From: Kees Cook <keescook@chromium.org>
To: Paul Moore <paul@paul-moore.com>
Cc: Kees Cook <keescook@chromium.org>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 4/4] LoadPin: Allow filesystem switch when not enforcing
Date: Fri,  9 Dec 2022 11:57:45 -0800	[thread overview]
Message-ID: <20221209195746.1366607-4-keescook@chromium.org> (raw)
In-Reply-To: <20221209195520.never.357-kees@kernel.org>

For LoadPin to be used at all in a classic distro environment, it needs
to allow for switching filesystems (from the initramfs to the "real"
root filesystem). To allow for this, if the "enforce" mode is not set at
boot, reset the pinned filesystem tracking when the pinned filesystem
gets unmounted instead of invalidating further loads. Once enforcement
is set, it cannot be unset, and the pinning will stick.

This means that distros can build with CONFIG_SECURITY_LOADPIN=y but with
CONFIG_SECURITY_LOADPIN_ENFORCE disabled, and then, once the system is up
and running, enable enforcement:

  $ sysctl -w kernel.loadpin.enforced=1

Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 security/loadpin/loadpin.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index ef12d77548ae..d73a281adf86 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -119,11 +119,16 @@ static void loadpin_sb_free_security(struct super_block *mnt_sb)
 	/*
 	 * When unmounting the filesystem we were using for load
 	 * pinning, we acknowledge the superblock release, but make sure
-	 * no other modules or firmware can be loaded.
+	 * no other modules or firmware can be loaded when we are in
+	 * enforcing mode. Otherwise, allow the root to be reestablished.
 	 */
 	if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
-		pinned_root = ERR_PTR(-EIO);
-		pr_info("umount pinned fs: refusing further loads\n");
+		if (enforce) {
+			pinned_root = ERR_PTR(-EIO);
+			pr_info("umount pinned fs: refusing further loads\n");
+		} else {
+			pinned_root = NULL;
+		}
 	}
 }
 
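Review bot: the non-enforcing branch resets `pinned_root = NULL;` without holding pinned_root_spinlock, while the reader in loadpin_check (second hunk) tests `if (!pinned_root)` under that lock; a load racing with the unmount could therefore observe the pin being cleared or re-taken half way through. Either take the spinlock around the reset here or add a comment explaining why the superblock lifecycle makes that race impossible. Separately, the enforcing branch logs via pr_info() while the new else branch is silent; a matching pr_info("umount pinned fs: allowing root to be reestablished\n") would keep dmesg symmetric for anyone later trying to work out why a load from a different filesystem was allowed.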
@@ -158,8 +163,9 @@ static int loadpin_check(struct file *file, enum kernel_read_file_id id)
 	/* First loaded module/firmware defines the root for all others. */
 	spin_lock(&pinned_root_spinlock);
 	/*
-	 * pinned_root is only NULL at startup. Otherwise, it is either
-	 * a valid reference, or an ERR_PTR.
+	 * pinned_root is only NULL at startup or when the pinned root has
+	 * been unmounted while we are not in enforcing mode. Otherwise, it
+	 * is either a valid reference, or an ERR_PTR.
 	 */
 	if (!pinned_root) {
 		pinned_root = load_root;
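Review bot: the updated comment says when pinned_root can be NULL but not what that means for the security property: after a non-enforcing unmount, the very next module or firmware load re-pins to whatever filesystem it comes from (the `pinned_root = load_root;` line just below), so the interval between the unmount and that first load is exactly where enforcement has to be switched on for the pin to mean anything. One sentence to that effect here, or in the Kconfig help for CONFIG_SECURITY_LOADPIN_ENFORCE, would save the next reader from deriving it from the two hunks.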
-- 
2.34.1

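The state transitions the patch describes (NULL at startup, a valid pin after the first load, ERR_PTR(-EIO) after an enforced unmount, and a reset to NULL after a non-enforcing unmount) can be exercised in a small user-space model. The following is an added example, not code from this patch or from the kernel's loadpin.c: `struct sb`, `PIN_POISONED`, `reset_model`, `pin_state` and the scenario functions are hypothetical stand-ins, locking is omitted, and the model assumes that in non-enforcing mode a mismatched or poisoned pin is only reported, never denied.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * User-space model (not kernel code) of LoadPin's pinning state after the
 * patch. struct sb stands in for struct super_block; pinned_root mirrors
 * the kernel variable of the same name: NULL = nothing pinned yet, a valid
 * pointer = pinned to that filesystem, PIN_POISONED = models ERR_PTR(-EIO).
 */
struct sb { int id; };

#define PIN_POISONED ((struct sb *)-1)   /* models ERR_PTR(-EIO) */

static struct sb *pinned_root;
static bool enforce;

static void reset_model(void)
{
	pinned_root = NULL;
	enforce = false;
}

/* 0 = no pin, 1 = pinned to a filesystem, 2 = poisoned (refusing loads). */
static int pin_state(void)
{
	if (!pinned_root)
		return 0;
	return pinned_root == PIN_POISONED ? 2 : 1;
}

/* Models the kernel.loadpin.enforced sysctl: it can be set, never cleared. */
static int set_enforce(bool val)
{
	if (enforce && !val)
		return -EPERM;
	enforce = val;
	return 0;
}

/*
 * Models loadpin_check(): the first load pins its filesystem, later loads
 * must come from the same one. Model assumption: when not enforcing, a
 * mismatch or a poisoned pin is only reported ("pinning-ignored").
 */
static int load_from(struct sb *load_root)
{
	if (!pinned_root) {
		pinned_root = load_root;
		printf("pinned to fs %d\n", load_root->id);
		return 0;
	}
	if (pinned_root == PIN_POISONED || pinned_root != load_root) {
		if (!enforce) {
			printf("fs %d: pinning-ignored\n", load_root->id);
			return 0;
		}
		printf("fs %d: denied\n", load_root->id);
		return -EPERM;
	}
	return 0;
}

/* Models loadpin_sb_free_security() as changed by the patch. */
static void unmount_fs(struct sb *mnt_sb)
{
	if (pinned_root && pinned_root != PIN_POISONED && mnt_sb == pinned_root) {
		if (enforce) {
			pinned_root = PIN_POISONED;
			printf("umount pinned fs: refusing further loads\n");
		} else {
			pinned_root = NULL;   /* root may be reestablished */
		}
	}
}

/* Distro boot: no enforcement at boot, load from the initramfs, switch to
 * the real root, load from it, then turn enforcement on. Returns the
 * result of a final load from the real root (0 = allowed). */
static int scenario_switch_root(void)
{
	struct sb initramfs = { 1 }, rootfs = { 2 };

	reset_model();
	load_from(&initramfs);      /* pins the initramfs */
	unmount_fs(&initramfs);     /* not enforcing: pin is cleared */
	load_from(&rootfs);         /* re-pins to the real root */
	set_enforce(true);          /* sysctl -w kernel.loadpin.enforced=1 */
	return load_from(&rootfs);  /* still the pinned fs: allowed */
}

/* Enforcement set before the pinned fs goes away: the pin is poisoned and
 * a later load from any filesystem is denied. */
static int scenario_enforced_unmount(void)
{
	struct sb initramfs = { 1 }, rootfs = { 2 };

	reset_model();
	load_from(&initramfs);
	set_enforce(true);
	unmount_fs(&initramfs);     /* enforcing: refuses further loads */
	return load_from(&rootfs);  /* -EPERM */
}

int main(void)
{
	printf("switch_root -> %d (state %d)\n", scenario_switch_root(), pin_state());
	printf("enforced_unmount -> %d (state %d)\n", scenario_enforced_unmount(), pin_state());
	printf("unset enforce -> %d\n", set_enforce(false));
	return 0;
}
```

The first scenario is the distro flow the commit message describes: the initramfs pin is dropped on unmount because enforcement is off, the real root becomes the new pin, and enforcement is switched on afterwards. The second shows why ordering matters: once `enforce` is set, unmounting the pinned filesystem poisons the pin rather than clearing it, and `set_enforce(false)` fails because the sysctl is one-way.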


Thread overview:
2022-12-09 19:57 [PATCH 0/4] LoadPin: Allow filesystem switch when not enforcing Kees Cook
2022-12-09 19:57 ` [PATCH 1/4] LoadPin: Refactor read-only check into a helper Kees Cook
2022-12-09 19:57 ` [PATCH 2/4] LoadPin: Refactor sysctl initialization Kees Cook
2022-12-09 19:57 ` [PATCH 3/4] LoadPin: Move pin reporting cleanly out of locking Kees Cook
2022-12-09 19:57 ` Kees Cook [this message]
2022-12-12 21:32 ` [PATCH 0/4] LoadPin: Allow filesystem switch when not enforcing Serge E. Hallyn
