From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>, Matthew Garrett <mjg59@google.com>, Dave Young <dyoung@redhat.com>, kexec@lists.infradead.org Subject: [PATCH V32 04/27] kexec_load: Disable at runtime if the kernel is locked down Date: Wed, 3 Apr 2019 17:32:26 -0700 [thread overview] Message-ID: <20190404003249.14356-5-matthewgarrett@google.com> (raw) In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com> From: Matthew Garrett <mjg59@srcf.ucam.org> The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Dave Young <dyoung@redhat.com> cc: kexec@lists.infradead.org --- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..57047acc9a36 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images", + LOCKDOWN_INTEGRITY)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. -- 2.21.0.392.gf8f6787159e-goog
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: Matthew Garrett <mjg59@srcf.ucam.org>, linux-api@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Matthew Garrett <mjg59@google.com>, dhowells@redhat.com, linux-security-module@vger.kernel.org, luto@kernel.org, Dave Young <dyoung@redhat.com> Subject: [PATCH V32 04/27] kexec_load: Disable at runtime if the kernel is locked down Date: Wed, 3 Apr 2019 17:32:26 -0700 [thread overview] Message-ID: <20190404003249.14356-5-matthewgarrett@google.com> (raw) In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com> From: Matthew Garrett <mjg59@srcf.ucam.org> The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Dave Young <dyoung@redhat.com> cc: kexec@lists.infradead.org --- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..57047acc9a36 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images", + LOCKDOWN_INTEGRITY)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. -- 2.21.0.392.gf8f6787159e-goog _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2019-04-04 0:33 UTC|newest] Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-04-04 0:32 [PATCH V32 0/27] Lockdown patches for 5.2 Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett 2019-04-16 8:40 ` Andrew Donnellan 2019-04-16 8:40 ` Andrew Donnellan 2019-04-18 6:38 ` Daniel Axtens 2019-04-18 6:38 ` Daniel Axtens 2019-04-18 19:35 ` Matthew Garrett 2019-04-18 19:35 ` Matthew Garrett 2019-04-29 0:06 ` Daniel Axtens 2019-04-29 0:06 ` Daniel Axtens 2019-04-29 4:54 ` Daniel Axtens 2019-04-29 4:54 ` Daniel Axtens 2019-04-30 5:15 ` Andrew Donnellan 2019-04-30 5:15 ` Andrew Donnellan 2019-04-29 22:56 ` Matthew Garrett 2019-05-02 21:07 ` James Morris 2019-05-02 21:15 ` Matthew Garrett 2019-05-02 23:19 ` James Morris 2019-05-03 0:34 ` Andy Lutomirski 2019-04-04 0:32 ` [PATCH V32 02/27] Enforce module signatures if the kernel is locked down Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 03/27] Restrict /dev/{mem,kmem,port} when " Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett [this message] 2019-04-04 0:32 ` [PATCH V32 04/27] kexec_load: Disable at runtime if " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 05/27] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 06/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 07/27] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 08/27] hibernate: Disable when " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 09/27] uswsusp: " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 10/27] PCI: Lock down BAR access " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 11/27] x86: Lock down IO port " Matthew Garrett 2019-04-04 7:49 ` Thomas Gleixner 2019-04-04 0:32 ` [PATCH V32 12/27] x86/msr: Restrict MSR " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 13/27] ACPI: Limit access to custom_method " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 14/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 15/27] acpi: Disable ACPI table override if the kernel is " Matthew Garrett 2019-04-04 0:32 ` Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 16/27] Prohibit PCMCIA CIS storage when " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 17/27] Lock down TIOCSSERIAL Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 18/27] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 19/27] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett 2019-04-04 1:33 ` Steven Rostedt 2019-04-04 7:47 ` Thomas Gleixner 2019-04-04 0:32 ` [PATCH V32 20/27] Lock down /proc/kcore Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 21/27] Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 22/27] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett 2019-04-30 19:19 ` Jann Horn 2019-04-04 0:32 ` [PATCH V32 23/27] Lock down perf when " Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 24/27] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 25/27] lockdown: Print current->comm in restriction messages Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 26/27] debugfs: Restrict debugfs when the kernel is locked down Matthew Garrett 2019-04-04 0:32 ` [PATCH V32 27/27] tracefs: Restrict tracefs " Matthew Garrett 2019-04-04 13:39 ` Steven Rostedt 2019-04-04 20:09 ` Matthew Garrett
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190404003249.14356-5-matthewgarrett@google.com \ --to=matthewgarrett@google.com \ --cc=dhowells@redhat.com \ --cc=dyoung@redhat.com \ --cc=jmorris@namei.org \ --cc=kexec@lists.infradead.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@kernel.org \ --cc=mjg59@google.com \ --cc=mjg59@srcf.ucam.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.