Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/6] lockdown fixups
@ 2019-08-13 19:21 Matthew Garrett
  2019-08-13 19:21 ` [PATCH 1/6] tracefs: Fix potential null dereference in default_file_open() Matthew Garrett
                   ` (7 more replies)
  0 siblings, 8 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris; +Cc: linux-security-module

Fixups for the lockdown patchset. Potentially makes more sense to merge
these into the relevant original patches rather than keeping them
separate, but sending them for review.



^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 1/6] tracefs: Fix potential null dereference in default_file_open()
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
@ 2019-08-13 19:21 ` Matthew Garrett
  2019-08-13 19:21 ` [PATCH 2/6] early_security_init() needs a stub got !CONFIG_SECURITY Matthew Garrett
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris; +Cc: linux-security-module, Ben Hutchings

From: Ben Hutchings <ben@decadent.org.uk>

The "open" operation in struct file_operations is optional, and
ftrace_event_id_fops does not set it.  In default_file_open(), after
all other checks have passed, return 0 if the underlying struct
file_operations does not implement open.

Fixes: 757ff7244358 ("tracefs: Restrict tracefs when the kernel is …")
References: https://bugs.debian.org/934304
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/tracefs/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
index 34da48036e08..761af8ce4015 100644
--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -42,6 +42,8 @@ static int default_open_file(struct inode *inode, struct file *filp)
 		return ret;
 
 	real_fops = dentry->d_fsdata;
+	if (!real_fops->open)
+		return 0;
 	return real_fops->open(inode, filp);
 }
 
-- 
2.23.0.rc1.153.gdeed80330f-goog


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 2/6] early_security_init() needs a stub got !CONFIG_SECURITY
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
  2019-08-13 19:21 ` [PATCH 1/6] tracefs: Fix potential null dereference in default_file_open() Matthew Garrett
@ 2019-08-13 19:21 ` Matthew Garrett
  2019-08-13 19:21 ` [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG Matthew Garrett
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris; +Cc: linux-security-module, Stephen Rothwell

From: Stephen Rothwell <sfr@canb.auug.org.au>

An arm multi_v7_defconfig fails like this:

init/main.c: In function 'start_kernel':
init/main.c:596:2: error: implicit declaration of function 'early_security_init'; did you mean 'security_init'? [-Werror=implicit-function-declaration]
  early_security_init();
  ^~~~~~~~~~~~~~~~~~~
  security_init

Fixes: 45d29f9e9b8b ("security: Support early LSMs")
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
---
 include/linux/security.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 5748ccc2a42e..429f9f03372b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -473,6 +473,11 @@ static inline int security_init(void)
 	return 0;
 }
 
+static inline int early_security_init(void)
+{
+	return 0;
+}
+
 static inline int security_binder_set_context_mgr(struct task_struct *mgr)
 {
 	return 0;
-- 
2.23.0.rc1.153.gdeed80330f-goog


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
  2019-08-13 19:21 ` [PATCH 1/6] tracefs: Fix potential null dereference in default_file_open() Matthew Garrett
  2019-08-13 19:21 ` [PATCH 2/6] early_security_init() needs a stub got !CONFIG_SECURITY Matthew Garrett
@ 2019-08-13 19:21 ` Matthew Garrett
  2019-08-14  5:23   ` Dave Young
  2019-08-13 19:21 ` [PATCH 4/6] security: fix ptr_ret.cocci warnings Matthew Garrett
                   ` (4 subsequent siblings)
  7 siblings, 1 reply; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris
  Cc: linux-security-module, Matthew Garrett, Matthew Garrett,
	Jiri Bohac, Dave Young, kexec

Refactor the signature validation and lockdown integration a little in
order to avoid an unused variable.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: Jiri Bohac <jbohac@suse.cz>
Cc: Dave Young <dyoung@redhat.com>
Cc: kexec@lists.infradead.org
---
 kernel/kexec_file.c | 72 ++++++++++++++++++++++++++++-----------------
 1 file changed, 45 insertions(+), 27 deletions(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index be0c13076056..e878587715b9 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -177,36 +177,13 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 	image->image_loader_data = NULL;
 }
 
-/*
- * In file mode list of segments is prepared by kernel. Copy relevant
- * data from user space, do error checking, prepare segment list
- */
+#ifdef CONFIG_KEXEC_SIG
 static int
-kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
-			     const char __user *cmdline_ptr,
-			     unsigned long cmdline_len, unsigned flags)
+kimage_validate_signature(struct kimage *image)
 {
 	const char *reason;
 	int ret;
-	void *ldata;
-	loff_t size;
-
-	ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
-				       &size, INT_MAX, READING_KEXEC_IMAGE);
-	if (ret)
-		return ret;
-	image->kernel_buf_len = size;
-
-	/* IMA needs to pass the measurement list to the next kernel. */
-	ima_add_kexec_buffer(image);
 
-	/* Call arch image probe handlers */
-	ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
-					    image->kernel_buf_len);
-	if (ret)
-		goto out;
-
-#ifdef CONFIG_KEXEC_SIG
 	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
 					   image->kernel_buf_len);
 	switch (ret) {
@@ -228,7 +205,7 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 	decide:
 		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
 			pr_notice("%s rejected\n", reason);
-			goto out;
+			break;
 		}
 
 		ret = 0;
@@ -251,9 +228,44 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 		 */
 	default:
 		pr_notice("kernel signature verification failed (%d).\n", ret);
-		goto out;
+		break;
 	}
+
+	return ret;
+}
+#endif
+
+/*
+ * In file mode list of segments is prepared by kernel. Copy relevant
+ * data from user space, do error checking, prepare segment list
+ */
+static int
+kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
+			     const char __user *cmdline_ptr,
+			     unsigned long cmdline_len, unsigned flags)
+{
+	int ret;
+	void *ldata;
+	loff_t size;
+
+	ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
+				       &size, INT_MAX, READING_KEXEC_IMAGE);
+	if (ret)
+		return ret;
+	image->kernel_buf_len = size;
+
+	/* Call arch image probe handlers */
+	ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
+					    image->kernel_buf_len);
+	if (ret)
+		goto out;
+
+#ifdef CONFIG_KEXEC_SIG
+	ret = kimage_validate_signature(image);
+	if (ret)
+		goto out;
 #endif
+
 	/* It is possible that there no initramfs is being loaded */
 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
@@ -279,8 +291,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 			ret = -EINVAL;
 			goto out;
 		}
+
+		ima_kexec_cmdline(image->cmdline_buf,
+				  image->cmdline_buf_len - 1);
 	}
 
+	/* IMA needs to pass the measurement list to the next kernel. */
+	ima_add_kexec_buffer(image);
+
 	/* Call arch image load handlers */
 	ldata = arch_kexec_kernel_image_load(image);
 
-- 
2.23.0.rc1.153.gdeed80330f-goog


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 4/6] security: fix ptr_ret.cocci warnings
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
                   ` (2 preceding siblings ...)
  2019-08-13 19:21 ` [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG Matthew Garrett
@ 2019-08-13 19:21 ` Matthew Garrett
  2019-08-13 19:21 ` [PATCH 5/6] kexec: s/KEXEC_VERIFY_SIG/KEXEC_SIG/ for consistency Matthew Garrett
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris; +Cc: linux-security-module, kbuild test robot, Matthew Garrett

From: kbuild test robot <lkp@intel.com>

security/lockdown/lockdown.c:157:1-3: WARNING: PTR_ERR_OR_ZERO can be used

 Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR

Generated by: scripts/coccinelle/api/ptr_ret.cocci

Fixes: 80d14015a8e3 ("security: Add a static lockdown policy LSM")
Signed-off-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
---
 security/lockdown/lockdown.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index f6c74cf6a798..0068cec77c05 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -176,10 +176,7 @@ static int __init lockdown_secfs_init(void)
 
 	dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
 					&lockdown_ops);
-	if (IS_ERR(dentry))
-		return PTR_ERR(dentry);
-
-	return 0;
+	return PTR_ERR_OR_ZERO(dentry);
 }
 
 core_initcall(lockdown_secfs_init);
-- 
2.23.0.rc1.153.gdeed80330f-goog


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 5/6] kexec: s/KEXEC_VERIFY_SIG/KEXEC_SIG/ for consistency
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
                   ` (3 preceding siblings ...)
  2019-08-13 19:21 ` [PATCH 4/6] security: fix ptr_ret.cocci warnings Matthew Garrett
@ 2019-08-13 19:21 ` Matthew Garrett
  2019-08-13 19:21 ` [PATCH 6/6] Document locked_down LSM hook Matthew Garrett
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris; +Cc: linux-security-module, Matthew Garrett, Matthew Garrett

47b88836 ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and
KEXEC_SIG_FORCE") removed CONFIG_KEXEC_VERIFY_SIG, but it's still present
in other architectures and we end up with build breakage as a result.
Make this consistent across architectures.

Fixes: 47b88836 ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
Signed-off-by: Matthew Garrett <mjg59@google.com>
---
 arch/arm64/Kconfig                      | 6 +++---
 arch/s390/Kconfig                       | 2 +-
 arch/s390/configs/debug_defconfig       | 2 +-
 arch/s390/configs/defconfig             | 2 +-
 arch/s390/configs/performance_defconfig | 2 +-
 arch/s390/kernel/kexec_elf.c            | 4 ++--
 arch/s390/kernel/kexec_image.c          | 4 ++--
 arch/s390/kernel/machine_kexec_file.c   | 4 ++--
 arch/x86/kernel/ima_arch.c              | 4 ++--
 security/integrity/ima/Kconfig          | 2 +-
 security/integrity/ima/ima_main.c       | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 697ea0510729..f940500a941b 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -961,7 +961,7 @@ config KEXEC_FILE
 	  for kernel and initramfs as opposed to list of segments as
 	  accepted by previous system call.
 
-config KEXEC_VERIFY_SIG
+config KEXEC_SIG
 	bool "Verify kernel signature during kexec_file_load() syscall"
 	depends on KEXEC_FILE
 	help
@@ -976,13 +976,13 @@ config KEXEC_VERIFY_SIG
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
-	depends on KEXEC_VERIFY_SIG
+	depends on KEXEC_SIG
 	depends on EFI && SIGNED_PE_FILE_VERIFICATION
 	help
 	  Enable Image signature verification support.
 
 comment "Support for PE file signature verification disabled"
-	depends on KEXEC_VERIFY_SIG
+	depends on KEXEC_SIG
 	depends on !EFI || !SIGNED_PE_FILE_VERIFICATION
 
 config CRASH_DUMP
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 109243fdb6ec..c4a423f30d49 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -555,7 +555,7 @@ config ARCH_HAS_KEXEC_PURGATORY
 	def_bool y
 	depends on KEXEC_FILE
 
-config KEXEC_VERIFY_SIG
+config KEXEC_SIG
 	bool "Verify kernel signature during kexec_file_load() syscall"
 	depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION
 	help
diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig
index b0920b35f87b..525e0a6addb9 100644
--- a/arch/s390/configs/debug_defconfig
+++ b/arch/s390/configs/debug_defconfig
@@ -64,7 +64,7 @@ CONFIG_NUMA=y
 CONFIG_PREEMPT=y
 CONFIG_HZ_100=y
 CONFIG_KEXEC_FILE=y
-CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_SIG=y
 CONFIG_EXPOLINE=y
 CONFIG_EXPOLINE_AUTO=y
 CONFIG_MEMORY_HOTPLUG=y
diff --git a/arch/s390/configs/defconfig b/arch/s390/configs/defconfig
index c59b922cb6c5..4c37279acdb4 100644
--- a/arch/s390/configs/defconfig
+++ b/arch/s390/configs/defconfig
@@ -39,7 +39,7 @@ CONFIG_NR_CPUS=256
 CONFIG_NUMA=y
 CONFIG_HZ_100=y
 CONFIG_KEXEC_FILE=y
-CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_HIBERNATION=y
 CONFIG_PM_DEBUG=y
diff --git a/arch/s390/configs/performance_defconfig b/arch/s390/configs/performance_defconfig
index 09aa5cb14873..158ad0f0d433 100644
--- a/arch/s390/configs/performance_defconfig
+++ b/arch/s390/configs/performance_defconfig
@@ -65,7 +65,7 @@ CONFIG_NR_CPUS=512
 CONFIG_NUMA=y
 CONFIG_HZ_100=y
 CONFIG_KEXEC_FILE=y
-CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_SIG=y
 CONFIG_EXPOLINE=y
 CONFIG_EXPOLINE_AUTO=y
 CONFIG_MEMORY_HOTPLUG=y
diff --git a/arch/s390/kernel/kexec_elf.c b/arch/s390/kernel/kexec_elf.c
index 6d0635ceddd0..9b4f37a4edf1 100644
--- a/arch/s390/kernel/kexec_elf.c
+++ b/arch/s390/kernel/kexec_elf.c
@@ -130,7 +130,7 @@ static int s390_elf_probe(const char *buf, unsigned long len)
 const struct kexec_file_ops s390_kexec_elf_ops = {
 	.probe = s390_elf_probe,
 	.load = s390_elf_load,
-#ifdef CONFIG_KEXEC_VERIFY_SIG
+#ifdef CONFIG_KEXEC__SIG
 	.verify_sig = s390_verify_sig,
-#endif /* CONFIG_KEXEC_VERIFY_SIG */
+#endif /* CONFIG_KEXEC_SIG */
 };
diff --git a/arch/s390/kernel/kexec_image.c b/arch/s390/kernel/kexec_image.c
index 58318bf89fd9..af23eff5774d 100644
--- a/arch/s390/kernel/kexec_image.c
+++ b/arch/s390/kernel/kexec_image.c
@@ -59,7 +59,7 @@ static int s390_image_probe(const char *buf, unsigned long len)
 const struct kexec_file_ops s390_kexec_image_ops = {
 	.probe = s390_image_probe,
 	.load = s390_image_load,
-#ifdef CONFIG_KEXEC_VERIFY_SIG
+#ifdef CONFIG_KEXEC_SIG
 	.verify_sig = s390_verify_sig,
-#endif /* CONFIG_KEXEC_VERIFY_SIG */
+#endif /* CONFIG_KEXEC_SIG */
 };
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index fbdd3ea73667..c0f33ba49a9a 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -22,7 +22,7 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
 	NULL,
 };
 
-#ifdef CONFIG_KEXEC_VERIFY_SIG
+#ifdef CONFIG_KEXEC_SIG
 /*
  * Module signature information block.
  *
@@ -90,7 +90,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
 }
-#endif /* CONFIG_KEXEC_VERIFY_SIG */
+#endif /* CONFIG_KEXEC_SIG */
 
 static int kexec_file_update_purgatory(struct kimage *image,
 				       struct s390_load_data *data)
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 64b973f0e985..b98890894731 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -66,9 +66,9 @@ bool arch_ima_get_secureboot(void)
 
 /* secureboot arch rules */
 static const char * const sb_arch_rules[] = {
-#if !IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG)
+#if !IS_ENABLED(CONFIG_KEXEC_SIG)
 	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
-#endif /* CONFIG_KEXEC_VERIFY_SIG */
+#endif /* CONFIG_KEXEC_SIG */
 	"measure func=KEXEC_KERNEL_CHECK",
 #if !IS_ENABLED(CONFIG_MODULE_SIG)
 	"appraise func=MODULE_CHECK appraise_type=imasig",
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 2692c7358c2c..32cd25fa44a5 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -160,7 +160,7 @@ config IMA_APPRAISE
 
 config IMA_ARCH_POLICY
         bool "Enable loading an IMA architecture specific policy"
-        depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
+        depends on KEXEC_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
         default n
         help
           This option enables loading an IMA architecture specific policy
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f302cbc387f8..1747bc7bcb60 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -541,7 +541,7 @@ int ima_load_data(enum kernel_load_data_id id)
 
 	switch (id) {
 	case LOADING_KEXEC_IMAGE:
-		if (IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG)
+		if (IS_ENABLED(CONFIG_KEXEC_SIG)
 		    && arch_ima_get_secureboot()) {
 			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
 			return -EACCES;
-- 
2.23.0.rc1.153.gdeed80330f-goog


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 6/6] Document locked_down LSM hook
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
                   ` (4 preceding siblings ...)
  2019-08-13 19:21 ` [PATCH 5/6] kexec: s/KEXEC_VERIFY_SIG/KEXEC_SIG/ for consistency Matthew Garrett
@ 2019-08-13 19:21 ` Matthew Garrett
  2019-08-13 22:59 ` [PATCH 0/6] lockdown fixups James Morris
  2019-08-14  5:06 ` James Morris
  7 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-13 19:21 UTC (permalink / raw)
  To: jmorris
  Cc: linux-security-module, Matthew Garrett, kbuild test robot,
	Matthew Garrett

The kbuild test robot pointed out that this wasn't documented.

Reported-by: kbuild test robot <lkp@intel.com>
Fixes: c360be6c ("security: Add a "locked down" LSM hook")
Signed-off-by: Matthew Garrett <mjg59@google.com>
---
 include/linux/lsm_hooks.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 5ec2912c8661..2f4ba9062fb8 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1446,6 +1446,11 @@
  * @bpf_prog_free_security:
  *	Clean up the security information stored inside bpf prog.
  *
+ * @locked_down
+ *     Determine whether a kernel feature that potentially enables arbitrary
+ *     code execution in kernel space should be permitted.
+ *
+ *     @what: kernel feature being accessed
  */
 union security_list_options {
 	int (*binder_set_context_mgr)(struct task_struct *mgr);
-- 
2.23.0.rc1.153.gdeed80330f-goog


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 0/6] lockdown fixups
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
                   ` (5 preceding siblings ...)
  2019-08-13 19:21 ` [PATCH 6/6] Document locked_down LSM hook Matthew Garrett
@ 2019-08-13 22:59 ` James Morris
  2019-08-14  5:06 ` James Morris
  7 siblings, 0 replies; 14+ messages in thread
From: James Morris @ 2019-08-13 22:59 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: linux-security-module

On Tue, 13 Aug 2019, Matthew Garrett wrote:

> Fixups for the lockdown patchset. Potentially makes more sense to merge
> these into the relevant original patches rather than keeping them
> separate, but sending them for review.

Yep, it's difficult to guess which Linus would prefer, as this is 
also public development history now.

-- 
James Morris
<jmorris@namei.org>


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 0/6] lockdown fixups
  2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
                   ` (6 preceding siblings ...)
  2019-08-13 22:59 ` [PATCH 0/6] lockdown fixups James Morris
@ 2019-08-14  5:06 ` James Morris
  2019-08-14 17:20   ` Matthew Garrett
  7 siblings, 1 reply; 14+ messages in thread
From: James Morris @ 2019-08-14  5:06 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: linux-security-module

[-- Attachment #1: Type: text/plain, Size: 851 bytes --]

On Tue, 13 Aug 2019, Matthew Garrett wrote:

> Fixups for the lockdown patchset. Potentially makes more sense to merge
> these into the relevant original patches rather than keeping them
> separate, but sending them for review.

Which kernel version are these against?

kernel/kexec_file.c: In function ‘kimage_validate_signature’:
kernel/kexec_file.c:220:4: error: label ‘out’ used but not defined
  220 |    goto out;
      |    ^~~~
kernel/kexec_file.c: In function ‘kimage_file_prepare_segments’:
kernel/kexec_file.c:295:3: error: implicit declaration of function 
‘ima_kexec_cmdline’ [-Werror=implicit-function-declaration]
  295 |   ima_kexec_cmdline(image->cmdline_buf,
      |   ^~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors


My next-lockdown branch is based on v5.2. 





-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG
  2019-08-13 19:21 ` [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG Matthew Garrett
@ 2019-08-14  5:23   ` Dave Young
  2019-08-14 17:18     ` Matthew Garrett
  0 siblings, 1 reply; 14+ messages in thread
From: Dave Young @ 2019-08-14  5:23 UTC (permalink / raw)
  To: Matthew Garrett
  Cc: jmorris, linux-security-module, Matthew Garrett, Jiri Bohac, kexec

On 08/13/19 at 12:21pm, Matthew Garrett wrote:
> Refactor the signature validation and lockdown integration a little in
> order to avoid an unused variable.
> 
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> Cc: Jiri Bohac <jbohac@suse.cz>
> Cc: Dave Young <dyoung@redhat.com>
> Cc: kexec@lists.infradead.org
> ---
>  kernel/kexec_file.c | 72 ++++++++++++++++++++++++++++-----------------
>  1 file changed, 45 insertions(+), 27 deletions(-)
> 
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index be0c13076056..e878587715b9 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -177,36 +177,13 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  	image->image_loader_data = NULL;
>  }
>  
> -/*
> - * In file mode list of segments is prepared by kernel. Copy relevant
> - * data from user space, do error checking, prepare segment list
> - */
> +#ifdef CONFIG_KEXEC_SIG
>  static int
> -kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> -			     const char __user *cmdline_ptr,
> -			     unsigned long cmdline_len, unsigned flags)
> +kimage_validate_signature(struct kimage *image)
>  {
>  	const char *reason;
>  	int ret;
> -	void *ldata;
> -	loff_t size;
> -
> -	ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
> -				       &size, INT_MAX, READING_KEXEC_IMAGE);
> -	if (ret)
> -		return ret;
> -	image->kernel_buf_len = size;
> -
> -	/* IMA needs to pass the measurement list to the next kernel. */
> -	ima_add_kexec_buffer(image);
>  
> -	/* Call arch image probe handlers */
> -	ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> -					    image->kernel_buf_len);
> -	if (ret)
> -		goto out;
> -
> -#ifdef CONFIG_KEXEC_SIG
>  	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
>  					   image->kernel_buf_len);
>  	switch (ret) {
> @@ -228,7 +205,7 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
>  	decide:
>  		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
>  			pr_notice("%s rejected\n", reason);
> -			goto out;
> +			break;
>  		}
>  
>  		ret = 0;
> @@ -251,9 +228,44 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
>  		 */
>  	default:
>  		pr_notice("kernel signature verification failed (%d).\n", ret);
> -		goto out;
> +		break;
>  	}
> +
> +	return ret;
> +}
> +#endif
> +
> +/*
> + * In file mode list of segments is prepared by kernel. Copy relevant
> + * data from user space, do error checking, prepare segment list
> + */
> +static int
> +kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> +			     const char __user *cmdline_ptr,
> +			     unsigned long cmdline_len, unsigned flags)
> +{
> +	int ret;
> +	void *ldata;
> +	loff_t size;
> +
> +	ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
> +				       &size, INT_MAX, READING_KEXEC_IMAGE);
> +	if (ret)
> +		return ret;
> +	image->kernel_buf_len = size;
> +
> +	/* Call arch image probe handlers */
> +	ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> +					    image->kernel_buf_len);
> +	if (ret)
> +		goto out;
> +
> +#ifdef CONFIG_KEXEC_SIG
> +	ret = kimage_validate_signature(image);
> +	if (ret)
> +		goto out;
>  #endif
> +
>  	/* It is possible that there no initramfs is being loaded */
>  	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
>  		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
> @@ -279,8 +291,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
>  			ret = -EINVAL;
>  			goto out;
>  		}
> +
> +		ima_kexec_cmdline(image->cmdline_buf,
> +				  image->cmdline_buf_len - 1);
>  	}
>  
> +	/* IMA needs to pass the measurement list to the next kernel. */
> +	ima_add_kexec_buffer(image);
> +
>  	/* Call arch image load handlers */
>  	ldata = arch_kexec_kernel_image_load(image);
>  

I can not get the whole thread, also not sure which tree it should
apply.

I assume it is based on your series for lockdown.  But it is really hard
to review because of no context in this patch.

Also I think it should be good to split the preparation piece of kexec
and send them separately.  Since it is improve the signature
verification logic, they do not necessarily depend on the lockdown
series.

Thanks
Dave

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG
  2019-08-14  5:23   ` Dave Young
@ 2019-08-14 17:18     ` Matthew Garrett
  0 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-14 17:18 UTC (permalink / raw)
  To: Dave Young; +Cc: James Morris, LSM List, Jiri Bohac, kexec devel list

On Tue, Aug 13, 2019 at 10:24 PM Dave Young <dyoung@redhat.com> wrote:

> I can not get the whole thread, also not sure which tree it should
> apply.

This should be against -next.

> Also I think it should be good to split the preparation piece of kexec
> and send them separately.  Since it is improve the signature
> verification logic, they do not necessarily depend on the lockdown
> series.

Sorry, which preparation piece? There shouldn't be any logic change in
this patch.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 0/6] lockdown fixups
  2019-08-14  5:06 ` James Morris
@ 2019-08-14 17:20   ` Matthew Garrett
  2019-08-14 18:24     ` James Morris
  0 siblings, 1 reply; 14+ messages in thread
From: Matthew Garrett @ 2019-08-14 17:20 UTC (permalink / raw)
  To: James Morris; +Cc: LSM List

On Tue, Aug 13, 2019 at 10:06 PM James Morris <jmorris@namei.org> wrote:
> Which kernel version are these against?

Crap. Sorry, these ended up derived from HEAD. Let me fix that up and
resend. Sorry about that!

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 0/6] lockdown fixups
  2019-08-14 17:20   ` Matthew Garrett
@ 2019-08-14 18:24     ` James Morris
  2019-08-14 18:26       ` Matthew Garrett
  0 siblings, 1 reply; 14+ messages in thread
From: James Morris @ 2019-08-14 18:24 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: LSM List

On Wed, 14 Aug 2019, Matthew Garrett wrote:

> On Tue, Aug 13, 2019 at 10:06 PM James Morris <jmorris@namei.org> wrote:
> > Which kernel version are these against?
> 
> Crap. Sorry, these ended up derived from HEAD. Let me fix that up and
> resend. Sorry about that!

Do you have an upstream dependency on Mimi's code in -rc?

If so, just tell me which commit it is and I'll find the next good merge 
point.


-- 
James Morris
<jmorris@namei.org>


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 0/6] lockdown fixups
  2019-08-14 18:24     ` James Morris
@ 2019-08-14 18:26       ` Matthew Garrett
  0 siblings, 0 replies; 14+ messages in thread
From: Matthew Garrett @ 2019-08-14 18:26 UTC (permalink / raw)
  To: James Morris; +Cc: LSM List

On Wed, Aug 14, 2019 at 11:24 AM James Morris <jmorris@namei.org> wrote:
>
> On Wed, 14 Aug 2019, Matthew Garrett wrote:
>
> > On Tue, Aug 13, 2019 at 10:06 PM James Morris <jmorris@namei.org> wrote:
> > > Which kernel version are these against?
> >
> > Crap. Sorry, these ended up derived from HEAD. Let me fix that up and
> > resend. Sorry about that!
>
> Do you have an upstream dependency on Mimi's code in -rc?

No, there's no dependency, I just ended up with an additional hunk
when rebasing.

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, back to index

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-13 19:21 [PATCH 0/6] lockdown fixups Matthew Garrett
2019-08-13 19:21 ` [PATCH 1/6] tracefs: Fix potential null dereference in default_file_open() Matthew Garrett
2019-08-13 19:21 ` [PATCH 2/6] early_security_init() needs a stub got !CONFIG_SECURITY Matthew Garrett
2019-08-13 19:21 ` [PATCH 3/6] Avoid build warning when !CONFIG_KEXEC_SIG Matthew Garrett
2019-08-14  5:23   ` Dave Young
2019-08-14 17:18     ` Matthew Garrett
2019-08-13 19:21 ` [PATCH 4/6] security: fix ptr_ret.cocci warnings Matthew Garrett
2019-08-13 19:21 ` [PATCH 5/6] kexec: s/KEXEC_VERIFY_SIG/KEXEC_SIG/ for consistency Matthew Garrett
2019-08-13 19:21 ` [PATCH 6/6] Document locked_down LSM hook Matthew Garrett
2019-08-13 22:59 ` [PATCH 0/6] lockdown fixups James Morris
2019-08-14  5:06 ` James Morris
2019-08-14 17:20   ` Matthew Garrett
2019-08-14 18:24     ` James Morris
2019-08-14 18:26       ` Matthew Garrett

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox