SMTP id l7mr80628361vsd.194.1564611458042; Wed, 31 Jul 2019 15:17:38 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:16 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-29-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , Ard Biesheuvel , Kees Cook , linux-efi@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. Signed-off-by: Matthew Garrett Acked-by: Ard Biesheuvel Reviewed-by: Kees Cook Cc: Ard Biesheuvel Cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/efi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index ad3b1f4866b3..776f479e5499 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -30,6 +30,7 @@ #include #include #include +#include #include @@ -242,6 +243,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else From patchwork Wed Jul 31 22:16:17 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 11069657 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 48E2A1395 for ; Wed, 31 Jul 2019 22:17:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 399FD27F54 for ; Wed, 31 Jul 2019 22:17:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2DF6727F97; Wed, 31 Jul 2019 22:17:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CE7A427F81 for ; Wed, 31 Jul 2019 22:17:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731448AbfGaWRn (ORCPT ); Wed, 31 Jul 2019 18:17:43 -0400 Received: from mail-vs1-f74.google.com ([209.85.217.74]:39886 "EHLO mail-vs1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731442AbfGaWRm (ORCPT ); Wed, 31 Jul 2019 18:17:42 -0400 Received: by mail-vs1-f74.google.com with SMTP id p62so18219178vsd.6 for ; Wed, 31 Jul 2019 15:17:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=QAOtO6nDHkYJ9N49TmHslQT3rCi9zyycpSkmU2B1+ww=; b=vsBNHav/9gjDzuC/p4k/ehf5+i2a6WpWSYUinwPcIuMUWwom487dxrSyQaeEFjlILD GuWeQYzRIr7AcvrVQ6N9OjJnHtUFW82QbCHblLe/DE5ZDgEbMkl9yz0XaBQlkK3hIrhE CRaE81+xyV8pKZV+03bT3FOuVQrkl25+woHlOuMHJqrrquF/lkqyUH+uVl4t0zaG1fPI pRfyY6anyqwruTQIYELP/0HE2XyrhE4MuNhGIKY4Yp9/6ptTxjVu3BL6dZdyvYJLtW+2 iV2zl7xFM87zPbJFwuFGcMhESUot7F/OBzXyBtK/6fgmn8xSe1xZhY/BGloJWxbrUgS/ jeyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=QAOtO6nDHkYJ9N49TmHslQT3rCi9zyycpSkmU2B1+ww=; b=QqOHOUZ0vF0s2qVpFp1PZ4GNPCRkw4J7SL3NVpu7lJB24yRgDlorJzRlxjn/xn5Gas vcgVzDKMzkBuk/zpE5wIo781tQoZVy01oQihqoSBFUFhNQ1wpQF+4Sqi6I0e2NY7405X SfkSP+dz8SFCi5WUHMI/X+5he8+na8kv1Q1zQ+jT6dn9vx9EAU6z5R4UZWGrF56DM+10 qDmOm5z2oHZxlVuji/Gm4q5OeKepl3+/g3PH71gxaoeAbX9jshlE85RbIuan7h7scC2x lXLQM5D069O91pgp5y1k4Fggxw/SPhOquTLegoeE3/OBYPxmujDZS309yA7okZCA6wfN 509A== X-Gm-Message-State: APjAAAUTaIXhCtDUstgcbYUD0ZfR02BBu3AszAIoA7Cx1yj1pT2KpQuq fTDwj4xiNVAeAndg8jorDiUUQvO6bDXRB9yjw/0SSg== X-Google-Smtp-Source: APXvYqxUkdmcNxJs0oiJsLLUnAtxrUaESFBqxq+3RtL2nKYerZv5EnzIdcZz6oLV9x/tGowxt8hi1N3I0JS7+k+vkc4ihw== X-Received: by 2002:ac5:c4cc:: with SMTP id a12mr27573495vkl.28.1564611460638; Wed, 31 Jul 2019 15:17:40 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:17 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-30-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 29/29] lockdown: Print current->comm in restriction messages From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Kees Cook Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: : is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook --- fs/proc/kcore.c | 5 +++-- security/lockdown/lockdown.c | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index ee2c576cc94e..e2ed8e08cc7a 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp) { int ret = security_locked_down(LOCKDOWN_KCORE); - if (ret) - return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; + if (ret) + return ret; + filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!filp->private_data) return -ENOMEM; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 173191562047..f6c74cf6a798 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param); */ static int lockdown_is_locked_down(enum lockdown_reason what) { + if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX, + "Invalid lockdown reason")) + return -EPERM; + if (kernel_locked_down >= what) { if (lockdown_reasons[what]) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - lockdown_reasons[what]); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, lockdown_reasons[what]); return -EPERM; }