* [PATCH v2 0/3] kexec: Add new parameter to limit the access to kexec
@ 2022-12-08 16:37 ` Ricardo Ribalda
0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:37 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
Add two parameter to specify how many times a kexec kernel can be loaded.
These parameter allow hardening the system.
While we are at it, fix a documentation issue and refactor some code.
To: Jonathan Corbet <corbet@lwn.net>
To: Eric Biederman <ebiederm@xmission.com>
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: kexec@lists.infradead.org
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ross Zwisler <zwisler@kernel.org>
To: Philipp Rudo <prudo@redhat.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Changes in v2:
- Instead of kexec_reboot_disabled, add two new counters (Thanks Philipp!)
- Link to v1: https://lore.kernel.org/r/20221114-disable-kexec-reset-v1-0-fb51d20cf871@chromium.org
---
Ricardo Ribalda (3):
Documentation: sysctl: Correct kexec_load_disabled
kexec: Factor out kexec_load_permited
kexec: Introduce paramters load_limit_reboot and load_limit_panic
Documentation/admin-guide/kernel-parameters.txt | 14 ++++
Documentation/admin-guide/sysctl/kernel.rst | 7 +-
include/linux/kexec.h | 3 +-
kernel/kexec.c | 2 +-
kernel/kexec_core.c | 98 ++++++++++++++++++++++++-
kernel/kexec_file.c | 2 +-
6 files changed, 119 insertions(+), 7 deletions(-)
---
base-commit: 479174d402bcf60789106eedc4def3957c060bad
change-id: 20221114-disable-kexec-reset-19b7e117338f
Best regards,
--
Ricardo Ribalda <ribalda@chromium.org>
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2 0/3] kexec: Add new parameter to limit the access to kexec
@ 2022-12-08 16:37 ` Ricardo Ribalda
0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:37 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
Add two parameter to specify how many times a kexec kernel can be loaded.
These parameter allow hardening the system.
While we are at it, fix a documentation issue and refactor some code.
To: Jonathan Corbet <corbet@lwn.net>
To: Eric Biederman <ebiederm@xmission.com>
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: kexec@lists.infradead.org
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ross Zwisler <zwisler@kernel.org>
To: Philipp Rudo <prudo@redhat.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Changes in v2:
- Instead of kexec_reboot_disabled, add two new counters (Thanks Philipp!)
- Link to v1: https://lore.kernel.org/r/20221114-disable-kexec-reset-v1-0-fb51d20cf871@chromium.org
---
Ricardo Ribalda (3):
Documentation: sysctl: Correct kexec_load_disabled
kexec: Factor out kexec_load_permited
kexec: Introduce paramters load_limit_reboot and load_limit_panic
Documentation/admin-guide/kernel-parameters.txt | 14 ++++
Documentation/admin-guide/sysctl/kernel.rst | 7 +-
include/linux/kexec.h | 3 +-
kernel/kexec.c | 2 +-
kernel/kexec_core.c | 98 ++++++++++++++++++++++++-
kernel/kexec_file.c | 2 +-
6 files changed, 119 insertions(+), 7 deletions(-)
---
base-commit: 479174d402bcf60789106eedc4def3957c060bad
change-id: 20221114-disable-kexec-reset-19b7e117338f
Best regards,
--
Ricardo Ribalda <ribalda@chromium.org>
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2 1/3] Documentation: sysctl: Correct kexec_load_disabled
2022-12-08 16:37 ` Ricardo Ribalda
@ 2022-12-08 16:38 ` Ricardo Ribalda
-1 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:38 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
kexec_load_disabled affects both ``kexec_load`` and ``kexec_file_load``
syscalls. Make it explicit.
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Documentation/admin-guide/sysctl/kernel.rst | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
index 98d1b198b2b4..97394bd9d065 100644
--- a/Documentation/admin-guide/sysctl/kernel.rst
+++ b/Documentation/admin-guide/sysctl/kernel.rst
@@ -450,9 +450,10 @@ this allows system administrators to override the
kexec_load_disabled
===================
-A toggle indicating if the ``kexec_load`` syscall has been disabled.
-This value defaults to 0 (false: ``kexec_load`` enabled), but can be
-set to 1 (true: ``kexec_load`` disabled).
+A toggle indicating if the syscalls ``kexec_load`` and
+``kexec_file_load`` have been disabled.
+This value defaults to 0 (false: ``kexec_*load`` enabled), but can be
+set to 1 (true: ``kexec_*load`` disabled).
Once true, kexec can no longer be used, and the toggle cannot be set
back to false.
This allows a kexec image to be loaded before disabling the syscall,
--
2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 1/3] Documentation: sysctl: Correct kexec_load_disabled
@ 2022-12-08 16:38 ` Ricardo Ribalda
0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:38 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
kexec_load_disabled affects both ``kexec_load`` and ``kexec_file_load``
syscalls. Make it explicit.
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Documentation/admin-guide/sysctl/kernel.rst | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
index 98d1b198b2b4..97394bd9d065 100644
--- a/Documentation/admin-guide/sysctl/kernel.rst
+++ b/Documentation/admin-guide/sysctl/kernel.rst
@@ -450,9 +450,10 @@ this allows system administrators to override the
kexec_load_disabled
===================
-A toggle indicating if the ``kexec_load`` syscall has been disabled.
-This value defaults to 0 (false: ``kexec_load`` enabled), but can be
-set to 1 (true: ``kexec_load`` disabled).
+A toggle indicating if the syscalls ``kexec_load`` and
+``kexec_file_load`` have been disabled.
+This value defaults to 0 (false: ``kexec_*load`` enabled), but can be
+set to 1 (true: ``kexec_*load`` disabled).
Once true, kexec can no longer be used, and the toggle cannot be set
back to false.
This allows a kexec image to be loaded before disabling the syscall,
--
2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 2/3] kexec: Factor out kexec_load_permited
2022-12-08 16:37 ` Ricardo Ribalda
@ 2022-12-08 16:38 ` Ricardo Ribalda
-1 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:38 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
Both syscalls (kexec and kexec_file) do the same check, lets factor it
out.
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
include/linux/kexec.h | 3 ++-
kernel/kexec.c | 2 +-
kernel/kexec_core.c | 11 ++++++++++-
kernel/kexec_file.c | 2 +-
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 41a686996aaa..e9e1ab5e8006 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -406,7 +406,8 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
extern struct kimage *kexec_image;
extern struct kimage *kexec_crash_image;
-extern int kexec_load_disabled;
+
+bool kexec_load_permited(void);
#ifndef kexec_flush_icache_page
#define kexec_flush_icache_page(page)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index cb8e6e6f983c..d83fc9093aff 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
int result;
/* We only trust the superuser with rebooting the system. */
- if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ if (!kexec_load_permited())
return -EPERM;
/* Permit LSMs and IMA to fail the kexec */
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index ca2743f9c634..18bd90ca9c99 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -928,7 +928,7 @@ int kimage_load_segment(struct kimage *image,
struct kimage *kexec_image;
struct kimage *kexec_crash_image;
-int kexec_load_disabled;
+static int kexec_load_disabled;
#ifdef CONFIG_SYSCTL
static struct ctl_table kexec_core_sysctls[] = {
{
@@ -952,6 +952,15 @@ static int __init kexec_core_sysctl_init(void)
late_initcall(kexec_core_sysctl_init);
#endif
+bool kexec_load_permited(void)
+{
+ /*
+ * Only the superuser can use the kexec syscall and if it has not
+ * been disabled.
+ */
+ return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
+}
+
/*
* No panic_cpu check version of crash_kexec(). This function is called
* only when panic_cpu holds the current CPU number; this is the only CPU
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 45637511e0de..701147c118d4 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
struct kimage **dest_image, *image;
/* We only trust the superuser with rebooting the system. */
- if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ if (!kexec_load_permited())
return -EPERM;
/* Make sure we have a legal set of flags */
--
2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 2/3] kexec: Factor out kexec_load_permited
@ 2022-12-08 16:38 ` Ricardo Ribalda
0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:38 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
Both syscalls (kexec and kexec_file) do the same check, lets factor it
out.
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
include/linux/kexec.h | 3 ++-
kernel/kexec.c | 2 +-
kernel/kexec_core.c | 11 ++++++++++-
kernel/kexec_file.c | 2 +-
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 41a686996aaa..e9e1ab5e8006 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -406,7 +406,8 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
extern struct kimage *kexec_image;
extern struct kimage *kexec_crash_image;
-extern int kexec_load_disabled;
+
+bool kexec_load_permited(void);
#ifndef kexec_flush_icache_page
#define kexec_flush_icache_page(page)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index cb8e6e6f983c..d83fc9093aff 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
int result;
/* We only trust the superuser with rebooting the system. */
- if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ if (!kexec_load_permited())
return -EPERM;
/* Permit LSMs and IMA to fail the kexec */
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index ca2743f9c634..18bd90ca9c99 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -928,7 +928,7 @@ int kimage_load_segment(struct kimage *image,
struct kimage *kexec_image;
struct kimage *kexec_crash_image;
-int kexec_load_disabled;
+static int kexec_load_disabled;
#ifdef CONFIG_SYSCTL
static struct ctl_table kexec_core_sysctls[] = {
{
@@ -952,6 +952,15 @@ static int __init kexec_core_sysctl_init(void)
late_initcall(kexec_core_sysctl_init);
#endif
+bool kexec_load_permited(void)
+{
+ /*
+ * Only the superuser can use the kexec syscall and if it has not
+ * been disabled.
+ */
+ return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
+}
+
/*
* No panic_cpu check version of crash_kexec(). This function is called
* only when panic_cpu holds the current CPU number; this is the only CPU
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 45637511e0de..701147c118d4 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
struct kimage **dest_image, *image;
/* We only trust the superuser with rebooting the system. */
- if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ if (!kexec_load_permited())
return -EPERM;
/* Make sure we have a legal set of flags */
--
2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
2022-12-08 16:37 ` Ricardo Ribalda
@ 2022-12-08 16:38 ` Ricardo Ribalda
-1 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:38 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
Add two parameter to specify how many times a kexec kernel can be loaded.
The sysadmin can set different limits for kexec panic and kexec reboot
kernels.
The value can be modified at runtime via sysfs, but only with a value
smaller than the current one (except -1).
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Documentation/admin-guide/kernel-parameters.txt | 14 ++++
include/linux/kexec.h | 2 +-
kernel/kexec.c | 2 +-
kernel/kexec_core.c | 91 ++++++++++++++++++++++++-
kernel/kexec_file.c | 2 +-
5 files changed, 106 insertions(+), 5 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 42af9ca0127e..2b37d6a20747 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2374,6 +2374,20 @@
for Movable pages. "nn[KMGTPE]", "nn%", and "mirror"
are exclusive, so you cannot specify multiple forms.
+ kexec_core.load_limit_reboot=
+ kexec_core.load_limit_panic=
+ [KNL]
+ This parameter specifies a limit to the number of times
+ a kexec kernel can be loaded.
+ Format: <int>
+ -1 = Unlimited.
+ int = Number of times kexec can be called.
+
+ During runtime, this parameter can be modified with a
+ value smaller than the current one (but not -1).
+
+ Default: -1
+
kgdbdbgp= [KGDB,HW] kgdb over EHCI usb debug port.
Format: <Controller#>[,poll interval]
The controller # is the number of the ehci usb debug
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index e9e1ab5e8006..3d7d10f7187a 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
extern struct kimage *kexec_image;
extern struct kimage *kexec_crash_image;
-bool kexec_load_permited(void);
+bool kexec_load_permited(bool crash_image);
#ifndef kexec_flush_icache_page
#define kexec_flush_icache_page(page)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index d83fc9093aff..2b0856e83fe1 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
int result;
/* We only trust the superuser with rebooting the system. */
- if (!kexec_load_permited())
+ if (!kexec_load_permited(flags & KEXEC_ON_CRASH))
return -EPERM;
/* Permit LSMs and IMA to fail the kexec */
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index 18bd90ca9c99..7f9d5288b24b 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -952,13 +952,100 @@ static int __init kexec_core_sysctl_init(void)
late_initcall(kexec_core_sysctl_init);
#endif
-bool kexec_load_permited(void)
+struct kexec_load_limit {
+ /* Mutex protects the limit count. */
+ struct mutex mutex;
+ int limit;
+};
+
+struct kexec_load_limit load_limit_reboot = {
+ .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex),
+ .limit = -1,
+};
+
+struct kexec_load_limit load_limit_panic = {
+ .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex),
+ .limit = -1,
+};
+
+static int param_get_limit(char *buffer, const struct kernel_param *kp)
{
+ int ret;
+ struct kexec_load_limit *limit = kp->arg;
+
+ mutex_lock(&limit->mutex);
+ ret = scnprintf(buffer, PAGE_SIZE, "%i\n", limit->limit);
+ mutex_unlock(&limit->mutex);
+
+ return ret;
+}
+
+static int param_set_limit(const char *buffer, const struct kernel_param *kp)
+{
+ int ret;
+ struct kexec_load_limit *limit = kp->arg;
+ int new_val;
+
+ ret = kstrtoint(buffer, 0, &new_val);
+ if (ret)
+ return ret;
+
+ new_val = max(-1, new_val);
+
+ mutex_lock(&limit->mutex);
+
+ if (new_val == -1 && limit->limit != -1) {
+ ret = -EINVAL;
+ goto done;
+ }
+
+ if (limit->limit != -1 && new_val > limit->limit) {
+ ret = -EINVAL;
+ goto done;
+ }
+
+ limit->limit = new_val;
+
+done:
+ mutex_unlock(&limit->mutex);
+
+ return ret;
+}
+
+static const struct kernel_param_ops load_limit_ops = {
+ .get = param_get_limit,
+ .set = param_set_limit,
+};
+
+module_param_cb(load_limit_reboot, &load_limit_ops, &load_limit_reboot, 0644);
+MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec reboot kernel");
+
+module_param_cb(load_limit_panic, &load_limit_ops, &load_limit_panic, 0644);
+MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec panic kernel");
+
+bool kexec_load_permited(bool crash_image)
+{
+ struct kexec_load_limit *limit;
+
/*
* Only the superuser can use the kexec syscall and if it has not
* been disabled.
*/
- return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ return false;
+
+ /* Check limit counter and decrease it.*/
+ limit = crash_image ? &load_limit_panic : &load_limit_reboot;
+ mutex_lock(&limit->mutex);
+ if (!limit->limit) {
+ mutex_unlock(&limit->mutex);
+ return false;
+ }
+ if (limit->limit != -1)
+ limit->limit--;
+ mutex_unlock(&limit->mutex);
+
+ return true;
}
/*
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 701147c118d4..61212a9252a6 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
struct kimage **dest_image, *image;
/* We only trust the superuser with rebooting the system. */
- if (!kexec_load_permited())
+ if (!kexec_load_permited(flags & KEXEC_FILE_FLAGS))
return -EPERM;
/* Make sure we have a legal set of flags */
--
2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
@ 2022-12-08 16:38 ` Ricardo Ribalda
0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-08 16:38 UTC (permalink / raw)
To: Philipp Rudo, Eric Biederman, Jonathan Corbet
Cc: linux-doc, Ricardo Ribalda, Steven Rostedt,
Joel Fernandes (Google),
kexec, Sergey Senozhatsky, Ross Zwisler, linux-kernel
Add two parameter to specify how many times a kexec kernel can be loaded.
The sysadmin can set different limits for kexec panic and kexec reboot
kernels.
The value can be modified at runtime via sysfs, but only with a value
smaller than the current one (except -1).
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Documentation/admin-guide/kernel-parameters.txt | 14 ++++
include/linux/kexec.h | 2 +-
kernel/kexec.c | 2 +-
kernel/kexec_core.c | 91 ++++++++++++++++++++++++-
kernel/kexec_file.c | 2 +-
5 files changed, 106 insertions(+), 5 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 42af9ca0127e..2b37d6a20747 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2374,6 +2374,20 @@
for Movable pages. "nn[KMGTPE]", "nn%", and "mirror"
are exclusive, so you cannot specify multiple forms.
+ kexec_core.load_limit_reboot=
+ kexec_core.load_limit_panic=
+ [KNL]
+ This parameter specifies a limit to the number of times
+ a kexec kernel can be loaded.
+ Format: <int>
+ -1 = Unlimited.
+ int = Number of times kexec can be called.
+
+ During runtime, this parameter can be modified with a
+ value smaller than the current one (but not -1).
+
+ Default: -1
+
kgdbdbgp= [KGDB,HW] kgdb over EHCI usb debug port.
Format: <Controller#>[,poll interval]
The controller # is the number of the ehci usb debug
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index e9e1ab5e8006..3d7d10f7187a 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
extern struct kimage *kexec_image;
extern struct kimage *kexec_crash_image;
-bool kexec_load_permited(void);
+bool kexec_load_permited(bool crash_image);
#ifndef kexec_flush_icache_page
#define kexec_flush_icache_page(page)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index d83fc9093aff..2b0856e83fe1 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
int result;
/* We only trust the superuser with rebooting the system. */
- if (!kexec_load_permited())
+ if (!kexec_load_permited(flags & KEXEC_ON_CRASH))
return -EPERM;
/* Permit LSMs and IMA to fail the kexec */
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index 18bd90ca9c99..7f9d5288b24b 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -952,13 +952,100 @@ static int __init kexec_core_sysctl_init(void)
late_initcall(kexec_core_sysctl_init);
#endif
-bool kexec_load_permited(void)
+struct kexec_load_limit {
+ /* Mutex protects the limit count. */
+ struct mutex mutex;
+ int limit;
+};
+
+struct kexec_load_limit load_limit_reboot = {
+ .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex),
+ .limit = -1,
+};
+
+struct kexec_load_limit load_limit_panic = {
+ .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex),
+ .limit = -1,
+};
+
+static int param_get_limit(char *buffer, const struct kernel_param *kp)
{
+ int ret;
+ struct kexec_load_limit *limit = kp->arg;
+
+ mutex_lock(&limit->mutex);
+ ret = scnprintf(buffer, PAGE_SIZE, "%i\n", limit->limit);
+ mutex_unlock(&limit->mutex);
+
+ return ret;
+}
+
+static int param_set_limit(const char *buffer, const struct kernel_param *kp)
+{
+ int ret;
+ struct kexec_load_limit *limit = kp->arg;
+ int new_val;
+
+ ret = kstrtoint(buffer, 0, &new_val);
+ if (ret)
+ return ret;
+
+ new_val = max(-1, new_val);
+
+ mutex_lock(&limit->mutex);
+
+ if (new_val == -1 && limit->limit != -1) {
+ ret = -EINVAL;
+ goto done;
+ }
+
+ if (limit->limit != -1 && new_val > limit->limit) {
+ ret = -EINVAL;
+ goto done;
+ }
+
+ limit->limit = new_val;
+
+done:
+ mutex_unlock(&limit->mutex);
+
+ return ret;
+}
+
+static const struct kernel_param_ops load_limit_ops = {
+ .get = param_get_limit,
+ .set = param_set_limit,
+};
+
+module_param_cb(load_limit_reboot, &load_limit_ops, &load_limit_reboot, 0644);
+MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec reboot kernel");
+
+module_param_cb(load_limit_panic, &load_limit_ops, &load_limit_panic, 0644);
+MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec panic kernel");
+
+bool kexec_load_permited(bool crash_image)
+{
+ struct kexec_load_limit *limit;
+
/*
* Only the superuser can use the kexec syscall and if it has not
* been disabled.
*/
- return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ return false;
+
+ /* Check limit counter and decrease it.*/
+ limit = crash_image ? &load_limit_panic : &load_limit_reboot;
+ mutex_lock(&limit->mutex);
+ if (!limit->limit) {
+ mutex_unlock(&limit->mutex);
+ return false;
+ }
+ if (limit->limit != -1)
+ limit->limit--;
+ mutex_unlock(&limit->mutex);
+
+ return true;
}
/*
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 701147c118d4..61212a9252a6 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
struct kimage **dest_image, *image;
/* We only trust the superuser with rebooting the system. */
- if (!kexec_load_permited())
+ if (!kexec_load_permited(flags & KEXEC_FILE_FLAGS))
return -EPERM;
/* Make sure we have a legal set of flags */
--
2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
2022-12-08 16:38 ` Ricardo Ribalda
@ 2022-12-15 19:16 ` Joel Fernandes
-1 siblings, 0 replies; 14+ messages in thread
From: Joel Fernandes @ 2022-12-15 19:16 UTC (permalink / raw)
To: Ricardo Ribalda
Cc: Philipp Rudo, Eric Biederman, Jonathan Corbet, linux-doc,
Steven Rostedt, kexec, Sergey Senozhatsky, Ross Zwisler,
linux-kernel
Hi Ricardo,
On Thu, Dec 08, 2022 at 05:38:02PM +0100, Ricardo Ribalda wrote:
> Add two parameter to specify how many times a kexec kernel can be loaded.
>
> The sysadmin can set different limits for kexec panic and kexec reboot
> kernels.
>
> The value can be modified at runtime via sysfs, but only with a value
> smaller than the current one (except -1).
>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 14 ++++
> include/linux/kexec.h | 2 +-
> kernel/kexec.c | 2 +-
> kernel/kexec_core.c | 91 ++++++++++++++++++++++++-
> kernel/kexec_file.c | 2 +-
> 5 files changed, 106 insertions(+), 5 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 42af9ca0127e..2b37d6a20747 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2374,6 +2374,20 @@
> for Movable pages. "nn[KMGTPE]", "nn%", and "mirror"
> are exclusive, so you cannot specify multiple forms.
>
> + kexec_core.load_limit_reboot=
> + kexec_core.load_limit_panic=
> + [KNL]
> + This parameter specifies a limit to the number of times
> + a kexec kernel can be loaded.
> + Format: <int>
> + -1 = Unlimited.
> + int = Number of times kexec can be called.
> +
> + During runtime, this parameter can be modified with a
> + value smaller than the current one (but not -1).
> +
> + Default: -1
> +
> kgdbdbgp= [KGDB,HW] kgdb over EHCI usb debug port.
> Format: <Controller#>[,poll interval]
> The controller # is the number of the ehci usb debug
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index e9e1ab5e8006..3d7d10f7187a 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
> extern struct kimage *kexec_image;
> extern struct kimage *kexec_crash_image;
>
> -bool kexec_load_permited(void);
> +bool kexec_load_permited(bool crash_image);
>
> #ifndef kexec_flush_icache_page
> #define kexec_flush_icache_page(page)
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index d83fc9093aff..2b0856e83fe1 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
> int result;
>
> /* We only trust the superuser with rebooting the system. */
> - if (!kexec_load_permited())
> + if (!kexec_load_permited(flags & KEXEC_ON_CRASH))
nit: permitted.
> return -EPERM;
>
> /* Permit LSMs and IMA to fail the kexec */
> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> index 18bd90ca9c99..7f9d5288b24b 100644
> --- a/kernel/kexec_core.c
> +++ b/kernel/kexec_core.c
> @@ -952,13 +952,100 @@ static int __init kexec_core_sysctl_init(void)
> late_initcall(kexec_core_sysctl_init);
> #endif
>
> -bool kexec_load_permited(void)
> +struct kexec_load_limit {
> + /* Mutex protects the limit count. */
> + struct mutex mutex;
> + int limit;
Can you not just use atomic ops for limit, and get rid of the mutex?
That will simplify the code as well.
> +};
> +
> +struct kexec_load_limit load_limit_reboot = {
> + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex),
> + .limit = -1,
> +};
> +
> +struct kexec_load_limit load_limit_panic = {
> + .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex),
> + .limit = -1,
> +};
> +
> +static int param_get_limit(char *buffer, const struct kernel_param *kp)
> {
> + int ret;
> + struct kexec_load_limit *limit = kp->arg;
> +
> + mutex_lock(&limit->mutex);
> + ret = scnprintf(buffer, PAGE_SIZE, "%i\n", limit->limit);
> + mutex_unlock(&limit->mutex);
> +
> + return ret;
> +}
> +
> +static int param_set_limit(const char *buffer, const struct kernel_param *kp)
> +{
> + int ret;
> + struct kexec_load_limit *limit = kp->arg;
> + int new_val;
> +
> + ret = kstrtoint(buffer, 0, &new_val);
> + if (ret)
> + return ret;
> +
> + new_val = max(-1, new_val);
> +
> + mutex_lock(&limit->mutex);
> +
> + if (new_val == -1 && limit->limit != -1) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> + if (limit->limit != -1 && new_val > limit->limit) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> + limit->limit = new_val;
> +
> +done:
> + mutex_unlock(&limit->mutex);
> +
> + return ret;
> +}
> +
> +static const struct kernel_param_ops load_limit_ops = {
> + .get = param_get_limit,
> + .set = param_set_limit,
> +};
> +
> +module_param_cb(load_limit_reboot, &load_limit_ops, &load_limit_reboot, 0644);
> +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec reboot kernel");
> +
> +module_param_cb(load_limit_panic, &load_limit_ops, &load_limit_panic, 0644);
> +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec panic kernel");
> +
> +bool kexec_load_permited(bool crash_image)
nit: permitted.
> +{
> + struct kexec_load_limit *limit;
> +
> /*
> * Only the superuser can use the kexec syscall and if it has not
> * been disabled.
> */
> - return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
> + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> + return false;
> +
> + /* Check limit counter and decrease it.*/
> + limit = crash_image ? &load_limit_panic : &load_limit_reboot;
> + mutex_lock(&limit->mutex);
> + if (!limit->limit) {
> + mutex_unlock(&limit->mutex);
> + return false;
> + }
> + if (limit->limit != -1)
> + limit->limit--;
> + mutex_unlock(&limit->mutex);
> +
> + return true;
IMO, patch 2/3 can be squashed with 3/3 but no strong preference.
thanks,
- Joel
> }
>
> /*
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 701147c118d4..61212a9252a6 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> struct kimage **dest_image, *image;
>
> /* We only trust the superuser with rebooting the system. */
> - if (!kexec_load_permited())
> + if (!kexec_load_permited(flags & KEXEC_FILE_FLAGS))
> return -EPERM;
>
> /* Make sure we have a legal set of flags */
>
> --
> 2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
@ 2022-12-15 19:16 ` Joel Fernandes
0 siblings, 0 replies; 14+ messages in thread
From: Joel Fernandes @ 2022-12-15 19:16 UTC (permalink / raw)
To: Ricardo Ribalda
Cc: Philipp Rudo, Eric Biederman, Jonathan Corbet, linux-doc,
Steven Rostedt, kexec, Sergey Senozhatsky, Ross Zwisler,
linux-kernel
Hi Ricardo,
On Thu, Dec 08, 2022 at 05:38:02PM +0100, Ricardo Ribalda wrote:
> Add two parameter to specify how many times a kexec kernel can be loaded.
>
> The sysadmin can set different limits for kexec panic and kexec reboot
> kernels.
>
> The value can be modified at runtime via sysfs, but only with a value
> smaller than the current one (except -1).
>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 14 ++++
> include/linux/kexec.h | 2 +-
> kernel/kexec.c | 2 +-
> kernel/kexec_core.c | 91 ++++++++++++++++++++++++-
> kernel/kexec_file.c | 2 +-
> 5 files changed, 106 insertions(+), 5 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 42af9ca0127e..2b37d6a20747 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2374,6 +2374,20 @@
> for Movable pages. "nn[KMGTPE]", "nn%", and "mirror"
> are exclusive, so you cannot specify multiple forms.
>
> + kexec_core.load_limit_reboot=
> + kexec_core.load_limit_panic=
> + [KNL]
> + This parameter specifies a limit to the number of times
> + a kexec kernel can be loaded.
> + Format: <int>
> + -1 = Unlimited.
> + int = Number of times kexec can be called.
> +
> + During runtime, this parameter can be modified with a
> + value smaller than the current one (but not -1).
> +
> + Default: -1
> +
> kgdbdbgp= [KGDB,HW] kgdb over EHCI usb debug port.
> Format: <Controller#>[,poll interval]
> The controller # is the number of the ehci usb debug
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index e9e1ab5e8006..3d7d10f7187a 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
> extern struct kimage *kexec_image;
> extern struct kimage *kexec_crash_image;
>
> -bool kexec_load_permited(void);
> +bool kexec_load_permited(bool crash_image);
>
> #ifndef kexec_flush_icache_page
> #define kexec_flush_icache_page(page)
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index d83fc9093aff..2b0856e83fe1 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
> int result;
>
> /* We only trust the superuser with rebooting the system. */
> - if (!kexec_load_permited())
> + if (!kexec_load_permited(flags & KEXEC_ON_CRASH))
nit: permitted.
> return -EPERM;
>
> /* Permit LSMs and IMA to fail the kexec */
> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> index 18bd90ca9c99..7f9d5288b24b 100644
> --- a/kernel/kexec_core.c
> +++ b/kernel/kexec_core.c
> @@ -952,13 +952,100 @@ static int __init kexec_core_sysctl_init(void)
> late_initcall(kexec_core_sysctl_init);
> #endif
>
> -bool kexec_load_permited(void)
> +struct kexec_load_limit {
> + /* Mutex protects the limit count. */
> + struct mutex mutex;
> + int limit;
Can you not just use atomic ops for limit, and get rid of the mutex?
That will simplify the code as well.
> +};
> +
> +struct kexec_load_limit load_limit_reboot = {
> + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex),
> + .limit = -1,
> +};
> +
> +struct kexec_load_limit load_limit_panic = {
> + .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex),
> + .limit = -1,
> +};
> +
> +static int param_get_limit(char *buffer, const struct kernel_param *kp)
> {
> + int ret;
> + struct kexec_load_limit *limit = kp->arg;
> +
> + mutex_lock(&limit->mutex);
> + ret = scnprintf(buffer, PAGE_SIZE, "%i\n", limit->limit);
> + mutex_unlock(&limit->mutex);
> +
> + return ret;
> +}
> +
> +static int param_set_limit(const char *buffer, const struct kernel_param *kp)
> +{
> + int ret;
> + struct kexec_load_limit *limit = kp->arg;
> + int new_val;
> +
> + ret = kstrtoint(buffer, 0, &new_val);
> + if (ret)
> + return ret;
> +
> + new_val = max(-1, new_val);
> +
> + mutex_lock(&limit->mutex);
> +
> + if (new_val == -1 && limit->limit != -1) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> + if (limit->limit != -1 && new_val > limit->limit) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> + limit->limit = new_val;
> +
> +done:
> + mutex_unlock(&limit->mutex);
> +
> + return ret;
> +}
> +
> +static const struct kernel_param_ops load_limit_ops = {
> + .get = param_get_limit,
> + .set = param_set_limit,
> +};
> +
> +module_param_cb(load_limit_reboot, &load_limit_ops, &load_limit_reboot, 0644);
> +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec reboot kernel");
> +
> +module_param_cb(load_limit_panic, &load_limit_ops, &load_limit_panic, 0644);
> +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec panic kernel");
> +
> +bool kexec_load_permited(bool crash_image)
nit: permitted.
> +{
> + struct kexec_load_limit *limit;
> +
> /*
> * Only the superuser can use the kexec syscall and if it has not
> * been disabled.
> */
> - return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
> + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> + return false;
> +
> + /* Check limit counter and decrease it.*/
> + limit = crash_image ? &load_limit_panic : &load_limit_reboot;
> + mutex_lock(&limit->mutex);
> + if (!limit->limit) {
> + mutex_unlock(&limit->mutex);
> + return false;
> + }
> + if (limit->limit != -1)
> + limit->limit--;
> + mutex_unlock(&limit->mutex);
> +
> + return true;
IMO, patch 2/3 can be squashed with 3/3 but no strong preference.
thanks,
- Joel
> }
>
> /*
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 701147c118d4..61212a9252a6 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> struct kimage **dest_image, *image;
>
> /* We only trust the superuser with rebooting the system. */
> - if (!kexec_load_permited())
> + if (!kexec_load_permited(flags & KEXEC_FILE_FLAGS))
> return -EPERM;
>
> /* Make sure we have a legal set of flags */
>
> --
> 2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
2022-12-08 16:38 ` Ricardo Ribalda
@ 2022-12-15 21:29 ` Guilherme G. Piccoli
-1 siblings, 0 replies; 14+ messages in thread
From: Guilherme G. Piccoli @ 2022-12-15 21:29 UTC (permalink / raw)
To: Ricardo Ribalda, Joel Fernandes (Google)
Cc: linux-doc, Steven Rostedt, kexec, Philipp Rudo, Jonathan Corbet,
Eric Biederman, Sergey Senozhatsky, Ross Zwisler, linux-kernel
On 08/12/2022 13:38, Ricardo Ribalda wrote:
> Add two parameter to specify how many times a kexec kernel can be loaded.
>
> The sysadmin can set different limits for kexec panic and kexec reboot
> kernels.
>
> The value can be modified at runtime via sysfs, but only with a value
> smaller than the current one (except -1).
>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> ---
Thanks for your patches Ricardo!
Small nit in the subject: s/paramters/parameters. Just observed that
after Joel's review anyway, so kudos to him heh
Cheers,
Guilherme
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
@ 2022-12-15 21:29 ` Guilherme G. Piccoli
0 siblings, 0 replies; 14+ messages in thread
From: Guilherme G. Piccoli @ 2022-12-15 21:29 UTC (permalink / raw)
To: Ricardo Ribalda, Joel Fernandes (Google)
Cc: linux-doc, Steven Rostedt, kexec, Philipp Rudo, Jonathan Corbet,
Eric Biederman, Sergey Senozhatsky, Ross Zwisler, linux-kernel
On 08/12/2022 13:38, Ricardo Ribalda wrote:
> Add two parameter to specify how many times a kexec kernel can be loaded.
>
> The sysadmin can set different limits for kexec panic and kexec reboot
> kernels.
>
> The value can be modified at runtime via sysfs, but only with a value
> smaller than the current one (except -1).
>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> ---
Thanks for your patches Ricardo!
Small nit in the subject: s/paramters/parameters. Just observed that
after Joel's review anyway, so kudos to him heh
Cheers,
Guilherme
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
2022-12-15 19:16 ` Joel Fernandes
@ 2022-12-20 22:05 ` Ricardo Ribalda
-1 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-20 22:05 UTC (permalink / raw)
To: Joel Fernandes
Cc: Philipp Rudo, Eric Biederman, Jonathan Corbet, linux-doc,
Steven Rostedt, kexec, Sergey Senozhatsky, Ross Zwisler,
linux-kernel
Hi Joel
Thanks for looking into this
On Thu, 15 Dec 2022 at 20:16, Joel Fernandes <joel@joelfernandes.org> wrote:
>
> Hi Ricardo,
>
> On Thu, Dec 08, 2022 at 05:38:02PM +0100, Ricardo Ribalda wrote:
> > Add two parameter to specify how many times a kexec kernel can be loaded.
> >
> > The sysadmin can set different limits for kexec panic and kexec reboot
> > kernels.
> >
> > The value can be modified at runtime via sysfs, but only with a value
> > smaller than the current one (except -1).
> >
> > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > ---
> > Documentation/admin-guide/kernel-parameters.txt | 14 ++++
> > include/linux/kexec.h | 2 +-
> > kernel/kexec.c | 2 +-
> > kernel/kexec_core.c | 91 ++++++++++++++++++++++++-
> > kernel/kexec_file.c | 2 +-
> > 5 files changed, 106 insertions(+), 5 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index 42af9ca0127e..2b37d6a20747 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -2374,6 +2374,20 @@
> > for Movable pages. "nn[KMGTPE]", "nn%", and "mirror"
> > are exclusive, so you cannot specify multiple forms.
> >
> > + kexec_core.load_limit_reboot=
> > + kexec_core.load_limit_panic=
> > + [KNL]
> > + This parameter specifies a limit to the number of times
> > + a kexec kernel can be loaded.
> > + Format: <int>
> > + -1 = Unlimited.
> > + int = Number of times kexec can be called.
> > +
> > + During runtime, this parameter can be modified with a
> > + value smaller than the current one (but not -1).
> > +
> > + Default: -1
> > +
> > kgdbdbgp= [KGDB,HW] kgdb over EHCI usb debug port.
> > Format: <Controller#>[,poll interval]
> > The controller # is the number of the ehci usb debug
> > diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> > index e9e1ab5e8006..3d7d10f7187a 100644
> > --- a/include/linux/kexec.h
> > +++ b/include/linux/kexec.h
> > @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
> > extern struct kimage *kexec_image;
> > extern struct kimage *kexec_crash_image;
> >
> > -bool kexec_load_permited(void);
> > +bool kexec_load_permited(bool crash_image);
> >
> > #ifndef kexec_flush_icache_page
> > #define kexec_flush_icache_page(page)
> > diff --git a/kernel/kexec.c b/kernel/kexec.c
> > index d83fc9093aff..2b0856e83fe1 100644
> > --- a/kernel/kexec.c
> > +++ b/kernel/kexec.c
> > @@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
> > int result;
> >
> > /* We only trust the superuser with rebooting the system. */
> > - if (!kexec_load_permited())
> > + if (!kexec_load_permited(flags & KEXEC_ON_CRASH))
>
> nit: permitted.
>
> > return -EPERM;
> >
> > /* Permit LSMs and IMA to fail the kexec */
> > diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> > index 18bd90ca9c99..7f9d5288b24b 100644
> > --- a/kernel/kexec_core.c
> > +++ b/kernel/kexec_core.c
> > @@ -952,13 +952,100 @@ static int __init kexec_core_sysctl_init(void)
> > late_initcall(kexec_core_sysctl_init);
> > #endif
> >
> > -bool kexec_load_permited(void)
> > +struct kexec_load_limit {
> > + /* Mutex protects the limit count. */
> > + struct mutex mutex;
> > + int limit;
>
> Can you not just use atomic ops for limit, and get rid of the mutex?
>
> That will simplify the code as well.
I could not find a way to use atomic_t. The operations are not just
counters, but maybe I am missing a better way to do it :)
The current operations:
- permitted():
if (param==-1) {
return -1;
}
if (param =0)
return -1;
param = param -1;
- paramter_set()
new_param = min(-1, new_param);
if (param == -1) {
param = new_param;
return
}
if (new_param == -1) {
return -EINVAL;
}
param = min(new_param, param);
>
> > +};
> > +
> > +struct kexec_load_limit load_limit_reboot = {
> > + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex),
> > + .limit = -1,
> > +};
> > +
> > +struct kexec_load_limit load_limit_panic = {
> > + .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex),
> > + .limit = -1,
> > +};
> > +
> > +static int param_get_limit(char *buffer, const struct kernel_param *kp)
> > {
> > + int ret;
> > + struct kexec_load_limit *limit = kp->arg;
> > +
> > + mutex_lock(&limit->mutex);
> > + ret = scnprintf(buffer, PAGE_SIZE, "%i\n", limit->limit);
> > + mutex_unlock(&limit->mutex);
> > +
> > + return ret;
> > +}
> > +
> > +static int param_set_limit(const char *buffer, const struct kernel_param *kp)
> > +{
> > + int ret;
> > + struct kexec_load_limit *limit = kp->arg;
> > + int new_val;
> > +
> > + ret = kstrtoint(buffer, 0, &new_val);
> > + if (ret)
> > + return ret;
> > +
> > + new_val = max(-1, new_val);
> > +
> > + mutex_lock(&limit->mutex);
> > +
> > + if (new_val == -1 && limit->limit != -1) {
> > + ret = -EINVAL;
> > + goto done;
> > + }
> > +
> > + if (limit->limit != -1 && new_val > limit->limit) {
> > + ret = -EINVAL;
> > + goto done;
> > + }
> > +
> > + limit->limit = new_val;
> > +
> > +done:
> > + mutex_unlock(&limit->mutex);
> > +
> > + return ret;
> > +}
> > +
> > +static const struct kernel_param_ops load_limit_ops = {
> > + .get = param_get_limit,
> > + .set = param_set_limit,
> > +};
> > +
> > +module_param_cb(load_limit_reboot, &load_limit_ops, &load_limit_reboot, 0644);
> > +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec reboot kernel");
> > +
> > +module_param_cb(load_limit_panic, &load_limit_ops, &load_limit_panic, 0644);
> > +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec panic kernel");
> > +
> > +bool kexec_load_permited(bool crash_image)
>
> nit: permitted.
>
> > +{
> > + struct kexec_load_limit *limit;
> > +
> > /*
> > * Only the superuser can use the kexec syscall and if it has not
> > * been disabled.
> > */
> > - return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
> > + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > + return false;
> > +
> > + /* Check limit counter and decrease it.*/
> > + limit = crash_image ? &load_limit_panic : &load_limit_reboot;
> > + mutex_lock(&limit->mutex);
> > + if (!limit->limit) {
> > + mutex_unlock(&limit->mutex);
> > + return false;
> > + }
> > + if (limit->limit != -1)
> > + limit->limit--;
> > + mutex_unlock(&limit->mutex);
> > +
> > + return true;
>
> IMO, patch 2/3 can be squashed with 3/3 but no strong preference.
>
> thanks,
>
> - Joel
>
>
>
> > }
> >
> > /*
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 701147c118d4..61212a9252a6 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > struct kimage **dest_image, *image;
> >
> > /* We only trust the superuser with rebooting the system. */
> > - if (!kexec_load_permited())
> > + if (!kexec_load_permited(flags & KEXEC_FILE_FLAGS))
> > return -EPERM;
> >
> > /* Make sure we have a legal set of flags */
> >
> > --
> > 2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
--
Ricardo Ribalda
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic
@ 2022-12-20 22:05 ` Ricardo Ribalda
0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Ribalda @ 2022-12-20 22:05 UTC (permalink / raw)
To: Joel Fernandes
Cc: Philipp Rudo, Eric Biederman, Jonathan Corbet, linux-doc,
Steven Rostedt, kexec, Sergey Senozhatsky, Ross Zwisler,
linux-kernel
Hi Joel
Thanks for looking into this
On Thu, 15 Dec 2022 at 20:16, Joel Fernandes <joel@joelfernandes.org> wrote:
>
> Hi Ricardo,
>
> On Thu, Dec 08, 2022 at 05:38:02PM +0100, Ricardo Ribalda wrote:
> > Add two parameter to specify how many times a kexec kernel can be loaded.
> >
> > The sysadmin can set different limits for kexec panic and kexec reboot
> > kernels.
> >
> > The value can be modified at runtime via sysfs, but only with a value
> > smaller than the current one (except -1).
> >
> > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > ---
> > Documentation/admin-guide/kernel-parameters.txt | 14 ++++
> > include/linux/kexec.h | 2 +-
> > kernel/kexec.c | 2 +-
> > kernel/kexec_core.c | 91 ++++++++++++++++++++++++-
> > kernel/kexec_file.c | 2 +-
> > 5 files changed, 106 insertions(+), 5 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index 42af9ca0127e..2b37d6a20747 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -2374,6 +2374,20 @@
> > for Movable pages. "nn[KMGTPE]", "nn%", and "mirror"
> > are exclusive, so you cannot specify multiple forms.
> >
> > + kexec_core.load_limit_reboot=
> > + kexec_core.load_limit_panic=
> > + [KNL]
> > + This parameter specifies a limit to the number of times
> > + a kexec kernel can be loaded.
> > + Format: <int>
> > + -1 = Unlimited.
> > + int = Number of times kexec can be called.
> > +
> > + During runtime, this parameter can be modified with a
> > + value smaller than the current one (but not -1).
> > +
> > + Default: -1
> > +
> > kgdbdbgp= [KGDB,HW] kgdb over EHCI usb debug port.
> > Format: <Controller#>[,poll interval]
> > The controller # is the number of the ehci usb debug
> > diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> > index e9e1ab5e8006..3d7d10f7187a 100644
> > --- a/include/linux/kexec.h
> > +++ b/include/linux/kexec.h
> > @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
> > extern struct kimage *kexec_image;
> > extern struct kimage *kexec_crash_image;
> >
> > -bool kexec_load_permited(void);
> > +bool kexec_load_permited(bool crash_image);
> >
> > #ifndef kexec_flush_icache_page
> > #define kexec_flush_icache_page(page)
> > diff --git a/kernel/kexec.c b/kernel/kexec.c
> > index d83fc9093aff..2b0856e83fe1 100644
> > --- a/kernel/kexec.c
> > +++ b/kernel/kexec.c
> > @@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
> > int result;
> >
> > /* We only trust the superuser with rebooting the system. */
> > - if (!kexec_load_permited())
> > + if (!kexec_load_permited(flags & KEXEC_ON_CRASH))
>
> nit: permitted.
>
> > return -EPERM;
> >
> > /* Permit LSMs and IMA to fail the kexec */
> > diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> > index 18bd90ca9c99..7f9d5288b24b 100644
> > --- a/kernel/kexec_core.c
> > +++ b/kernel/kexec_core.c
> > @@ -952,13 +952,100 @@ static int __init kexec_core_sysctl_init(void)
> > late_initcall(kexec_core_sysctl_init);
> > #endif
> >
> > -bool kexec_load_permited(void)
> > +struct kexec_load_limit {
> > + /* Mutex protects the limit count. */
> > + struct mutex mutex;
> > + int limit;
>
> Can you not just use atomic ops for limit, and get rid of the mutex?
>
> That will simplify the code as well.
I could not find a way to use atomic_t. The operations are not just
counters, but maybe I am missing a better way to do it :)
The current operations:
- permitted():
if (param==-1) {
return -1;
}
if (param =0)
return -1;
param = param -1;
- paramter_set()
new_param = min(-1, new_param);
if (param == -1) {
param = new_param;
return
}
if (new_param == -1) {
return -EINVAL;
}
param = min(new_param, param);
>
> > +};
> > +
> > +struct kexec_load_limit load_limit_reboot = {
> > + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex),
> > + .limit = -1,
> > +};
> > +
> > +struct kexec_load_limit load_limit_panic = {
> > + .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex),
> > + .limit = -1,
> > +};
> > +
> > +static int param_get_limit(char *buffer, const struct kernel_param *kp)
> > {
> > + int ret;
> > + struct kexec_load_limit *limit = kp->arg;
> > +
> > + mutex_lock(&limit->mutex);
> > + ret = scnprintf(buffer, PAGE_SIZE, "%i\n", limit->limit);
> > + mutex_unlock(&limit->mutex);
> > +
> > + return ret;
> > +}
> > +
> > +static int param_set_limit(const char *buffer, const struct kernel_param *kp)
> > +{
> > + int ret;
> > + struct kexec_load_limit *limit = kp->arg;
> > + int new_val;
> > +
> > + ret = kstrtoint(buffer, 0, &new_val);
> > + if (ret)
> > + return ret;
> > +
> > + new_val = max(-1, new_val);
> > +
> > + mutex_lock(&limit->mutex);
> > +
> > + if (new_val == -1 && limit->limit != -1) {
> > + ret = -EINVAL;
> > + goto done;
> > + }
> > +
> > + if (limit->limit != -1 && new_val > limit->limit) {
> > + ret = -EINVAL;
> > + goto done;
> > + }
> > +
> > + limit->limit = new_val;
> > +
> > +done:
> > + mutex_unlock(&limit->mutex);
> > +
> > + return ret;
> > +}
> > +
> > +static const struct kernel_param_ops load_limit_ops = {
> > + .get = param_get_limit,
> > + .set = param_set_limit,
> > +};
> > +
> > +module_param_cb(load_limit_reboot, &load_limit_ops, &load_limit_reboot, 0644);
> > +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec reboot kernel");
> > +
> > +module_param_cb(load_limit_panic, &load_limit_ops, &load_limit_panic, 0644);
> > +MODULE_PARM_DESC(load_limit_reboot, "Maximum attempts to load a kexec panic kernel");
> > +
> > +bool kexec_load_permited(bool crash_image)
>
> nit: permitted.
>
> > +{
> > + struct kexec_load_limit *limit;
> > +
> > /*
> > * Only the superuser can use the kexec syscall and if it has not
> > * been disabled.
> > */
> > - return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
> > + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > + return false;
> > +
> > + /* Check limit counter and decrease it.*/
> > + limit = crash_image ? &load_limit_panic : &load_limit_reboot;
> > + mutex_lock(&limit->mutex);
> > + if (!limit->limit) {
> > + mutex_unlock(&limit->mutex);
> > + return false;
> > + }
> > + if (limit->limit != -1)
> > + limit->limit--;
> > + mutex_unlock(&limit->mutex);
> > +
> > + return true;
>
> IMO, patch 2/3 can be squashed with 3/3 but no strong preference.
>
> thanks,
>
> - Joel
>
>
>
> > }
> >
> > /*
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 701147c118d4..61212a9252a6 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > struct kimage **dest_image, *image;
> >
> > /* We only trust the superuser with rebooting the system. */
> > - if (!kexec_load_permited())
> > + if (!kexec_load_permited(flags & KEXEC_FILE_FLAGS))
> > return -EPERM;
> >
> > /* Make sure we have a legal set of flags */
> >
> > --
> > 2.39.0.rc0.267.gcb52ba06e7-goog-b4-0.11.0-dev-696ae
--
Ricardo Ribalda
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2022-12-20 22:05 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-08 16:37 [PATCH v2 0/3] kexec: Add new parameter to limit the access to kexec Ricardo Ribalda
2022-12-08 16:37 ` Ricardo Ribalda
2022-12-08 16:38 ` [PATCH v2 1/3] Documentation: sysctl: Correct kexec_load_disabled Ricardo Ribalda
2022-12-08 16:38 ` Ricardo Ribalda
2022-12-08 16:38 ` [PATCH v2 2/3] kexec: Factor out kexec_load_permited Ricardo Ribalda
2022-12-08 16:38 ` Ricardo Ribalda
2022-12-08 16:38 ` [PATCH v2 3/3] kexec: Introduce paramters load_limit_reboot and load_limit_panic Ricardo Ribalda
2022-12-08 16:38 ` Ricardo Ribalda
2022-12-15 19:16 ` Joel Fernandes
2022-12-15 19:16 ` Joel Fernandes
2022-12-20 22:05 ` Ricardo Ribalda
2022-12-20 22:05 ` Ricardo Ribalda
2022-12-15 21:29 ` Guilherme G. Piccoli
2022-12-15 21:29 ` Guilherme G. Piccoli
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.