From patchwork Mon Mar 25 22:09:27 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870173
Date: Mon, 25 Mar 2019 15:09:27 -0700
Message-Id: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PULL REQUEST] Lockdown patches for 5.2
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

The following changes since commit 468e91cecb3218afd684b8c422490dfebe0691bb:

  keys: fix missing __user in KEYCTL_PKEY_QUERY (2019-03-04 15:48:37 -0800)

are available in the Git repository at:

  https://github.com/mjg59/linux lock_down

for you to fetch changes up to 1c57935ab108280aa79fe4420d4bc13e19bd38e2:

  kexec: Allow kexec_file() with appropriate IMA policy when locked down (2019-03-25 15:00:35 -0700)

This version replaces the original IMA integration with a new approach tied to IMA architecture policy. It also drops the sysrq patch for now, since that primarily makes sense in the context of lockdown policy being automatically enabled based on boot state.

----------------------------------------------------------------
Dave Young (1):
      Copy secure_boot flag in boot params across kexec reboot

David Howells (12):
      Add the ability to lock down access to the running kernel image
      Enforce module signatures if the kernel is locked down
      Prohibit PCMCIA CIS storage when the kernel is locked down
      Lock down TIOCSSERIAL
      Lock down module params that specify hardware parameters (eg. ioport)
      x86/mmiotrace: Lock down the testmmiotrace module
      Lock down /proc/kcore
      Lock down kprobes
      bpf: Restrict kernel image access functions when the kernel is locked down
      Lock down perf
      debugfs: Restrict debugfs when the kernel is locked down
      lockdown: Print current->comm in restriction messages

Jiri Bohac (2):
      kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
      kexec_file: Restrict at runtime if the kernel is locked down

Josh Boyer (2):
      hibernate: Disable when the kernel is locked down
      acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

Linn Crosetto (2):
      acpi: Disable ACPI table override if the kernel is locked down
      acpi: Disable APEI error injection if the kernel is locked down

Matthew Garrett (8):
      Restrict /dev/{mem,kmem,port} when the kernel is locked down
      kexec_load: Disable at runtime if the kernel is locked down
      uswsusp: Disable when the kernel is locked down
      PCI: Lock down BAR access when the kernel is locked down
      x86: Lock down IO port access when the kernel is locked down
      x86/msr: Restrict MSR access when the kernel is locked down
      ACPI: Limit access to custom_method when the kernel is locked down
      kexec: Allow kexec_file() with appropriate IMA policy when locked down

 arch/x86/Kconfig                       | 20 +++++++++---
 arch/x86/kernel/ioport.c               |  6 ++--
 arch/x86/kernel/kexec-bzimage64.c      |  1 +
 arch/x86/kernel/msr.c                  | 10 ++++++
 arch/x86/mm/testmmiotrace.c            |  3 ++
 crypto/asymmetric_keys/verify_pefile.c |  4 ++-
 drivers/acpi/apei/einj.c               |  3 ++
 drivers/acpi/custom_method.c           |  3 ++
 drivers/acpi/osl.c                     |  2 +-
 drivers/acpi/tables.c                  |  5 +++
 drivers/char/mem.c                     |  2 ++
 drivers/pci/pci-sysfs.c                |  9 +++++
 drivers/pci/proc.c                     |  9 ++++-
 drivers/pci/syscall.c                  |  3 +-
 drivers/pcmcia/cistpl.c                |  3 ++
 drivers/tty/serial/serial_core.c       |  6 ++++
 fs/debugfs/file.c                      | 28 ++++++++++++++++
 fs/debugfs/inode.c                     | 30 +++++++++++++++--
 fs/proc/kcore.c                        |  2 ++
 include/linux/ima.h                    |  9 +++++
 include/linux/kernel.h                 | 17 ++++++++++
 include/linux/kexec.h                  |  4 +--
 include/linux/security.h               |  9 ++++-
 kernel/bpf/syscall.c                   |  3 ++
 kernel/events/core.c                   |  5 +++
 kernel/kexec.c                         |  7 ++++
 kernel/kexec_file.c                    | 59 +++++++++++++++++++++++++++++----
 kernel/kprobes.c                       |  3 ++
 kernel/module.c                        | 39 ++++++++++++++++++----
 kernel/params.c                        | 26 ++++++++++++---
 kernel/power/hibernate.c               |  2 +-
 kernel/power/user.c                    |  3 ++
 security/Kconfig                       | 15 +++++++++
 security/Makefile                      |  3 ++
 security/integrity/ima/ima.h           |  2 ++
 security/integrity/ima/ima_main.c      |  2 +-
 security/integrity/ima/ima_policy.c    | 50 ++++++++++++++++++++++++++++
 security/lock_down.c                   | 60 ++++++++++++++++++++++++++++++++++
 38 files changed, 430 insertions(+), 37 deletions(-)
 create mode 100644 security/lock_down.c

From patchwork Mon Mar 25 22:09:29 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870253
Date: Mon, 25 Mar 2019 15:09:29 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-3-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 02/27] Enforce module signatures if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Jiri Bohac, Matthew Garrett, Jessica Yu

From: David Howells

If the kernel is locked down, require that all modules have valid signatures that we can verify.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet.

This does not yet integrate with setups that pin module loading to dm-verity backed filesystems. If lockdown is enabled, loading unsigned modules from an integrity-assured filesystem will fail.

[Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.]

Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
Signed-off-by: Matthew Garrett
Cc: Jessica Yu
---
 kernel/module.c | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index 2ad1b5239910..9a377c6ea200 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* 
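Review bot: the new default `int err = -ENODATA;` is now load-bearing, since it is the value the switch further down this function interprets as "no signature present" whenever the MODULE_SIG_STRING marker is not found, whereas the old `-ENOKEY` default was indistinguishable from "key unavailable". The comment block that opens right after these declarations should say that the initial value means "no signature marker found"; otherwise a reader has to trace the switch to understand why the default moved from -ENOKEY to -ENODATA.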
@@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (kernel_is_locked_down(reason)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags)
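Review bot: the `case -ENOPKG:` arm relaxes behaviour for kernels that are neither enforcing signatures nor locked down. Before this change only -ENOKEY was downgraded (`if (err == -ENOKEY && !is_module_sig_enforced()) err = 0;`), so a module whose signature used unsupported crypto failed to load with -ENOPKG; after it, the `decide:` path returns 0 for that module with `info->sig_ok` left false. The commit message only describes the enforced and locked-down outcomes, so either state this relaxation there or leave -ENOPKG under `default:` so it stays fatal. Minor: the `decide:` label living inside the `-ENOKEY` arm and reached by `goto` from the two arms above it would read more plainly as three cases that each set `reason` and fall through into one shared block.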
From patchwork Mon Mar 25 22:09:30 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870245
Date: Mon, 25 Mar 2019 15:09:30 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-4-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 03/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett, Matthew Garrett, x86@kernel.org
From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: x86@kernel.org
---
 drivers/char/mem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index b08dc50f9f26..0a2f2e75d5f4 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; }
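Review bot: the test in open_port() is an open-time gate only; a descriptor on /dev/mem, /dev/kmem or /dev/port obtained before the kernel entered the locked-down state keeps its read, write and mmap access, because nothing in this hunk touches those paths. If lockdown can be turned on after boot (the cover letter describes enabling it from boot state, which would make this moot), the commit message should say whether pre-existing descriptors are accepted as out of scope. Also, `kernel_is_locked_down("/dev/mem,kmem,port")` emits the same fixed string for all three devices that route through open_port(); passing the name of the device actually being opened would make the resulting restriction message actionable.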
From patchwork Mon Mar 25 22:09:31 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870241
Date: Mon, 25 Mar 2019 15:09:31 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-5-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 04/27] kexec_load: Disable at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett, Dave Young, kexec@lists.infradead.org, Matthew Garrett

From: Matthew Garrett

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation.

This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Dave Young
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett
---
 kernel/kexec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c
index 68559808fdfa..8ea0ce31271f 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -207,6 +207,13 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images")) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions.
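Review bot: the reason string "kexec of unsigned images" does not describe what is refused here: kexec_load() carries no signature at all and is blocked outright under lockdown, signed payload or not, so a string such as "kexec_load of arbitrary images" would match both the comment above it and the commit message. Since the check lives in kexec_load_check() rather than in the syscall body, whether 32-bit callers are covered depends on the compat entry point also going through this helper; that is not visible in the hunk and deserves a sentence in the commit message.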
From patchwork Mon Mar 25 22:09:32 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870243
Date: Mon, 25 Mar 2019 15:09:32 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-6-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 05/27] Copy secure_boot flag in boot params across kexec reboot
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Dave Young, kexec@lists.infradead.org, Matthew Garrett

From: Dave Young

A kexec reboot with secure boot enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot.

Add a patch to fix this by retaining the secure_boot flag from the original kernel.

The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the stub. Fix this issue by copying the secure_boot flag across the kexec reboot.

Signed-off-by: Dave Young
Signed-off-by: David Howells
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett
---
 arch/x86/kernel/kexec-bzimage64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 278cd07228dd..d49554b948fd 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;
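Review bot: the copy is placed after `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;`, so on a kernel running with the old EFI memory map the secure_boot flag is still not carried into the new kernel's boot_params, even though that field has nothing to do with memmap layout. Moving the assignment above the early return, or stating in the commit message why the old-memmap case is deliberately excluded, would close that gap. Note also that this file is the kexec_file_load bzImage loader: it does not change the legacy kexec_load path the commit message names as the problem, where boot_params are supplied by userspace and can only be closed off by the lockdown check in patch 04.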
From patchwork Mon Mar 25 22:09:33 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870239
Date: Mon, 25 Mar 2019 15:09:33 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-7-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 06/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Jiri Bohac, kexec@lists.infradead.org, Matthew Garrett

From: Jiri Bohac

This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading unsigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:
(1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors.
(2) kexec fails with EKEYREJECTED and logs an appropriate message if signature checking is enforced and a signature is not found, uses unsupported crypto or has no matching key.
(3) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but the signature doesn't match - even if in non-forcing mode.
(4) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode.
(5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett --- arch/x86/Kconfig | 20 ++++++++--- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 48 ++++++++++++++++++++++---- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 4b4a7f32b68e..735d04a4b18f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2016,20 +2016,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c 
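Review bot: in the arch/x86/Kconfig hunk above, the KEXEC_SIG help text says an image "can still be loaded without a valid signature unless you also enable KEXEC_SIG_FORCE", but nothing in the hunk guarantees that; KEXEC_BZIMAGE_VERIFY_SIG remains an optional sub-option, so with KEXEC_SIG=y and KEXEC_BZIMAGE_VERIFY_SIG=n the outcome depends on what arch_kexec_kernel_verify_sig() returns for a loader with no verify_sig hook, which this patch does not show. Please confirm that case reports -ENODATA (non-fatal in the new kernel/kexec_file.c switch) rather than -EKEYREJECTED, or make the help text say the per-image-type verifier is required for the promise to hold. The KEXEC_SIG_FORCE help should also state that images with unsupported crypto or no matching key are rejected, not only unsigned ones, since that is what the kexec_file.c change enforces.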
@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, @@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..67f3a866eabe 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; 
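Review bot: the first verify_pefile.c hunk changes the unsigned-PE return of pefile_parse_binary() from -EKEYREJECTED to -ENODATA, which alters what verify_pefile_signature() reports to every caller, not only kexec_file; the second hunk documents the new value, but since -ENODATA is exactly the code the new kexec_file switch treats as non-fatal, any other caller that previously relied on -EKEYREJECTED for an unsigned file needs checking, and the commit message should name those callers or state that there are none. The include/linux/kexec.h and @@ -90 kexec_file.c hunks are mechanical renames of the ifdef and look fine.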
@@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + ret = -EKEYREJECTED; + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. 
+ */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,

From patchwork Mon Mar 25 22:09:34 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870175
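Review bot: in the kimage_file_prepare_segments() hunk above, the non-forcing acceptance at the `decide:` label is silent: after `ret = 0; break;` the `reason` string is discarded, and the old `pr_debug("kernel signature verification successful.\n")` is removed, so with KEXEC_SIG=y and KEXEC_SIG_FORCE=n an unsigned image, one signed with unsupported crypto and one that verified correctly all load without any distinguishable trace; suggest `pr_debug("%s allowed\n", reason);` before `ret = 0;` and restoring the success message under `case 0:`. Also, the `#else ret = -ENODATA;` branch sends every load through `decide` when KEXEC_SIG is off, which is only safe because KEXEC_SIG_FORCE depends on KEXEC_SIG; a comment there would stop a later change to the IS_ENABLED(CONFIG_KEXEC_SIG_FORCE) check from breaking it.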
Date: Mon, 25 Mar 2019 15:09:34 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-8-matthewgarrett@google.com>
Subject: [PATCH 07/27] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Jiri Bohac, kexec@lists.infradead.org, Matthew Garrett

From: Jiri Bohac

When KEXEC_SIG is not enabled, the kernel should not load images through the kexec_file system call if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Reviewed-by: Jiri Bohac
cc: kexec@lists.infradead.org
Signed-off-by: Matthew Garrett
---
 kernel/kexec_file.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 67f3a866eabe..0cfe4f6f7f85 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + + if (kernel_is_locked_down(reason)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable

From patchwork Mon Mar 25 22:09:35 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870233
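Review bot: in the hunk above, the lockdown refusal returns -EPERM without a message while the KEXEC_SIG_FORCE branch just before it prints `pr_notice("%s rejected\n", reason);`; unless kernel_is_locked_down() logs the reason it is given, add an equivalent notice so a refusal under lockdown is as visible in dmesg as a signature refusal. Placing the check after `ret = 0;` also reads as if the image had already been accepted; moving it above that assignment would make the flow clearer. Behaviourally the placement is right: a verified image (`case 0`) still loads under lockdown, and because the previous patch forces `ret = -ENODATA` when KEXEC_SIG is off, a kernel built without KEXEC_SIG refuses every kexec_file_load() once locked down, which matches the commit message.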
Date: Mon, 25 Mar 2019 15:09:35 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-9-matthewgarrett@google.com>
Subject: [PATCH 08/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Josh Boyer, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org, Matthew Garrett

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
Signed-off-by: Matthew Garrett
---
 kernel/power/hibernate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..802795becb88 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } /**

From patchwork Mon Mar 25 22:09:36 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870231
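Review bot: in the hibernation_available() hunk above, the function is a query helper that other code calls as well (the next patch's snapshot_open() is one caller), so if kernel_is_locked_down() logs each time it reports true, this change will emit a "Hibernation" message on every such query rather than once per hibernate attempt; if that is the case, put the check at the hibernate entry point and keep the helper side-effect free. The operand order is right: `nohibernate == 0 &&` short-circuits, so a kernel booted with nohibernate never consults the lockdown state.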
Date: Mon, 25 Mar 2019 15:09:36 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-10-matthewgarrett@google.com>
Subject: [PATCH 09/27] uswsusp: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett, James Morris, linux-pm@vger.kernel.org, pavel@ucw.cz, rjw@rjwysocki.net, Matthew Garrett

From: Matthew Garrett

uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: James Morris
cc: linux-pm@vger.kernel.org
Cc: pavel@ucw.cz
Cc: rjw@rjwysocki.net
Signed-off-by: Matthew Garrett
---
 kernel/power/user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/power/user.c b/kernel/power/user.c
index 2d8b60a3c86b..0305d513c274 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down("/dev/snapshot")) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {

From patchwork Mon Mar 25 22:09:37 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870229
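Review bot: in the snapshot_open() hunk above, `hibernation_available()` is called immediately before the new check and, after the previous patch, already returns false when the kernel is locked down, so `kernel_is_locked_down("/dev/snapshot")` is unreachable on a locked-down kernel and the more specific "/dev/snapshot" reason is never the one kernel_is_locked_down() sees. Either drop this hunk and rely on hibernation_available(), or move the /dev/snapshot check above it so the reason reported names the interface actually being opened.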
Date: Mon, 25 Mar 2019 15:09:37 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-11-matthewgarrett@google.com>
Subject: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett, Bjorn Helgaas, linux-pci@vger.kernel.org, Matthew Garrett

From: Matthew Garrett

Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Bjorn Helgaas
cc: linux-pci@vger.kernel.org
Signed-off-by: Matthew Garrett
---
 drivers/pci/pci-sysfs.c | 9 +++++++++
 drivers/pci/proc.c | 9 ++++++++-
 drivers/pci/syscall.c | 3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 9ecfe13157c0..40c14574fcf8 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL;
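Review bot: in the pci-sysfs.c hunks above, every site in this patch uses the single reason string "Direct PCI access", so a refused sysfs config write cannot be told apart from a refused BAR mmap, while the x86 ioport patch in this series uses distinct "ioperm" and "iopl" strings; suggest per-site reasons such as "PCI config write" and "PCI BAR mmap". The commit message should also say why pci_write_config() is gated while config reads are left alone, and that pci_mmap_resource() refuses the mapping before looking at anything about it, so read-only mappings are blocked too (reasonable, since MMIO reads can trigger device side effects), but neither decision is explained.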
@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..1549cdd0710e 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..b8a08d3166a1 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c 
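Review bot: in the proc_bus_pci_ioctl() hunk, the lockdown check sits ahead of `switch (cmd)`, so `PCIIOC_CONTROLLER`, which only returns `pci_domain_nr(dev->bus)` and enables no access, is refused with -EPERM under lockdown; either move the check into the cases that change the file's subsequent mmap behaviour or say why an informational ioctl must be blocked. The proc_bus_pci_write() and proc_bus_pci_mmap() hunks mirror the pci-sysfs.c changes (writes and mmap gated, reads not), so the read/write asymmetry needs documenting only once, in the commit message.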
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn);

From patchwork Mon Mar 25 22:09:38 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10870227
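Review bot: in the pciconfig_write() hunk above, evaluating `!capable(CAP_SYS_ADMIN)` before `kernel_is_locked_down(...)` is the right order (an unprivileged caller is refused without touching the lockdown path) and matches proc_bus_pci_mmap(); pciconfig_read() is left unchanged, consistent with config reads being allowed in pci-sysfs.c and proc.c, and that deliberate asymmetry belongs in the commit message.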
Date: Mon, 25 Mar 2019 15:09:38 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-12-matthewgarrett@google.com>
Subject: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett, Thomas Gleixner, x86@kernel.org, Matthew Garrett

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: Thomas Gleixner
cc: x86@kernel.org
Signed-off-by: Matthew Garrett
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 0fe1c8782208..abc702a6ae9c 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; /*
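Review bot: in the ksys_ioperm() hunk above, gating only the `turn_on` case is correct, a locked-down task can still drop port permissions with turn_on == 0, and evaluating `!capable(CAP_SYS_RAWIO)` first means the lockdown path is reached only by callers who would otherwise succeed; the nested `&& (... || ...)` on a continuation line is easy to misread, though, so consider a separate `if (turn_on && kernel_is_locked_down("ioperm"))` with a one-line comment giving the commit message's rationale (port access reaches PCI config space and from there MMIO and DMA).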
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl")) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | From patchwork Mon Mar 25 22:09:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870225 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EA4A414DE for ; Mon, 25 Mar 2019 22:12:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D526928C1D for ; Mon, 25 Mar 2019 22:12:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C9A832905C; Mon, 25 Mar 2019 22:12:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 711E028C1D for ; Mon, 25 Mar 2019 22:12:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730930AbfCYWKb (ORCPT ); Mon, 25 Mar 2019 18:10:31 -0400 Received: from mail-qt1-f202.google.com ([209.85.160.202]:39711 "EHLO mail-qt1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730979AbfCYWKa (ORCPT ); Mon, 25 Mar 2019 18:10:30 -0400 Received: by mail-qt1-f202.google.com with SMTP id n13so11726642qtn.6 for ; Mon, 25 Mar 2019 15:10:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
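Review bot: Because the lockdown test sits inside the `if (level > old)` branch, a task that already holds a raised IOPL keeps it and may still lower it; that matches the ioperm change, but the commit message should say explicitly that lockdown blocks gaining I/O privilege rather than retaining it. The reason strings "ioperm" and "iopl" are bare syscall names while later patches in this series use descriptive phrases ("Direct MSR access", "ACPI custom methods"); since the string is the only description of the denied operation passed through here, a consistent style such as "ioperm/iopl I/O port access" would make the resulting messages easier to search for.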
Date: Mon, 25 Mar 2019 15:09:39 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-13-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down
From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett , Kees Cook , Thomas Gleixner , x86@kernel.org, Matthew Garrett Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. MSR accesses are logged for the purposes of building up a whitelist as per Alan Cox's suggestion. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner cc: x86@kernel.org Signed-off-by: Matthew Garrett --- arch/x86/kernel/msr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..f5a2cf07972f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", reg); + return -EPERM; + } + if (count % 8) return -EINVAL; /* Invalid chunk size */ 
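Review bot: The new `pr_info("Direct access to MSR %x\n", reg);` runs unconditionally on every refused write, so a userspace loop can fill the kernel log; use `pr_info_ratelimited()` (or `pr_err_ratelimited()`) on this path. The message should also say that the write was denied, e.g. "Lockdown: denied write to MSR %x", otherwise the log cannot serve the whitelist-building purpose the commit message describes, because a reader cannot tell whether the access went through. Checking lockdown ahead of the `count % 8` validation is fine, since the decision does not depend on the buffer size.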
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; From patchwork Mon Mar 25 22:09:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870219 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 87F771708 for ; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7569228C1D for ; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6700929067; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 179A728C1D for ; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731004AbfCYWKe (ORCPT ); Mon, 25 Mar 2019 18:10:34 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:48681 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731000AbfCYWKc (ORCPT ); Mon, 25 Mar 2019 18:10:32 -0400 Received: by mail-pl1-f201.google.com with SMTP id y17so771573plr.15 for ; Mon, 25 Mar 2019 15:10:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; 
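Review bot: This repeats the check-and-log sequence from msr_write() with a slightly different log line (`regs[1]` plus a `/* Display %ecx */` comment instead of `reg`), so the two copies will drift; factor both into a small static helper, e.g. `static bool msr_lockdown_denied(u32 reg)`, that calls `kernel_is_locked_down()`, emits the rate-limited log and returns true when the write must be refused. The placement after the `err = -EFAULT; break;` path just above is right, since a bad user buffer should report -EFAULT ahead of -EPERM, but that ordering deserves a one-line comment.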
Date: Mon, 25 Mar 2019 15:09:40 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-14-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 13/27] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett , linux-acpi@vger.kernel.org, Matthew Garrett
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID:
X-Virus-Scanned: ClamAV using ClamSMTP

From: Matthew Garrett

custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: linux-acpi@vger.kernel.org
Signed-off-by: Matthew Garrett
--- drivers/acpi/custom_method.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 4451877f83b6..ac8a90dc7096 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (kernel_is_locked_down("ACPI custom methods")) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) From patchwork Mon Mar 25 22:09:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870221 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C607C186D for ; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B0F0728C1D for ; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A59F529053; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5B7492905C for ; Mon, 25 Mar 2019 22:12:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730486AbfCYWMI (ORCPT ); Mon, 25 Mar 2019 18:12:08 -0400 Received: from mail-oi1-f201.google.com ([209.85.167.201]:36933 "EHLO mail-oi1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731013AbfCYWKe (ORCPT ); Mon, 25 Mar 2019 18:10:34 -0400 Received: by mail-oi1-f201.google.com with SMTP id v10so4459028oie.4 for ; Mon, 25 Mar 2019 15:10:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; 
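Review bot: Placing the check ahead of the `if (!(*ppos))` header-parsing branch means a chunked table upload is refused at any offset, not only on its first chunk; that is the right behaviour but deserves a short comment, since a reader may otherwise expect the test to live with the header parsing. With only cm_write() gated, the custom_method file still appears in the filesystem and every write fails with -EPERM; refusing to create the file at all when the kernel is locked down would make the restriction visible to administrators as an absent feature rather than a puzzling permissions error.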
Date: Mon, 25 Mar 2019 15:09:41 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-15-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 14/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Josh Boyer , Dave Young , linux-acpi@vger.kernel.org, Matthew Garrett
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID:
X-Virus-Scanned: ClamAV using ClamSMTP

From: Josh Boyer

This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
cc: Dave Young
cc: linux-acpi@vger.kernel.org
Signed-off-by: Matthew Garrett
--- drivers/acpi/osl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..3e44cef7a0cd 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c
@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer(); From patchwork Mon Mar 25 22:09:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870215 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 759CC14DE for ; Mon, 25 Mar 2019 22:12:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6362B28C1D for ; Mon, 25 Mar 2019 22:12:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 57DD729067; Mon, 25 Mar 2019 22:12:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6FA628C1D for ; Mon, 25 Mar 2019 22:12:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731040AbfCYWKi (ORCPT ); Mon, 25 Mar 2019 18:10:38 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:45819 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731037AbfCYWKh (ORCPT ); Mon, 25 Mar 2019 18:10:37 -0400 Received: by mail-pf1-f202.google.com with SMTP id u78so10584038pfa.12 for ; Mon, 25 Mar 2019 15:10:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
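Review bot: The `acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")` condition silently falls through to `acpi_arch_get_root_pointer()`, so an administrator who passed acpi_rsdp= to a locked-down kernel gets no sign that the parameter was dropped, whereas the table-override patch in this series prints a pr_notice on the same kind of path; add something like `pr_notice("acpi_rsdp ignored: kernel is locked down\n");` before falling through, which also matches the commit message's word "reject". The new line is well past 80 columns as well; split it as `if (acpi_rsdp &&` / `!kernel_is_locked_down("ACPI RSDP specification"))` the way the ioport patch does.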
Date: Mon, 25 Mar 2019 15:09:42 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-16-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 15/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Linn Crosetto , linux-acpi@vger.kernel.org, Matthew Garrett
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID:
X-Virus-Scanned: ClamAV using ClamSMTP

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
cc: linux-acpi@vger.kernel.org
Signed-off-by: Matthew Garrett
--- drivers/acpi/tables.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..f3b4117cd8f3 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c
@@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); From patchwork Mon Mar 25 22:09:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870213 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1246A186D for ; Mon, 25 Mar 2019 22:12:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 02AFD28C1D for ; Mon, 25 Mar 2019 22:12:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EB43029092; Mon, 25 Mar 2019 22:11:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9248029053 for ; Mon, 25 Mar 2019 22:11:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731056AbfCYWKm (ORCPT ); Mon, 25 Mar 2019 18:10:42 -0400 Received: from mail-ua1-f74.google.com ([209.85.222.74]:39391 "EHLO mail-ua1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731055AbfCYWKl (ORCPT ); Mon, 25 Mar 2019 18:10:41 -0400 Received: by mail-ua1-f74.google.com with SMTP id l26so1335395uar.6 for ; Mon, 25 Mar 2019 15:10:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
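Review bot: The check lands after the `table_nr == 0` early return and before `memblock_find_in_range()`, so no reserved memory is consumed for tables that are about to be dropped; good placement. The `pr_notice()` would be more useful if it said what was discarded, and `table_nr` is already in scope at that point: `pr_notice("kernel is locked down, ignoring %d ACPI table override(s) from initrd\n", table_nr);` lets an administrator confirm that the overrides they shipped were the ones refused.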
Date: Mon, 25 Mar 2019 15:09:43 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-17-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 16/27] acpi: Disable APEI error injection if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Linn Crosetto , linux-acpi@vger.kernel.org, Matthew Garrett
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID:
X-Virus-Scanned: ClamAV using ClamSMTP

From: Linn Crosetto

ACPI provides an error injection mechanism, EINJ, for debugging and testing the ACPI Platform Error Interface (APEI) and other RAS features. If supported by the firmware, ACPI specification 5.0 and later provide for a way to specify a physical memory address to which to inject the error.

Injecting errors through EINJ can produce errors which to the platform are indistinguishable from real hardware errors. This can have undesirable side-effects, such as causing the platform to mark hardware as needing replacement.

While it does not provide a method to load unauthenticated privileged code, the effect of these errors may persist across reboots and affect trust in the underlying hardware, so disable error injection through EINJ if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
cc: linux-acpi@vger.kernel.org
Signed-off-by: Matthew Garrett
--- drivers/acpi/apei/einj.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c index fcccbfdbdd1a..9fe6bbab2e7d 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, int rc; u64 base_addr, size; + if (kernel_is_locked_down("ACPI error injection")) + return -EPERM; + /* If user manually set "flags", make sure it is legal */ if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) From patchwork Mon Mar 25 22:09:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870209 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 21B011708 for ; Mon, 25 Mar 2019 22:11:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0D35528C1D for ; Mon, 25 Mar 2019 22:11:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 019572905C; Mon, 25 Mar 2019 22:11:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6239229053 for ; Mon, 25 Mar 2019 22:11:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731085AbfCYWKo (ORCPT ); Mon, 25 Mar 2019 18:10:44 -0400 Received: from mail-ot1-f74.google.com ([209.85.210.74]:43740 "EHLO mail-ot1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731078AbfCYWKn (ORCPT ); Mon, 25 Mar 2019 18:10:43 -0400 Received: by mail-ot1-f74.google.com with SMTP id q23so1483258otk.10 for ; Mon, 25 Mar 2019 15:10:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; 
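Review bot: Returning -EPERM before the `flags` validation means a locked-down kernel reports EPERM even for malformed requests, which is consistent with the custom_method change, but unlike the MSR and ACPI table patches this path logs nothing; a single `pr_notice_once()` on the denied path would let an administrator tell a lockdown refusal apart from a missing EINJ table or a permissions problem on the debugfs files. Since einj_error_inject() is the one choke point for every injection type, a short comment saying the check deliberately covers all of them would help future readers who look for per-type handling.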
Date: Mon, 25 Mar 2019 15:09:44 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-18-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 17/27] Prohibit PCMCIA CIS storage when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Dominik Brodowski , linux-pcmcia@lists.infradead.org, Matthew Garrett
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID:
X-Virus-Scanned: ClamAV using ClamSMTP

From: David Howells

Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down.

Suggested-by: Dominik Brodowski
Signed-off-by: David Howells
cc: linux-pcmcia@lists.infradead.org
Signed-off-by: Matthew Garrett
--- drivers/pcmcia/cistpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..8adf092d0e18 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + if (kernel_is_locked_down("Direct PCMCIA CIS storage")) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) From patchwork Mon Mar 25 22:09:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870183 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8BB4314DE for ; Mon, 25 Mar 2019 22:10:51 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 76A9F28C1D for ; Mon, 25 Mar 2019 22:10:51 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6B3402905C; Mon, 25 Mar 2019 22:10:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0552728C1D for ; Mon, 25 Mar 2019 22:10:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731109AbfCYWKu (ORCPT ); Mon, 25 Mar 2019 18:10:50 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:57177 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731098AbfCYWKq (ORCPT ); Mon, 25 Mar 2019 18:10:46 -0400 Received: by mail-qk1-f202.google.com with SMTP id a15so7163137qkl.23 for ; Mon, 25 Mar 2019 15:10:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; 
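Review bot: Neither the hunk nor the commit message says why CIS replacement matters under lockdown; the CIS written through this sysfs attribute replaces the card's own description of its configuration and resource requirements, which the PCMCIA core and the bound driver then act on, and that rationale belongs both in the commit message and in a one-line comment above the `kernel_is_locked_down("Direct PCMCIA CIS storage")` check so the reason string is not the only explanation. Placing the check before `to_socket()` and the `off` handling is correct, since it refuses a partial write at any offset rather than only the first chunk.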
Date: Mon, 25 Mar 2019 15:09:45 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-19-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 18/27] Lock down TIOCSSERIAL
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Greg Kroah-Hartman, Jiri Slaby, linux-serial@vger.kernel.org, Matthew Garrett

From: David Howells

Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error.

Reported-by: Greg Kroah-Hartman
Signed-off-by: David Howells
cc: Jiri Slaby
Cc: linux-serial@vger.kernel.org
Signed-off-by: Matthew Garrett
---
 drivers/tty/serial/serial_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index d4cca5bdaf1c..04534877b575 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { + retval = -EPERM; + goto exit; + } + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port ||

From patchwork Mon Mar 25 22:09:46 2019
X-Patchwork-Id: 10870207
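Review bot: the lockdown reason string in the uart_set_info() hunk claims to cover "device addresses, irqs and dma channels", but the condition only tests `change_port || change_irq`; no DMA-related change is checked, so either drop "dma channels" from the message or gate on the corresponding field so the audit message matches what is actually refused. The `goto exit` on -EPERM mirrors the existing CAP_SYS_ADMIN path immediately below, which keeps the unlock and exit handling in one place.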
Date: Mon, 25 Mar 2019 15:09:46 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-20-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 19/27] Lock down module params that specify hardware parameters (eg. ioport)
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alan Cox, Matthew Garrett

From: David Howells

Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types).

Suggested-by: Alan Cox
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
 kernel/params.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/kernel/params.c b/kernel/params.c
index ce89f757e6da..8ac751c938f8 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; }
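Review bot: in the param_check_unsafe() hunk the KERNEL_PARAM_FL_UNSAFE branch still runs add_taint(TAINT_USER, ...) before the KERNEL_PARAM_FL_HWPARAM lockdown test, so a parameter flagged both unsafe and hwparam taints the kernel even though the value is then refused and never applied; testing lockdown first, or tainting only on the `return true` path, avoids recording a taint for a change that did not happen. The new `doing` argument is also never read in the function body (the pr_notice uses kp->name and the lockdown reason is a fixed string), so either include it in one of those messages or drop it from both the prototype and the parse_one() call site. Note that `¶ms[i]` in the parse_one() hunk is an HTML-entity extraction artefact of `&params[i]`.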
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, 
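Review bot: the mod_name() helper in the param_attr_show()/param_attr_store() hunk is defined mid-file, between two functions, for a single use a few lines below; if it is kept, moving the #ifdef CONFIG_MODULES block to the top of kernel/params.c with the other helpers keeps the conditional compilation in one place, and a short comment should say that the "unknown" fallback is reached only when there is no module object (built-in parameters). Whether it is worth keeping at all depends on the `doing` argument it feeds in param_attr_store() actually being used inside param_check_unsafe(), which the earlier hunk does not do.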
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len;

From patchwork Mon Mar 25 22:09:47 2019
X-Patchwork-Id: 10870205
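Review bot: the if/else around `ops->set()` in the param_attr_store() hunk duplicates the one added to parse_one(), with both callers open-coding `err = -EPERM` when param_check_unsafe() returns false; having param_check_unsafe() return an int (0 or -EPERM) would let both sites collapse to `err = param_check_unsafe(...); if (!err) err = ...->ops->set(...);` and keeps the lockdown error code in one place should it ever need to change. -EPERM is also what the existing `return -EPERM` in the context just above this hunk produces, so a sysfs writer cannot tell a lockdown refusal from a permission failure; that is consistent with the rest of the series but worth stating in the commit message.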
Date: Mon, 25 Mar 2019 15:09:47 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-21-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 20/27] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Thomas Gleixner, Steven Rostedt, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, Matthew Garrett

From: David Howells

The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space.

Suggested-by: Thomas Gleixner
Signed-off-by: David Howells
cc: Steven Rostedt
cc: Ingo Molnar
cc: "H. Peter Anvin"
cc: x86@kernel.org
Signed-off-by: Matthew Garrett
---
 arch/x86/mm/testmmiotrace.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
index f6ae6830b341..bbaad357f5d7 100644
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c
@@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing")) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");

From patchwork Mon Mar 25 22:09:48 2019
X-Patchwork-Id: 10870187
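Review bot: returning -EPERM from init() in the testmmiotrace hunk happens before the module's existing pr_err() diagnostics, so a locked-down load fails with only the generic modprobe error unless kernel_is_locked_down() itself logs its reason string; if it does not, a pr_err() naming lockdown here would match the deliberately loud style of the messages that follow it.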
Date: Mon, 25 Mar 2019 15:09:48 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-22-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 21/27] Lock down /proc/kcore
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, James Morris, Matthew Garrett

From: David Howells

Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data.

Signed-off-by: David Howells
Reviewed-by: James Morris
Signed-off-by: Matthew Garrett
---
 fs/proc/kcore.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index bbcc185062bb..d50ebfbf3dbb 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore")) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM;

From patchwork Mon Mar 25 22:09:49 2019
X-Patchwork-Id: 10870203
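Review bot: the two new lines in the open_kcore() hunk run straight into the existing capable(CAP_SYS_RAWIO) check with no separating blank line, unlike the other hunks in this series (the kprobes and testmmiotrace changes both add a blank `+` line after `return -EPERM;`); adding one keeps the lockdown test visually distinct from the capability test. The ordering itself is right: lockdown is tested first, so holding CAP_SYS_RAWIO does not bypass it, which is the point of the change.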
Date: Mon, 25 Mar 2019 15:09:49 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-23-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 22/27] Lock down kprobes
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alexei Starovoitov, Matthew Garrett, "Naveen N. Rao", Anil S Keshavamurthy, davem@davemloft.net, Masami Hiramatsu

From: David Howells

Disallow the creation of kprobes when the kernel is locked down by preventing their registration. This prevents kprobes from being used to access kernel memory, either to make modifications or to steal crypto data.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: davem@davemloft.net
Cc: Masami Hiramatsu
---
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..6f66cca8e2c6 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr))

From patchwork Mon Mar 25 22:09:50 2019
X-Patchwork-Id: 10870189
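Review bot: the check in the register_kprobe() hunk is unconditional, so every caller of register_kprobe(), including in-kernel subsystems and modules that register probes at init, receives -EPERM under lockdown, not only probes requested through user-facing interfaces; the commit message frames the change as stopping kprobes from being used to read or modify kernel memory and should state explicitly that in-kernel registration is refused too, so that such callers are expected to tolerate -EPERM.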
Date: Mon, 25 Mar 2019 15:09:50 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-24-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alexei Starovoitov, netdev@vger.kernel.org, Chun-Yi Lee, Daniel Borkmann, Matthew Garrett

From: David Howells

There are some bpf functions that can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
Signed-off-by: Matthew Garrett
---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index b155cd17c1bd..2cde39a875aa 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err;

From patchwork Mon Mar 25 22:09:51 2019
X-Patchwork-Id: 10870201
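Review bot: the check in the bpf() syscall hunk refuses every command, including map creation, map lookup and object pinning, whereas the commit message motivates the change with three helpers (bpf_probe_read, bpf_probe_write_user and bpf_trace_printk) that only loaded programs can call; if blanket refusal is intended, the commit message should say why narrower gating (refusing only program loads of the types that can use those helpers) was rejected, since tooling that merely reads maps of already-loaded programs loses access as a side effect. Placing the check after the sysctl_unprivileged_bpf_disabled test means CAP_SYS_ADMIN does not bypass lockdown, which is consistent with the other patches.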
Date: Mon, 25 Mar 2019 15:09:51 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-25-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 24/27] Lock down perf
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo

From: David Howells

Disallow the use of certain perf facilities that might allow userspace to access kernel data.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
---
 kernel/events/core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3cd13a30f732..7748c6f39992 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10461,6 +10461,11 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) + /* REGS_INTR can leak data, lockdown must prevent this */ + return -EPERM; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))

From patchwork Mon Mar 25 22:09:52 2019
X-Patchwork-Id: 10870191
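Review bot: in the perf_event_open() hunk the comment sits between the `if (...)` condition and its unbraced `return -EPERM;`, so the body of the `if` is a comment line followed by the return, which is legal but easy to misread; move the comment above the `if` or add braces. The condition also covers only PERF_SAMPLE_REGS_INTR while the commit message speaks of "certain perf facilities" in the plural; naming the single facility being restricted in the message would make the scope of the change clear.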
Date: Mon, 25 Mar 2019 15:09:52 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-26-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 25/27] debugfs: Restrict debugfs when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Andy Shevchenko , acpi4asus-user@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, Matthew Garrett , Thomas Gleixner , Greg Kroah-Hartman , Matthew Garrett

From: David Howells

Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made:

(1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that).

(2) When the kernel is locked down, only files with the following criteria are permitted to be opened:
 - The file must have mode 00444
 - The file must not have ioctl methods
 - The file must not have mmap

(3) When the kernel is locked down, files may only be opened for reading.

Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver.

I would actually prefer to lock down all files by default and have the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables).

Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
Cc: Greg Kroah-Hartman
Signed-off-by: Matthew Garrett --- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..c33042c1eff3 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +static bool debugfs_is_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) +{ + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) + return false; + + return kernel_is_locked_down("debugfs"); +} + static int open_proxy_open(struct inode *inode, struct file *filp) { struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) + goto out; + real_fops = fops_get(real_fops); if (!real_fops) { /* Huh? Module did not cleanup after itself at exit? */ diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 13b01351dd1c..4daec17b8215 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c 
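Review bot: in the debugfs_is_locked_down() hunk, the heuristic treats "mode 0444, no ioctl, no mmap, not opened for write" as safe, but a .read handler can still have side effects (some debugfs files trigger an action or reset state when read), and nothing in the test excludes that; the commit message presents this as a heuristic, so the comment above the function should say so rather than only noting that root can bypass permission checks. Also, the test (inode->i_mode & 07777) == 0444 denies files deliberately created 0400 or 0440 even though they are read-only for everyone; if that is intended (only world-readable files are presumed harmless, root-only files are presumed sensitive), a one-line comment would save the next reader a question.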
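Review bot: in the open_proxy_open() hunk, the goto out lands before fops_get(), so no module reference is taken on the denied path, and assuming out releases the debugfs_file_get() reference taken just above (as the existing error path does), the refcounting is right; the extra blank + line inserted before r = -EPERM; is not in the otherwise identical full_proxy_open() hunk, so pick one layout for both.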
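Review bot: in the full_proxy_open() hunk, the three added lines duplicate the open_proxy_open() check verbatim; consider having debugfs_is_locked_down() return the error itself, or folding r = -EPERM; if (...) goto out; into a small helper, so a later policy tweak cannot update one proxy path and miss the other. Returning -EPERM rather than -EACCES matches the other lockdown call sites in this series (perf, setattr, kexec_file), so that part is consistent.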
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether + * to lock down individual files. + */ +static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) +{ + if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && + kernel_is_locked_down("debugfs")) + return -EPERM; + return simple_setattr(dentry, ia); +} + +static const struct inode_operations debugfs_file_inode_operations = { + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_dir_inode_operations = { + .lookup = simple_lookup, + .setattr = debugfs_setattr, +}; +static const struct inode_operations debugfs_symlink_inode_operations = { + .get_link = simple_get_link, + .setattr = debugfs_setattr, +}; + static struct inode *debugfs_get_inode(struct super_block *sb) { struct inode *inode = new_inode(sb); @@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); @@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; /* directory inodes start off with i_nlink == 2 (for "." entry) */ 
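Review bot: in the debugfs_setattr() hunk, ATTR_MODE/ATTR_UID/ATTR_GID are refused only when kernel_is_locked_down("debugfs") is true, whereas item (1) of the commit message says chmod and chown are disallowed on debugfs objects with no qualification; either the message should say "when the kernel is locked down" or the check should drop the lockdown condition. Evaluating the cheap ia_valid mask before kernel_is_locked_down() is good, since it keeps the lockdown notice from firing on timestamp-only setattr calls; ATTR_SIZE and the timestamps remain allowed, which looks intentional but deserves a word in the comment.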
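Review bot: in the debugfs_create_dir() hunk, only this function and debugfs_create_symlink() are switched away from the simple_* inode operations; any other creation path in inode.c that still assigns simple_dir_inode_operations to a debugfs inode (automount directories, if they are set up that way) would keep the unrestricted setattr and so still accept chmod/chown under lockdown, defeating the mode-based heuristic for anything beneath it. Please check the remaining i_op assignments in the file and convert them, or note in the commit message why they do not matter.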
@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); } inode->i_mode = S_IFLNK | S_IRWXUGO; - inode->i_op = &simple_symlink_inode_operations; + inode->i_op = &debugfs_symlink_inode_operations; inode->i_link = link; d_instantiate(dentry, inode); return end_creating(dentry);
From patchwork Mon Mar 25 22:09:53 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870197
Date: Mon, 25 Mar 2019 15:09:53 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-27-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 26/27] lockdown: Print current->comm in restriction messages
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett

From: David Howells

Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message is now patterned something like:

Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
security/lock_down.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/lock_down.c b/security/lock_down.c index 18d8776a4d02..ee00ca2677e7 100644 --- a/security/lock_down.c +++ b/security/lock_down.c
@@ -53,8 +53,8 @@ void __init init_lockdown(void) bool __kernel_is_locked_down(const char *what, bool first) { if (what && first && kernel_locked_down) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - what); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, what); return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down);
From patchwork Mon Mar 25 22:09:54 2019 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10870193
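Review bot: in the __kernel_is_locked_down() hunk, current->comm is chosen by the task itself via prctl(PR_SET_NAME) and is not sanitised, so an unprivileged process can place up to 15 arbitrary bytes, including a newline, into this pr_notice line; treat the field as untrusted in anything that parses dmesg, and consider printing task_pid_nr(current) next to it so the message can be tied to a real task rather than to a self-selected name. Since the notice is only emitted when first is true, the comm shown is that of whichever process first tripped a given restriction, which the commit message could make explicit.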
Date: Mon, 25 Mar 2019 15:09:54 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-28-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 27/27] kexec: Allow kexec_file() with appropriate IMA policy when locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett , Matthew Garrett , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org

Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime.

Signed-off-by: Matthew Garrett
Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: linux-integrity@vger.kernel.org
Acked-by: Mimi Zohar
---
include/linux/ima.h | 9 ++++++
kernel/kexec_file.c | 7 +++-
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_main.c | 2 +-
security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++
5 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..05921227d700 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,4 +127,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_kexec_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */
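Review bot: in the include/linux/ima.h hunk, the fallback stub is named ima_appraise_kexec_signature() while the real declaration, and the caller added in kernel/kexec_file.c, use ima_appraise_signature(); with CONFIG_IMA_APPRAISE or CONFIG_INTEGRITY_TRUSTED_KEYRING disabled the kexec_file.c call then has no declaration and no definition and the build breaks, so the stub must be renamed to ima_appraise_signature(). The prototype also calls its parameter func although the function takes a kernel_read_file_id that it later maps to an ima_hooks func; naming it id in the header, as the definition does, avoids that confusion.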
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 0cfe4f6f7f85..8ffa4b75c620 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = 0; - if (kernel_is_locked_down(reason)) { + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + kernel_is_locked_down(reason)) { ret = -EPERM; goto out; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..fe03cc6f1ca4 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -115,6 +115,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 4ffac4f5c647..106f06dee9d1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -442,7 +442,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 122797023bdb..f8f1cdb74a4f 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
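Review bot: in the kimage_file_prepare_segments() hunk, the new block comment uses the networking layout (text on the /* line); core kernel code puts /* on its own line, so please reflow it. On substance, the exemption consults ima_appraise_signature(READING_KEXEC_IMAGE) only, that is for the kernel image passed as kernel_fd; nothing here imposes a signature requirement on initrd_fd, which is consistent with the PE-signature path but should be stated in the comment so nobody reads "guaranteed to appraise a signature on the kexec image" as covering both buffers.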
@@ -1341,3 +1341,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. + */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
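Review bot: in the ima_appraise_signature() hunk, two gaps in the "guaranteed to appraise a signature" promise made at the kexec_file.c call site. First, the loop takes the first APPRAISE rule whose func matches (or is unset) and breaks, but it ignores every other condition on that rule (fsmagic, uid, euid, fowner and so on), so an appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig rule restricted to one filesystem type makes the function return true for an image loaded from any filesystem, where IMA would not actually appraise it; conversely a narrowly conditioned rule without IMA_DIGSIG_REQUIRED that happens to sort first produces a false negative. Second, nothing checks that appraisal is enforced: when appraisal is in log or fix mode (the ima_appraise= boot parameter, where enabled), an unsigned image is recorded and then allowed, so the exemption should additionally require (ima_appraise & IMA_APPRAISE_ENFORCE) before returning true, otherwise lockdown can be sidestepped by a policy that looks strict on paper.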