From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>, Matthew Garrett <mjg59@google.com>, David Howells <dhowells@redhat.com>, Kees Cook <keescook@chromium.org>, Thomas Gleixner <tglx@linutronix.de>, x86@kernel.org Subject: [PATCH V40 13/29] x86/msr: Restrict MSR access when the kernel is locked down Date: Mon, 19 Aug 2019 17:17:49 -0700 Message-ID: <20190820001805.241928-14-matthewgarrett@google.com> (raw) In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com> From: Matthew Garrett <mjg59@srcf.ucam.org> Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> cc: x86@kernel.org Signed-off-by: James Morris <jmorris@namei.org> --- arch/x86/kernel/msr.c | 8 ++++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 3db2252b958d..1547be359d7f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -34,6 +34,7 @@ #include <linux/notifier.h> #include <linux/uaccess.h> #include <linux/gfp.h> +#include <linux/security.h> #include <asm/cpufeature.h> #include <asm/msr.h> @@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + err = security_locked_down(LOCKDOWN_MSR); + if (err) + return err; + if (count % 8) return -EINVAL; /* Invalid chunk size */ 
@@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + err = security_locked_down(LOCKDOWN_MSR); + if (err) + break; err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; diff --git a/include/linux/security.h b/include/linux/security.h index cd93fa5d3c6d..010637a79eac 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -109,6 +109,7 @@ enum lockdown_reason { LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, + LOCKDOWN_MSR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 8b7d65dbb086..b1c1c72440d5 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", + [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.23.0.rc1.153.gdeed80330f-goog
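Review bot: In the msr_write() hunk of arch/x86/kernel/msr.c, nothing says that calling security_locked_down(LOCKDOWN_MSR) on every write() is deliberate. The check sits ahead of the count % 8 validation and is evaluated per call, so it also covers a file descriptor that was opened before lockdown took effect. A one-line comment above the check would record that, so a later cleanup does not hoist it into a one-time check at open.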
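Review bot: In the msr_ioctl() hunk, the lockdown check comes after the block that sets err = -EFAULT and breaks, while msr_write() checks lockdown before it validates any argument. A locked-down caller therefore gets either -EFAULT or the lockdown error depending on what it passed in. Moving the security_locked_down(LOCKDOWN_MSR) call to the top of this case would make the denial unconditional and consistent with msr_write().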
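Review bot: In the lockdown_reasons[] hunk of security/lockdown/lockdown.c, the string "raw MSR access" is broader than what the visible hunks gate. The commit message talks about writing to MSRs, and the two msr.c hunks add the check only to msr_write() and to the wrmsr_safe_regs_on_cpu() path in msr_ioctl(). Something like "raw MSR write access" would keep the denial message from suggesting that reads are refused as well.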