From patchwork Wed Mar 6 23:58:46 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842007
Date: Wed, 6 Mar 2019 15:58:46 -0800
Message-Id: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PULL REQUEST] Kernel lockdown patches for 5.2
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

Hi James,

This patchset introduces an optional kernel lockdown feature, intended to
strengthen the boundary between UID 0 and the kernel. When enabled and
active (by enabling the config option and passing the "lockdown" option on
the kernel command line), various pieces of kernel functionality are
restricted. Applications that rely on low-level access to either hardware
or the kernel may cease working as a result - therefore this should not be
enabled without appropriate evaluation beforehand.

The majority of mainstream distributions have been carrying variants of
this patchset for many years now, so there's value in providing a unified
upstream implementation to reduce the delta. This PR probably doesn't meet
every distribution requirement, but gets us much closer to not requiring
external patches.

This PR is mostly the same as the previous attempt, but with the following
changes:

1) The integration between EFI secure boot and the lockdown state has been
   removed
2) A new CONFIG_KERNEL_LOCK_DOWN_FORCE kconfig option has been added, which
   will always enable lockdown regardless of the kernel command line
3) The integration with IMA has been dropped for now. IMA is in the process
   of adding support for architecture-specific policies that will interact
   correctly with the lockdown feature, and a followup patch will integrate
   that so we don't end up with an ordering dependency on the merge

The following changes since commit 468e91cecb3218afd684b8c422490dfebe0691bb:

  keys: fix missing __user in KEYCTL_PKEY_QUERY (2019-03-04 15:48:37 -0800)

are available in the Git repository at:

  https://github.com/mjg59/linux lock_down

for you to fetch changes up to 3d53449e0ac1df8cfdcc1ec48dc9cb622f220300:

  lockdown: Print current->comm in restriction messages (2019-03-06 13:32:19 -0800)

----------------------------------------------------------------
Dave Young (1):
      Copy secure_boot flag in boot params across kexec reboot

David Howells (12):
      Add the ability to lock down access to the running kernel image
      Enforce module signatures if the kernel is locked down
      Prohibit PCMCIA CIS storage when the kernel is locked down
      Lock down TIOCSSERIAL
      Lock down module params that specify hardware parameters (eg. ioport)
      x86/mmiotrace: Lock down the testmmiotrace module
      Lock down /proc/kcore
      Lock down kprobes
      bpf: Restrict kernel image access functions when the kernel is locked down
      Lock down perf
      debugfs: Restrict debugfs when the kernel is locked down
      lockdown: Print current->comm in restriction messages

Jiri Bohac (2):
      kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
      kexec_file: Restrict at runtime if the kernel is locked down

Josh Boyer (2):
      hibernate: Disable when the kernel is locked down
      acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

Kyle McMartin (1):
      Add a SysRq option to lift kernel lockdown

Linn Crosetto (2):
      acpi: Disable ACPI table override if the kernel is locked down
      acpi: Disable APEI error injection if the kernel is locked down

Matthew Garrett (7):
      Restrict /dev/{mem,kmem,port} when the kernel is locked down
      kexec_load: Disable at runtime if the kernel is locked down
      uswsusp: Disable when the kernel is locked down
      PCI: Lock down BAR access when the kernel is locked down
      x86: Lock down IO port access when the kernel is locked down
      x86/msr: Restrict MSR access when the kernel is locked down
      ACPI: Limit access to custom_method when the kernel is locked down

 arch/x86/Kconfig | 20 +++++--
 arch/x86/include/asm/setup.h | 2 +
 arch/x86/kernel/ioport.c | 6 +-
 arch/x86/kernel/kexec-bzimage64.c | 1 +
 arch/x86/kernel/msr.c | 10 ++++
 arch/x86/mm/testmmiotrace.c | 3 +
 crypto/asymmetric_keys/verify_pefile.c | 4 +-
 drivers/acpi/apei/einj.c | 3 +
 drivers/acpi/custom_method.c | 3 +
 drivers/acpi/osl.c | 2 +-
 drivers/acpi/tables.c | 5 ++
 drivers/char/mem.c | 2 +
 drivers/input/misc/uinput.c | 1 +
 drivers/pci/pci-sysfs.c | 9 +++
 drivers/pci/proc.c | 9 ++-
 drivers/pci/syscall.c | 3 +-
 drivers/pcmcia/cistpl.c | 3 +
 drivers/tty/serial/serial_core.c | 6 ++
 drivers/tty/sysrq.c | 19 ++++--
 fs/debugfs/file.c | 28 +++++++++
 fs/debugfs/inode.c | 30 +++++++++-
 fs/proc/kcore.c | 2 +
 include/linux/input.h | 5 ++
 include/linux/kernel.h | 17 ++++++
 include/linux/kexec.h | 4 +-
 include/linux/security.h | 9 ++-
 include/linux/sysrq.h | 8 ++-
 kernel/bpf/syscall.c | 3 +
 kernel/debug/kdb/kdb_main.c | 2 +-
 kernel/events/core.c | 5 ++
 kernel/kexec.c | 7 +++
 kernel/kexec_file.c | 54 ++++++++++++++---
 kernel/kprobes.c | 3 +
 kernel/module.c | 39 +++++++++---
 kernel/params.c | 26 ++++++--
 kernel/power/hibernate.c | 2 +-
 kernel/power/user.c | 3 +
 security/Kconfig | 24 ++++++++
 security/Makefile | 3 +
 security/lock_down.c | 106 +++++++++++++++++++++++++++++++++
 40 files changed, 447 insertions(+), 44 deletions(-)
 create mode 100644 security/lock_down.c

From patchwork Wed Mar 6 23:58:48 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842069
Date: Wed, 6 Mar 2019 15:58:48 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-3-matthewgarrett@google.com>
Subject: [PATCH 02/27] Add a SysRq option to lift kernel lockdown
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Kyle McMartin

Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified.

On x86 this is triggered with SysRq+x, but this key may not be available on
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
Since this macro must be defined in an arch to be able to use this facility
for that arch, the Kconfig option is restricted to arches that support it.

Signed-off-by: Kyle McMartin
Signed-off-by: David Howells
cc: x86@kernel.org
Signed-off-by: Matthew Garrett
---
 arch/x86/include/asm/setup.h | 2 ++
 drivers/input/misc/uinput.c | 1 +
 drivers/tty/sysrq.c | 19 ++++++++++-----
 include/linux/input.h | 5 ++++
 include/linux/sysrq.h | 8 +++++-
 kernel/debug/kdb/kdb_main.c | 2 +-
 security/Kconfig | 9 +++++++
 security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++
 8 files changed, 85 insertions(+), 8 deletions(-)

diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h index ed8ec011a9fd..8daf633a5347 100644 --- a/arch/x86/include/asm/setup.h +++ b/arch/x86/include/asm/setup.h @@ -9,6 +9,8 @@ #include #include +#define LOCKDOWN_LIFT_KEY 'x' + #ifdef __i386__ #include diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 8ec483e8688b..c2a77dc73fa0 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev) dev->flush = uinput_dev_flush; } + dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; dev->event = uinput_dev_event; input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c index 1f03078ec352..0a05d336008e 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c @@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { /* x: May be registered on mips for TLB dump */ /* x: May be registered on ppc/powerpc for xmon */ /* x: May be registered on sparc64 for global PMU dump */ + /* x: May be registered on x86_64 for disabling secure boot */ NULL, /* x */ /* y: May be registered on sparc64 for global register dump */ NULL, /* y */ @@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } -void __handle_sysrq(int key, bool check_mask) +void __handle_sysrq(int key, unsigned int from) { struct sysrq_key_op *op_p; int orig_log_level; @@ -543,11 +544,15 @@ void __handle_sysrq(int key, bool check_mask) op_p = __sysrq_get_key_op(key); if (op_p) { + /* Ban synthetic events from some sysrq functionality */ + if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && + op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) + printk("This sysrq operation is disabled from userspace.\n"); /* * Should we check for enabled operations (/proc/sysrq-trigger * should not) and is the invoked operation enabled? */ - if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { + if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); @@ -579,7 +584,7 @@ void __handle_sysrq(int key, bool check_mask) void handle_sysrq(int key) { if (sysrq_on()) - __handle_sysrq(key, true); + __handle_sysrq(key, SYSRQ_FROM_KERNEL); } EXPORT_SYMBOL(handle_sysrq); 
@@ -659,7 +664,7 @@ static void sysrq_do_reset(struct timer_list *t) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) - __handle_sysrq(sysrq_xlate[KEY_B], false); + __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, @@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, default: if (sysrq->active && value && value != 2) { + int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? + SYSRQ_FROM_SYNTHETIC : 0; sysrq->need_reinject = false; - __handle_sysrq(sysrq_xlate[code], true); + __handle_sysrq(sysrq_xlate[code], from); } break; } @@ -1096,7 +1103,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, if (get_user(c, buf)) return -EFAULT; - __handle_sysrq(c, false); + __handle_sysrq(c, SYSRQ_FROM_PROC); } return count; diff --git a/include/linux/input.h b/include/linux/input.h index 7c7516eb7d76..38cd0ea72c37 100644 --- a/include/linux/input.h +++ b/include/linux/input.h @@ -42,6 +42,7 @@ struct input_value { * @phys: physical path to the device in the system hierarchy * @uniq: unique identification code for the device (if device has it) * @id: id of the device (struct input_id) + * @flags: input device flags (SYNTHETIC, etc.) * @propbit: bitmap of device properties and quirks * @evbit: bitmap of types of events supported by the device (EV_KEY, * EV_REL, etc.) @@ -124,6 +125,8 @@ struct input_dev { const char *uniq; struct input_id id; + unsigned int flags; + unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; @@ -190,6 +193,8 @@ struct input_dev { }; #define to_input_dev(d) container_of(d, struct input_dev, dev) +#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 + /* * Verify that we are in sync with input_device_id mod_devicetable.h #defines */ diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h index 8c71874e8485..7de1f08b60a9 100644 
--- a/include/linux/sysrq.h +++ b/include/linux/sysrq.h @@ -29,6 +29,8 @@ #define SYSRQ_ENABLE_BOOT 0x0080 #define SYSRQ_ENABLE_RTNICE 0x0100 +#define SYSRQ_DISABLE_USERSPACE 0x00010000 + struct sysrq_key_op { void (*handler)(int); char *help_msg; @@ -43,8 +45,12 @@ struct sysrq_key_op { * are available -- else NULL's). */ +#define SYSRQ_FROM_KERNEL 0x0001 +#define SYSRQ_FROM_PROC 0x0002 +#define SYSRQ_FROM_SYNTHETIC 0x0004 + void handle_sysrq(int key); -void __handle_sysrq(int key, bool check_mask); +void __handle_sysrq(int key, unsigned int from); int register_sysrq_key(int key, struct sysrq_key_op *op); int unregister_sysrq_key(int key, struct sysrq_key_op *op); struct sysrq_key_op *__sysrq_get_key_op(int key); diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c index 82a3b32a7cfc..efee1abf5e8e 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv) return KDB_ARGCOUNT; kdb_trap_printk++; - __handle_sysrq(*argv[1], check_mask); + __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); kdb_trap_printk--; return 0; diff --git a/security/Kconfig b/security/Kconfig index 47dc3403b5af..8346eb883336 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -244,6 +244,15 @@ config LOCK_DOWN_KERNEL_FORCE help Enable the kernel lock down functionality automatically at boot. +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + bool "Allow the kernel lockdown to be lifted by SysRq" + depends on LOCK_DOWN_KERNEL + depends on MAGIC_SYSRQ + depends on X86 + help + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key + combination on a wired keyboard. + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" diff --git a/security/lock_down.c b/security/lock_down.c index 13a8228c1034..cfbc2c39712b 100644 --- a/security/lock_down.c +++ b/security/lock_down.c 
@@ -11,8 +11,14 @@ #include #include +#include +#include +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ +static __read_mostly bool kernel_locked_down; +#else static __ro_after_init bool kernel_locked_down; +#endif /* * Put the kernel into lock-down mode. 
@@ -57,3 +63,44 @@ bool __kernel_is_locked_down(const char *what, bool first) return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down); + +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + +/* + * Take the kernel out of lockdown mode. + */ +static void lift_kernel_lockdown(void) +{ + pr_notice("Lifting lockdown\n"); + kernel_locked_down = false; +} + +/* + * Allow lockdown to be lifted by pressing something like SysRq+x (and not by + * echoing the appropriate letter into the sysrq-trigger file). + */ +static void sysrq_handle_lockdown_lift(int key) +{ + if (kernel_locked_down) + lift_kernel_lockdown(); +} + +static struct sysrq_key_op lockdown_lift_sysrq_op = { + .handler = sysrq_handle_lockdown_lift, + .help_msg = "unSB(x)", + .action_msg = "Disabling Secure Boot restrictions", + .enable_mask = SYSRQ_DISABLE_USERSPACE, +}; + +static int __init lockdown_lift_sysrq(void) +{ + if (kernel_locked_down) { + lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; + register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); + } + return 0; +} + +late_initcall(lockdown_lift_sysrq); + +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
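
Review bot: In drivers/tty/sysrq.c, the new SYSRQ_DISABLE_USERSPACE test in __handle_sysrq() only calls printk() and then falls through to the following `if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask))`, so nothing in the visible lines stops op_p->handler(key) from running for a SYSRQ_FROM_PROC or SYSRQ_FROM_SYNTHETIC caller whenever the mask test passes. Turn the following `if` into an `else if` so the ban is enforced by control flow rather than by what sysrq_on_mask() returns for 0x00010000. The condition would also read more safely with parentheses around `op_p->enable_mask & SYSRQ_DISABLE_USERSPACE`, and the printk() should carry a log level.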
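
Review bot: handle_sysrq() in drivers/tty/sysrq.c used to pass check_mask=true, which made __handle_sysrq() consult sysrq_on_mask(); it now passes SYSRQ_FROM_KERNEL, and the rewritten condition `from == SYSRQ_FROM_KERNEL || sysrq_on_mask(...)` short-circuits for that value, so the enable mask is no longer applied on this path. The reverse happens in write_sysrq_trigger(): it passed false (no mask check) and now passes SYSRQ_FROM_PROC, which is mask-checked, while the retained comment still says /proc/sysrq-trigger should not be. If both changes are intended they belong in the commit message; otherwise keep the "check the mask" decision separate from the origin value.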
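
Review bot: In kdb_sr() (kernel/debug/kdb/kdb_main.c) the mapping `check_mask ? SYSRQ_FROM_KERNEL : 0` inverts the old meaning: check_mask true used to request the mask test, but SYSRQ_FROM_KERNEL is the one value that skips it, while 0 is mask-checked. Swap the two arms or pass the mask decision separately, and give the 0 case a named constant, since sysrq_handle_keypress() uses the same bare 0 for non-synthetic keyboards.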
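
Review bot: With CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ set, the first security/lock_down.c hunk changes kernel_locked_down from __ro_after_init to __read_mostly, so the flag that gates every lockdown check stays writable for the whole uptime. The Kconfig help text only mentions the key combination; it should state this trade-off so that whoever enables the option knows the flag loses its post-init write protection.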
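
Review bot: In security/lock_down.c, lockdown_lift_sysrq() writes `lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY`, but .help_msg is initialised from the string literal "unSB(x)", and modifying a string literal is undefined behaviour in C. Use a writable char array for the help text, or build the string at compile time from LOCKDOWN_LIFT_KEY. The texts "unSB(x)" and "Disabling Secure Boot restrictions", and the sysrq_key_table comment about disabling secure boot, also no longer describe the handler, which clears kernel_locked_down; the cover letter says the Secure Boot integration was removed.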
From patchwork Wed Mar 6 23:58:49 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842067
Date: Wed, 6 Mar 2019 15:58:49 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-4-matthewgarrett@google.com>
Subject: [PATCH 03/27] Enforce module signatures if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

If the kernel is locked down, require that all modules have valid
signatures that we can verify.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
     ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If there's no signature or we can't check it, but the kernel is
         locked down then EPERM is returned (this is then consistent with
         other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
     return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not
be valid or might not have been transferred to the kernel's clock yet.

[Modified by Matthew Garrett to remove the IMA integration. This will
be replaced with integration with the IMA architecture policy
patchset.]

Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
cc: "Lee, Chun-Yi"
cc: James Morris
Signed-off-by: Matthew Garrett --- kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..9a377c6ea200 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* 
@@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (kernel_is_locked_down(reason)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags)
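
Review bot: In module_sig_check() (kernel/module.c), the enforced path now returns -EKEYREJECTED for -ENODATA, -ENOPKG and -ENOKEY alike, where the removed code returned err unchanged, so a caller can no longer tell an unsigned module from a missing key by errno and has to rely on the pr_notice() text. Please record this userspace-visible errno change in the documentation, or return the original code when enforcing. The `decide:` label inside the switch, reached by goto from two case labels, would also be easier to follow as a small helper that takes `reason`.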
From patchwork Wed Mar 6 23:58:50 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842065
Date: Wed, 6 Mar 2019 15:58:50 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-5-matthewgarrett@google.com>
Subject: [PATCH 04/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
Signed-off-by: Matthew Garrett
---
 drivers/char/mem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..0a2f2e75d5f4 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; }
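
Review bot: In open_port() (drivers/char/mem.c) the lockdown test runs before capable(CAP_SYS_RAWIO), so a caller without the capability, who would get -EPERM anyway, still reaches kernel_is_locked_down() and whatever restriction message it emits (the series ends with "Print current->comm in restriction messages"). Checking the capability first keeps unprivileged opens out of the lockdown log. A one-line comment saying that open_port() backs all three devices named in the string would also help, since the hunk itself does not show that.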
Date: Wed, 6 Mar 2019 15:58:51 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-6-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 05/27] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect the kexec_file_load() syscall which can check for a signature on the image to be booted.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Dave Young
Reviewed-by: "Lee, Chun-Yi"
Reviewed-by: James Morris
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett
--- kernel/kexec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..8ea0ce31271f 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c
@@ -207,6 +207,13 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images")) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions.
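Review bot: The added comment in kexec_load_check() says "prevent loading in that case" without naming the case; it should say "when the kernel is locked down". The reason string "kexec of unsigned images" is also imprecise for this syscall: the commit message states that kexec_load() loads arbitrary code and that only kexec_file_load() can check a signature, so nothing passing through this function is ever signed, and a string naming kexec_load() itself would describe the refusal more accurately and would not be confused with the "kexec of unsigned image" reason used on the kexec_file_load() path later in the series.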
Date: Wed, 6 Mar 2019 15:58:52 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-7-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Dave Young

Kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot. Add a patch to fix this by retaining the secure_boot flag of the original kernel. The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fix this issue by copying the secure_boot flag across kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett
--- arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 278cd07228dd..d49554b948fd 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;
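Review bot: The copy params->secure_boot = boot_params.secure_boot in setup_efi_state() is placed after `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;`, so when EFI_OLD_MEMMAP is enabled the function returns before the flag is copied and the new kernel's boot_params do not carry it, which is the state the commit message sets out to prevent. Doing the assignment ahead of any early return, or in the caller outside the EFI-only setup, would make the flag survive on every path; if skipping it for EFI_OLD_MEMMAP is intentional, say so in a comment next to the early return.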
Date: Wed, 6 Mar 2019 15:58:53 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-8-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 07/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:

 (1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors.

 (2) kexec fails with EKEYREJECTED and logs an appropriate message if signature checking is enforced and a signature is not found, uses unsupported crypto or has no matching key.

 (3) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but signature doesn't match - even if in non-forcing mode.

 (4) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode.

 (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode.

]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
cc: Matthew Garrett
cc: Chun-Yi Lee
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett --- arch/x86/Kconfig | 20 ++++++++--- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 48 ++++++++++++++++++++++---- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 4b4a7f32b68e..735d04a4b18f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2016,20 +2016,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c 
@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, @@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..67f3a866eabe 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
@@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + ret = -EKEYREJECTED; + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
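Review bot: In the arch/x86/Kconfig hunk, renaming KEXEC_VERIFY_SIG to KEXEC_SIG changes what an existing configuration means: the old symbol's help text says verification is mandatory, while the new KEXEC_SIG admits images without a valid signature and the enforcing behaviour moves to KEXEC_SIG_FORCE, a new bool with no default line. A config that carried KEXEC_VERIFY_SIG=y therefore stops enforcing unless KEXEC_SIG_FORCE is selected by hand; the commit message should call this out, or the new symbol should get a default that preserves the old behaviour. In kimage_file_prepare_segments(), the comment "non-fatal if we're not checking errors" should read "not enforcing signatures", and the added comment "It is possible that there no initramfs is being loaded" has a stray word. The change of pefile_parse_binary()'s unsigned-binary return from -EKEYREJECTED to -ENODATA is visible to every caller of verify_pefile_signature(), so the description should state that the other callers were checked.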
Date: Wed, 6 Mar 2019 15:58:54 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-9-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Jiri Bohac

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
Cc: Matthew Garrett
cc: Chun-Yi Lee
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett
--- kernel/kexec_file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 67f3a866eabe..0cfe4f6f7f85 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c
@@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + + if (kernel_is_locked_down(reason)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable
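Review bot: The lockdown test is added after `ret = 0;` on the decide: path, so the same image is refused with -EKEYREJECTED when CONFIG_KEXEC_SIG_FORCE is set and with -EPERM when only lockdown is active; the commit message explains the -EPERM choice, but a comment at the check should say the difference is deliberate, since callers will see two errors for one condition. The commit message describes only the case where KEXEC_SIG is not enabled, yet this branch is also reached with KEXEC_SIG enabled for an image whose verification returns -ENODATA, -ENOPKG or -ENOKEY, so the description should cover that too. Setting ret to 0 and then overwriting it reads more clearly if the lockdown test comes first and `ret = 0;` follows it.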
Date: Wed, 6 Mar 2019 15:58:55 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-10-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 09/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-pm@vger.kernel.org
Signed-off-by: Matthew Garrett
--- kernel/power/hibernate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..802795becb88 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } /**
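Review bot: hibernation_available() is a predicate, and after this change it calls kernel_is_locked_down("Hibernation") whenever nohibernate is 0, so any reporting tied to that reason string would happen on every availability query rather than only on an actual hibernate attempt; consider a quiet lockdown test here and reporting at the point where hibernation is requested. The commit message says the restriction holds only until signed hibernate images can be verified, and that rationale belongs in a comment above the return so the check gets revisited. The reason string is capitalised here while the other patches in the series use lower-case descriptions or device paths.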
Date: Wed, 6 Mar 2019 15:58:56 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-11-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 10/27] uswsusp: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
From: Matthew Garrett

uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
Reviewed-by: James Morris
cc: linux-pm@vger.kernel.org
Signed-off-by: Matthew Garrett
--- kernel/power/user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c index 2d8b60a3c86b..0305d513c274 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down("/dev/snapshot")) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { From patchwork Wed Mar 6 23:58:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842013 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7821A14DE for ; Wed, 6 Mar 2019 23:59:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 64A392E746 for ; Wed, 6 Mar 2019 23:59:59 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 58A5B2E7D1; Wed, 6 Mar 2019 23:59:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E16F82E746 for ; Wed, 6 Mar 2019 23:59:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726445AbfCFX75 (ORCPT ); Wed, 6 Mar 2019 18:59:57 -0500 Received: from mail-vk1-f201.google.com ([209.85.221.201]:49133 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726487AbfCFX7z (ORCPT ); Wed, 6 Mar 2019 18:59:55 -0500 Received: by mail-vk1-f201.google.com with SMTP id j1so7389546vkj.15 for ; Wed, 06 Mar 2019 15:59:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
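Review bot: In snapshot_open() (kernel/power/user.c) the new check refuses every open of the device, read-only opens included, while the commit message describes the risk as dumping and then restoring kernel state. If refusing image creation as well as restore is intended, say so in the commit message or in a comment above the check. The reason string "/dev/snapshot" is also a device path, whereas the other patches in this series pass a description of the operation ("Direct PCI access", "ACPI custom methods"); a descriptive string would keep the messages consistent.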
Date: Wed, 6 Mar 2019 15:58:57 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-12-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 11/27] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Bjorn Helgaas Reviewed-by: "Lee, Chun-Yi" cc: linux-pci@vger.kernel.org Signed-off-by: Matthew Garrett --- drivers/pci/pci-sysfs.c | 9 +++++++++ drivers/pci/proc.c | 9 ++++++++- drivers/pci/syscall.c | 3 ++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9ecfe13157c0..40c14574fcf8 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; @@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } 
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..1549cdd0710e 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..b8a08d3166a1 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c 
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); From patchwork Wed Mar 6 23:58:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842015 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 44DB9139A for ; Thu, 7 Mar 2019 00:00:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2ECBF2E77F for ; Thu, 7 Mar 2019 00:00:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2059B2E841; Thu, 7 Mar 2019 00:00:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 100DF2E77F for ; Thu, 7 Mar 2019 00:00:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726528AbfCFX76 (ORCPT ); Wed, 6 Mar 2019 18:59:58 -0500 Received: from mail-pg1-f202.google.com ([209.85.215.202]:49739 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726512AbfCFX76 (ORCPT ); Wed, 6 Mar 2019 18:59:58 -0500 Received: by mail-pg1-f202.google.com with SMTP id e5so14121197pgc.16 for ; Wed, 06 Mar 2019 15:59:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
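Review bot: In proc_bus_pci_ioctl() (drivers/pci/proc.c) the lockdown check sits ahead of the switch, so it also refuses PCIIOC_CONTROLLER, which in the visible context only returns pci_domain_nr(dev->bus) and touches no device state. Consider moving the check into the cases that lead to device access, or note in the commit message that the whole ioctl is refused on purpose.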
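Review bot: The literal "Direct PCI access" is repeated at seven call sites across pci-sysfs.c, proc.c and syscall.c, and the check is written two ways: as a standalone test at the top of pci_write_config(), pci_mmap_resource() and pci_write_resource_io(), and ORed after capable() in proc_bus_pci_mmap() and pciconfig_write(). A small helper or a #define for the reason string, used the same way at every site, would stop the copies drifting apart.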
Date: Wed, 6 Mar 2019 15:58:58 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 12/27] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Thomas Gleixner Reviewed-by: "Lee, Chun-Yi" cc: x86@kernel.org Signed-off-by: Matthew Garrett --- arch/x86/kernel/ioport.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..abc702a6ae9c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; /* 
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl")) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | From patchwork Wed Mar 6 23:58:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842017 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A869D1669 for ; Thu, 7 Mar 2019 00:00:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 93F4B2E77F for ; Thu, 7 Mar 2019 00:00:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 880AA2E841; Thu, 7 Mar 2019 00:00:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7C25C2E7D1 for ; Thu, 7 Mar 2019 00:00:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726508AbfCGAAB (ORCPT ); Wed, 6 Mar 2019 19:00:01 -0500 Received: from mail-qk1-f201.google.com ([209.85.222.201]:54588 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726488AbfCGAAA (ORCPT ); Wed, 6 Mar 2019 19:00:00 -0500 Received: by mail-qk1-f201.google.com with SMTP id i66so11512756qke.21 for ; Wed, 06 Mar 2019 16:00:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
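Review bot: In ksys_ioperm() (arch/x86/kernel/ioport.c) the lockdown test is gated on turn_on, so requests that clear port permissions still succeed on a locked-down kernel. That is reasonable, but the commit message says the change locks down KDADDIO, KDDELIO, KDENABIO and KDDISABIO; if the delete and disable ioctls reach this function with turn_on == 0 they are not affected, and the message should list only the ones that are. The reason strings "ioperm" and "iopl" also name the syscalls rather than describe the operation, unlike "Direct PCI access" elsewhere in the series.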
Date: Wed, 6 Mar 2019 15:58:59 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-14-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 13/27] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. MSR accesses are logged for the purposes of building up a whitelist as per Alan Cox's suggestion. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner Reviewed-by: "Lee, Chun-Yi" cc: x86@kernel.org Signed-off-by: Matthew Garrett --- arch/x86/kernel/msr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..f5a2cf07972f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", reg); + return -EPERM; + } + if (count % 8) return -EINVAL; /* Invalid chunk size */ 
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; From patchwork Wed Mar 6 23:59:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842051 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 05850139A for ; Thu, 7 Mar 2019 00:01:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E748C2E9F5 for ; Thu, 7 Mar 2019 00:01:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DAB6F2EA0E; Thu, 7 Mar 2019 00:01:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 845522E9F5 for ; Thu, 7 Mar 2019 00:01:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726558AbfCGAAF (ORCPT ); Wed, 6 Mar 2019 19:00:05 -0500 Received: from mail-qk1-f202.google.com ([209.85.222.202]:35192 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726537AbfCGAAD (ORCPT ); Wed, 6 Mar 2019 19:00:03 -0500 Received: by mail-qk1-f202.google.com with SMTP id 207so11648754qkl.2 for ; Wed, 06 Mar 2019 16:00:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
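Review bot: In msr_write() (arch/x86/kernel/msr.c) the added pr_info() runs on every refused write and is not rate limited, so any process that can open the msr device can fill the kernel log by looping on write(). Use pr_info_ratelimited(), or log once per register, and print the register as "0x%x" so the value is unambiguous in the log.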
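Review bot: In msr_ioctl() the message is the same "Direct access to MSR %x" text as in msr_write() and does not say that the access was refused or which task asked for it. Since the commit message gives whitelist building as the reason for logging, include current->comm and the pid, and make the ioctl path distinguishable from the write path.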
Date: Wed, 6 Mar 2019 15:59:00 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-15-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: "Lee, Chun-Yi" cc: linux-acpi@vger.kernel.org Signed-off-by: Matthew Garrett --- drivers/acpi/custom_method.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 4451877f83b6..ac8a90dc7096 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c 
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (kernel_is_locked_down("ACPI custom methods")) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) From patchwork Wed Mar 6 23:59:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842055 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B33B7139A for ; Thu, 7 Mar 2019 00:01:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9EBB22E9F5 for ; Thu, 7 Mar 2019 00:01:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9281C2EA0E; Thu, 7 Mar 2019 00:01:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 432FF2E9F5 for ; Thu, 7 Mar 2019 00:01:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726104AbfCGABO (ORCPT ); Wed, 6 Mar 2019 19:01:14 -0500 Received: from mail-pg1-f201.google.com ([209.85.215.201]:43339 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726532AbfCGAAF (ORCPT ); Wed, 6 Mar 2019 19:00:05 -0500 Received: by mail-pg1-f201.google.com with SMTP id t6so14129214pgp.10 for ; Wed, 06 Mar 2019 16:00:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; 
Date: Wed, 6 Mar 2019 15:59:01 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-16-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Josh Boyer This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Reviewed-by: "Lee, Chun-Yi" cc: Dave Young cc: linux-acpi@vger.kernel.org Signed-off-by: Matthew Garrett --- drivers/acpi/osl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..3e44cef7a0cd 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c 
@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer(); From patchwork Wed Mar 6 23:59:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842049 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AFE03139A for ; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9F7422E9F5 for ; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 93BAE2EA0E; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4262E2E9F5 for ; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726586AbfCGAAJ (ORCPT ); Wed, 6 Mar 2019 19:00:09 -0500 Received: from mail-oi1-f201.google.com ([209.85.167.201]:51235 "EHLO mail-oi1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726582AbfCGAAI (ORCPT ); Wed, 6 Mar 2019 19:00:08 -0500 Received: by mail-oi1-f201.google.com with SMTP id n205so2051695oif.18 for ; Wed, 06 Mar 2019 16:00:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
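Review bot: acpi_os_get_root_pointer() (drivers/acpi/osl.c) is __init code, so the new test in the CONFIG_KEXEC block only has an effect if the lockdown state is already final when the ACPI root pointer is looked up; if lockdown can be switched on later in boot, acpi_rsdp is still honoured. Please state in the commit message at what point lockdown is guaranteed to be set relative to this call. When the parameter is rejected the function also falls through to acpi_arch_get_root_pointer() with no message of its own, so a kexec'd kernel that depended on acpi_rsdp gets no hint why its value was ignored; a pr_notice() like the one added to acpi_table_upgrade() in patch 16 would help.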
Date: Wed, 6 Mar 2019 15:59:02 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-17-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Linn Crosetto From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When securelevel is set, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Reviewed-by: "Lee, Chun-Yi" cc: linux-acpi@vger.kernel.org Signed-off-by: Matthew Garrett --- drivers/acpi/tables.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..f3b4117cd8f3 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c 
@@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); From patchwork Wed Mar 6 23:59:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842047 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 253391515 for ; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 11A112E9F5 for ; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 062AA2EA0E; Thu, 7 Mar 2019 00:01:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C49362E9FC for ; Thu, 7 Mar 2019 00:01:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726585AbfCGAAM (ORCPT ); Wed, 6 Mar 2019 19:00:12 -0500 Received: from mail-ua1-f74.google.com ([209.85.222.74]:48569 "EHLO mail-ua1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726604AbfCGAAL (ORCPT ); Wed, 6 Mar 2019 19:00:11 -0500 Received: by mail-ua1-f74.google.com with SMTP id y19so1990856uap.15 for ; Wed, 06 Mar 2019 16:00:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
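Review bot: In acpi_table_upgrade() (drivers/acpi/tables.c) the code tests kernel_is_locked_down(), but the commit message still says "When securelevel is set"; update the wording to match the lockdown terminology used by the rest of the series. The pr_notice() text would also be more useful to an administrator if it included table_nr, the number of override tables being ignored.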
Date: Wed, 6 Mar 2019 15:59:03 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-18-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Linn Crosetto ACPI provides an error injection mechanism, EINJ, for debugging and testing the ACPI Platform Error Interface (APEI) and other RAS features. If supported by the firmware, ACPI specification 5.0 and later provide for a way to specify a physical memory address to which to inject the error. Injecting errors through EINJ can produce errors which to the platform are indistinguishable from real hardware errors. This can have undesirable side-effects, such as causing the platform to mark hardware as needing replacement. While it does not provide a method to load unauthenticated privileged code, the effect of these errors may persist across reboots and affect trust in the underlying hardware, so disable error injection through EINJ if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Reviewed-by: "Lee, Chun-Yi" cc: linux-acpi@vger.kernel.org Signed-off-by: Matthew Garrett --- drivers/acpi/apei/einj.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c index fcccbfdbdd1a..9fe6bbab2e7d 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c 
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, int rc; u64 base_addr, size; + if (kernel_is_locked_down("ACPI error injection")) + return -EPERM; + /* If user manually set "flags", make sure it is legal */ if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) From patchwork Wed Mar 6 23:59:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842045 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8B77E139A for ; Thu, 7 Mar 2019 00:01:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 76DD12E9F5 for ; Thu, 7 Mar 2019 00:01:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 696FB2EF72; Thu, 7 Mar 2019 00:01:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 690002E9F5 for ; Thu, 7 Mar 2019 00:01:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726101AbfCGABJ (ORCPT ); Wed, 6 Mar 2019 19:01:09 -0500 Received: from mail-qt1-f202.google.com ([209.85.160.202]:49322 "EHLO mail-qt1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726610AbfCGAAN (ORCPT ); Wed, 6 Mar 2019 19:00:13 -0500 Received: by mail-qt1-f202.google.com with SMTP id q11so13383324qtj.16 for ; Wed, 06 Mar 2019 16:00:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; 
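Review bot: The check at the top of einj_error_inject() carries no comment, and the reason for it is not the usual one in this series: the commit message says EINJ does not load unauthenticated code but that injected errors can persist across reboots and affect trust in the hardware. A one-line comment above the test stating that rationale would keep it next to the code. The test also refuses the request only at injection time, so whatever supplies type, flags, param1 and param2 still accepts input under lockdown and fails late with -EPERM; say in the message whether that is intended.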
Date: Wed, 6 Mar 2019 15:59:04 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-19-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 18/27] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells cc: linux-pcmcia@lists.infradead.org Signed-off-by: Matthew Garrett --- drivers/pcmcia/cistpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..8adf092d0e18 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c 
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + if (kernel_is_locked_down("Direct PCMCIA CIS storage")) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) From patchwork Wed Mar 6 23:59:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842043 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C8E5139A for ; Thu, 7 Mar 2019 00:01:06 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 888C12E9F5 for ; Thu, 7 Mar 2019 00:01:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7A9B82EA0E; Thu, 7 Mar 2019 00:01:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1A6902E9F5 for ; Thu, 7 Mar 2019 00:01:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726612AbfCGAAR (ORCPT ); Wed, 6 Mar 2019 19:00:17 -0500 Received: from mail-vk1-f201.google.com ([209.85.221.201]:37678 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726635AbfCGAAR (ORCPT ); Wed, 6 Mar 2019 19:00:17 -0500 Received: by mail-vk1-f201.google.com with SMTP id q65so7401905vkd.4 for ; Wed, 06 Mar 2019 16:00:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
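Review bot: The commit message for the pccard_store_cis() check only restates the subject and gives no reason why replacing the Card Information Structure has to be refused under lockdown, whereas the neighbouring patches each state the risk they close. Add a sentence of rationale to the message, and consider a short comment above the test, since a bare -EPERM at the top of a sysfs store handler is otherwise unexplained to the next reader of cistpl.c.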
Date: Wed, 6 Mar 2019 15:59:05 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-20-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 19/27] Lock down TIOCSSERIAL
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells cc: Jiri Slaby Signed-off-by: Matthew Garrett --- drivers/tty/serial/serial_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index d4cca5bdaf1c..04534877b575 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c 
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { + retval = -EPERM; + goto exit; + } + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || From patchwork Wed Mar 6 23:59:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842023 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E69041669 for ; Thu, 7 Mar 2019 00:00:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D3DE22E77F for ; Thu, 7 Mar 2019 00:00:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C79812E841; Thu, 7 Mar 2019 00:00:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3CD162EA3A for ; Thu, 7 Mar 2019 00:00:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726661AbfCGAAU (ORCPT ); Wed, 6 Mar 2019 19:00:20 -0500 Received: from mail-pf1-f201.google.com ([209.85.210.201]:38876 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726656AbfCGAAT (ORCPT ); Wed, 6 Mar 2019 19:00:19 -0500 Received: by mail-pf1-f201.google.com with SMTP id 
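Review bot: In uart_set_info() the reason string names "device addresses, irqs and dma channels" but the condition only tests change_port and change_irq, so either the string overstates what is blocked or a DMA-related change is missing from the test; make the two agree. The new block also sits ahead of the existing capable(CAP_SYS_ADMIN) test, whose branch already looks at change_irq and change_port, so moving the lockdown test after that block would limit it to callers who hold the capability. The string literal makes the line very long; splitting the condition or shortening the text would help.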
Date: Wed, 6 Mar 2019 15:59:06 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-21-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 20/27] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..8ac751c938f8 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } 
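Review bot: The new doing argument of param_check_unsafe() is never read in the body shown here, although parse_one() now passes it in; either use it (for example to say which module or command line the rejected parameter came from) or drop it. In the same function the KERNEL_PARAM_FL_UNSAFE branch runs before the lockdown test, so a parameter carrying both flags taints the kernel with add_taint() and is then refused; testing KERNEL_PARAM_FL_HWPARAM first avoids tainting for a set that never happens. The function now returns whether the set may proceed, which the name param_check_unsafe no longer describes, and the commit message speaks of providing an annotation while the diffstat touches only kernel/params.c, where the flag is consumed rather than defined.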
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, 
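Review bot: The mod_name() macro expands to (mod)->name without outer parentheses; write it as ((mod)->name) so it is safe inside a larger expression. It is introduced only to supply the doing argument of param_check_unsafe(), which the body in this patch does not use, so if that argument is dropped the macro and its CONFIG_MODULES conditional can go as well.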
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; From patchwork Wed Mar 6 23:59:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842041 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D0813139A for ; Thu, 7 Mar 2019 00:01:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BCD302E9F5 for ; Thu, 7 Mar 2019 00:01:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B12192EA0E; Thu, 7 Mar 2019 00:01:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3A5B92E9F5 for ; Thu, 7 Mar 2019 00:01:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726655AbfCGAAX (ORCPT ); Wed, 6 Mar 2019 19:00:23 -0500 Received: from mail-pf1-f201.google.com ([209.85.210.201]:50477 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726672AbfCGAAW (ORCPT ); Wed, 6 Mar 2019 19:00:22 -0500 Received: by mail-pf1-f201.google.com with SMTP id q21so15418942pfi.17 
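Review bot: param_attr_store() is the sysfs write path (the comment just above it says sysfs hands in the buffer), yet the reason string it ends up reporting through param_check_unsafe() is "Command line-specified device addresses, irqs and dma channels", which is wrong for a runtime write. Pass the context into the string, or use separate reason strings for the command-line and sysfs callers. The -EPERM assigned here is also indistinguishable to the caller from the earlier return -EPERM in the same function; if that matters for diagnosis, note it in the commit message.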
Date: Wed, 6 Mar 2019 15:59:07 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-22-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 21/27] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. Suggested-by: Thomas Gleixner Signed-off-by: David Howells cc: Steven Rostedt cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org Signed-off-by: Matthew Garrett --- arch/x86/mm/testmmiotrace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index f6ae6830b341..bbaad357f5d7 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c 
@@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing")) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); From patchwork Wed Mar 6 23:59:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842039 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 732E41515 for ; Thu, 7 Mar 2019 00:01:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 60B102E9F5 for ; Thu, 7 Mar 2019 00:01:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 54CA12EA0E; Thu, 7 Mar 2019 00:01:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0E10C2E9F5 for ; Thu, 7 Mar 2019 00:01:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726686AbfCGAAZ (ORCPT ); Wed, 6 Mar 2019 19:00:25 -0500 Received: from mail-qk1-f201.google.com ([209.85.222.201]:43176 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726677AbfCGAAZ (ORCPT ); Wed, 6 Mar 2019 19:00:25 -0500 Received: by mail-qk1-f201.google.com with SMTP id a11so11537132qkk.10 for ; Wed, 06 Mar 2019 16:00:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; 
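Review bot: The test in init() of testmmiotrace.c guards a module whose only input is the mmio_address module argument, which is the kind of hardware address that patch 20/27 of this series gates through KERNEL_PARAM_FL_HWPARAM. The commit message should say whether mmio_address is also meant to carry that annotation or whether this init-time test is the only guard, so the two mechanisms are not left to overlap by accident.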
Date: Wed, 6 Mar 2019 15:59:08 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 22/27] Lock down /proc/kcore
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. Signed-off-by: David Howells Reviewed-by: James Morris Signed-off-by: Matthew Garrett --- fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index bbcc185062bb..d50ebfbf3dbb 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c 
@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore")) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; From patchwork Wed Mar 6 23:59:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10842037 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 86FD31515 for ; Thu, 7 Mar 2019 00:00:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 73CB32E9F5 for ; Thu, 7 Mar 2019 00:00:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 67DAC2EA0E; Thu, 7 Mar 2019 00:00:57 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1FB062E9F5 for ; Thu, 7 Mar 2019 00:00:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726706AbfCGAAa (ORCPT ); Wed, 6 Mar 2019 19:00:30 -0500 Received: from mail-pg1-f202.google.com ([209.85.215.202]:45599 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726679AbfCGAA3 (ORCPT ); Wed, 6 Mar 2019 19:00:29 -0500 Received: by mail-pg1-f202.google.com with SMTP id 17so14122341pgw.12 for ; Wed, 06 Mar 2019 16:00:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
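Review bot: In open_kcore() the new test is placed ahead of capable(CAP_SYS_RAWIO), so callers without the capability reach kernel_is_locked_down() before they are turned away; putting it after the capability test keeps the lockdown path to callers who would otherwise have been allowed to open the file. The enforcement is at open only, with nothing added to read_kcore(), which is worth a sentence in the commit message. The two if statements are added without the blank line that the other hunks in this series leave after the lockdown test.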
Date: Wed, 6 Mar 2019 15:59:09 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-24-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 23/27] Lock down kprobes
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: David Howells Disallow the creation of kprobes when the kernel is locked down by preventing their registration. This prevents kprobes from being used to access kernel memory, either to make modifications or to steal crypto data. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- kernel/kprobes.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index f4ddfdd2d07e..6f66cca8e2c6 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c 
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr))

From patchwork Wed Mar 6 23:59:10 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842035
Date: Wed, 6 Mar 2019 15:59:10 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-25-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

There are some bpf functions that can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Signed-off-by: Matthew Garrett
--- kernel/bpf/syscall.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b155cd17c1bd..2cde39a875aa 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err;

From patchwork Wed Mar 6 23:59:11 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842029
Date: Wed, 6 Mar 2019 15:59:11 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-26-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 25/27] Lock down perf
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Disallow the use of certain perf facilities that might allow userspace to access kernel data.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
--- kernel/events/core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index 3cd13a30f732..7748c6f39992 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c
@@ -10461,6 +10461,11 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) + /* REGS_INTR can leak data, lockdown must prevent this */ + return -EPERM; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))

From patchwork Wed Mar 6 23:59:12 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842033
Date: Wed, 6 Mar 2019 15:59:12 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-27-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made:

 (1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that).

 (2) When the kernel is locked down, only files with the following criteria are permitted to be opened:

     - The file must have mode 00444
     - The file must not have ioctl methods
     - The file must not have mmap

 (3) When the kernel is locked down, files may only be opened for reading.

Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver.

I would actually prefer to lock down all files by default and have the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables).

Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
Signed-off-by: Matthew Garrett
--- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..c33042c1eff3 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return kernel_is_locked_down("debugfs"); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 13b01351dd1c..4daec17b8215 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c 
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && + kernel_is_locked_down("debugfs")) + return -EPERM; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry);

From patchwork Wed Mar 6 23:59:13 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842031
Date: Wed, 6 Mar 2019 15:59:13 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-28-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 27/27] lockdown: Print current->comm in restriction messages
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message.

The message is now patterned something like:

    Lockdown: : is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
--- security/lock_down.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/lock_down.c b/security/lock_down.c index cfbc2c39712b..5243b55b3c1f 100644 --- a/security/lock_down.c +++ b/security/lock_down.c @@ -58,8 +58,8 @@ void __init init_lockdown(void) bool __kernel_is_locked_down(const char *what, bool first) { if (what && first && kernel_locked_down) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - what); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, what); return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down);
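
Review bot: In [PATCH 23/27], the check added at the top of register_kprobe() in kernel/kprobes.c is undocumented and applies to every caller of this in-kernel API, not only to requests that originate from userspace. Add a short comment above the check saying that in-kernel users are refused as well once the kernel is locked down, and say the same in the commit message, so that a driver or tracing user that starts getting -EPERM can find the reason. The check also runs before kprobe_addr(), so the lockdown notice is logged even for a probe that would have failed validation anyway; that ordering is fine but worth stating.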
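
Review bot: In [PATCH 24/27], the check added to SYSCALL_DEFINE3(bpf, ...) in kernel/bpf/syscall.c sits ahead of any use of cmd, so it rejects every bpf() command under lockdown, while the subject line and the first paragraph of the commit message are about three helpers (bpf_probe_read, bpf_probe_write_user and bpf_trace_printk). Either retitle the patch to match "Completely prohibit the use of BPF", or narrow the check to the paths that expose those helpers. Because the new test follows the sysctl_unprivileged_bpf_disabled test, it also applies to callers holding CAP_SYS_ADMIN; a one-line comment saying that this is intended would help.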
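
Review bot: In [PATCH 25/27], the hunk in perf_event_open() (kernel/events/core.c) places the comment between the unbraced if condition and its return -EPERM, which makes the body look like two statements. Move the comment above the if, or add braces. The commit message says "certain perf facilities" but the hunk gates only PERF_SAMPLE_REGS_INTR; name that flag in the message so readers know what is covered and what is not, given that the PERF_SAMPLE_PHYS_ADDR test in the following context is left on its capability check alone.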
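
Review bot: In [PATCH 26/27], the comment above debugfs_is_locked_down() in fs/debugfs/file.c says "world-readable files", but the test is (inode->i_mode & 07777) == 0444, so a file with any other mode, 0644 or 0400 included, is refused under lockdown even when it is opened read-only. Reword the comment to state the exact-mode rule. The helper also logs only the fixed string "debugfs" through kernel_is_locked_down(), so the notice does not say which of the many debugfs files was refused; consider including the dentry name.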
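
Review bot: In [PATCH 26/27], the hunks in open_proxy_open() and full_proxy_open() (fs/debugfs/file.c) jump to out before real_fops = fops_get(real_fops) has run, and the out label is outside the visible context. Please confirm that the cleanup at out does not release a fops reference that was never taken on this path. The two hunks also differ in whether a blank line precedes r = -EPERM; make them consistent.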
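
Review bot: In [PATCH 26/27], debugfs_setattr() in fs/debugfs/inode.c refuses ATTR_MODE | ATTR_UID | ATTR_GID only when kernel_is_locked_down() returns true, whereas item (1) of the commit message reads as an unconditional ban on chmod and chown. A mode changed to 0444 before lockdown takes effect is kept and is then trusted by the open-time heuristic. State in the comment when lockdown can be enabled relative to such changes, or make the restriction unconditional as the commit message describes. Style: add a blank line between the three inode_operations definitions.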
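
Review bot: In [PATCH 27/27], __kernel_is_locked_down() in security/lock_down.c now prints current->comm, which a task can set for itself, so the name should not be the only attribution in the notice. Print the pid next to it, for example with task_pid_nr(current). The pr_notice() is still emitted only when first is true, so not every task that hits a restriction is named; mention that in the commit message so the log is not read as a complete record. Callers such as register_kprobe() can also be reached from kernel context, where current->comm may not identify the real requester.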