LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Randy Dunlap <rdunlap@infradead.org>
To: Matthew Garrett <mjg59@google.com>, jmorris@namei.org
Cc: LSM List <linux-security-module@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>
Subject: Re: [PULL REQUEST] Lock down patches
Date: Thu, 28 Feb 2019 15:24:39 -0800
Message-ID: <6826f3fa-487e-ca4e-0433-9160f38cd901@infradead.org> (raw)
In-Reply-To: <CACdnJuvW47m3JvEcuEX1bsr+L2Ht9LDn_iCuPbHLOoaohOFW4Q@mail.gmail.com>

On 2/28/19 1:28 PM, Matthew Garrett wrote:
> Hi James,
> 
> David is low on cycles at the moment, so I'm taking over for this time
> round. This patchset introduces an optional kernel lockdown feature,
> intended to strengthen the boundary between UID 0 and the kernel. When
> enabled and active (by enabling the config option and passing the
> "lockdown" option on the kernel command line), various pieces of
> kernel functionality are restricted. Applications that rely on
> low-level access to either hardware or the kernel may cease working as
> a result - therefore this should not be enabled without appropriate
> evaluation beforehand.

Documentation/process/submitting-patches.rst says (IMO) that these
patches should also have Signed-of-by: <you>.

"The Signed-off-by: tag indicates that the signer was involved in the
development of the patch, or that he/she was in the patch's delivery path."

Also, the sysrq key usage should be documented in
Documentation/admin-guide/sysrq.rst.

> The majority of mainstream distributions have been carrying variants
> of this patchset for many years now, so there's value in providing a
> unified upstream implementation to reduce the delta. This PR probably
> doesn't meet every distribution requirement, but gets us much closer
> to not requiring external patches.
> 
> This PR is mostly the same as the previous attempt, but with the
> following changes:
> 
> 1) The integration between EFI secure boot and the lockdown state has
> been removed
> 2) A new CONFIG_KERNEL_LOCK_DOWN_FORCE kconfig option has been added,
> which will always enable lockdown regardless of the kernel command
> line
> 3) The integration with IMA has been dropped for now. Requiring the
> use of the IMA secure boot policy when lockdown is enabled isn't
> practical for most distributions at the moment, as there's still not a
> great deal of infrastructure for shipping packages with appropriate
> IMA signatures, and it makes it complicated for end users to manage
> custom IMA policies.
> 
> The following changes since commit a3b22b9f11d9fbc48b0291ea92259a5a810e9438:
> 
>   Linux 5.0-rc7 (2019-02-17 18:46:40 -0800)
> 
> are available in the Git repository at:
> 
>   https://github.com/mjg59/linux lock_down
> 
> for you to fetch changes up to 43e004ecae91bf9159b8e91cd1d613e58b8f63f8:
> 
>   lockdown: Print current->comm in restriction messages (2019-02-28
> 11:19:23 -0800)
> 
> ----------------------------------------------------------------
> Dave Young (1):
>       Copy secure_boot flag in boot params across kexec reboot
> 
> David Howells (12):
>       Add the ability to lock down access to the running kernel image
>       Enforce module signatures if the kernel is locked down
>       Prohibit PCMCIA CIS storage when the kernel is locked down
>       Lock down TIOCSSERIAL
>       Lock down module params that specify hardware parameters (eg. ioport)
>       x86/mmiotrace: Lock down the testmmiotrace module
>       Lock down /proc/kcore
>       Lock down kprobes
>       bpf: Restrict kernel image access functions when the kernel is locked down
>       Lock down perf
>       debugfs: Restrict debugfs when the kernel is locked down
>       lockdown: Print current->comm in restriction messages
> 
> Jiri Bohac (2):
>       kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
>       kexec_file: Restrict at runtime if the kernel is locked down
> 
> Josh Boyer (2):
>       hibernate: Disable when the kernel is locked down
>       acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
> 
> Kyle McMartin (1):
>       Add a SysRq option to lift kernel lockdown
> 
> Linn Crosetto (2):
>       acpi: Disable ACPI table override if the kernel is locked down
>       acpi: Disable APEI error injection if the kernel is locked down
> 
> Matthew Garrett (7):
>       Restrict /dev/{mem,kmem,port} when the kernel is locked down
>       kexec_load: Disable at runtime if the kernel is locked down
>       uswsusp: Disable when the kernel is locked down
>       PCI: Lock down BAR access when the kernel is locked down
>       x86: Lock down IO port access when the kernel is locked down
>       x86/msr: Restrict MSR access when the kernel is locked down
>       ACPI: Limit access to custom_method when the kernel is locked down
> 
>  arch/x86/Kconfig                       |  20 ++++++++++++-----
>  arch/x86/include/asm/setup.h           |   2 ++
>  arch/x86/kernel/ioport.c               |   6 ++++--
>  arch/x86/kernel/kexec-bzimage64.c      |   1 +
>  arch/x86/kernel/msr.c                  |  10 +++++++++
>  arch/x86/mm/testmmiotrace.c            |   3 +++
>  crypto/asymmetric_keys/verify_pefile.c |   4 +++-
>  drivers/acpi/apei/einj.c               |   3 +++
>  drivers/acpi/custom_method.c           |   3 +++
>  drivers/acpi/osl.c                     |   2 +-
>  drivers/acpi/tables.c                  |   5 +++++
>  drivers/char/mem.c                     |   2 ++
>  drivers/input/misc/uinput.c            |   1 +
>  drivers/pci/pci-sysfs.c                |   9 ++++++++
>  drivers/pci/proc.c                     |   9 +++++++-
>  drivers/pci/syscall.c                  |   3 ++-
>  drivers/pcmcia/cistpl.c                |   3 +++
>  drivers/tty/serial/serial_core.c       |   6 ++++++
>  drivers/tty/sysrq.c                    |  19 +++++++++++------
>  fs/debugfs/file.c                      |  28 ++++++++++++++++++++++++
>  fs/debugfs/inode.c                     |  30 ++++++++++++++++++++++++--
>  fs/proc/kcore.c                        |   2 ++
>  include/linux/ima.h                    |   6 ++++++
>  include/linux/input.h                  |   5 +++++
>  include/linux/kernel.h                 |  17 +++++++++++++++
>  include/linux/kexec.h                  |   4 ++--
>  include/linux/security.h               |   9 +++++++-
>  include/linux/sysrq.h                  |   8 ++++++-
>  kernel/bpf/syscall.c                   |   3 +++
>  kernel/debug/kdb/kdb_main.c            |   2 +-
>  kernel/events/core.c                   |   5 +++++
>  kernel/kexec.c                         |   7 ++++++
>  kernel/kexec_file.c                    |  56
> ++++++++++++++++++++++++++++++++++++++++++------
>  kernel/kprobes.c                       |   3 +++
>  kernel/module.c                        |  56
> ++++++++++++++++++++++++++++++++++++------------
>  kernel/params.c                        |  26 ++++++++++++++++++-----
>  kernel/power/hibernate.c               |   2 +-
>  kernel/power/user.c                    |   3 +++
>  security/Kconfig                       |  24 +++++++++++++++++++++
>  security/Makefile                      |   3 +++
>  security/lock_down.c                   | 106
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  41 files changed, 466 insertions(+), 50 deletions(-)
>  create mode 100644 security/lock_down.c
> 


-- 
~Randy

  parent reply index

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-28 21:28 Matthew Garrett
2019-02-28 22:20 ` Mimi Zohar
2019-02-28 23:13   ` Matthew Garrett
2019-03-01  0:05     ` Mimi Zohar
2019-03-01  1:01       ` Matthew Garrett
2019-03-01  1:44         ` Mimi Zohar
2019-03-01  3:33           ` Matthew Garrett
2019-03-01  4:16             ` Mimi Zohar
2019-02-28 22:44 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 22:44   ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:10 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 23:10   ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:11 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 23:11   ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:11 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 23:11   ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:11   ` [PATCH 03/27] Enforce module signatures if the kernel is locked down Matthew Garrett
2019-02-28 23:11   ` [PATCH 04/27] Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-02-28 23:11   ` [PATCH 05/27] kexec_load: Disable at runtime if " Matthew Garrett
2019-02-28 23:11   ` [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-02-28 23:11   ` [PATCH 07/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-02-28 23:11   ` [PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-03-01  2:05     ` Mimi Zohar
2019-02-28 23:11   ` [PATCH 09/27] hibernate: Disable when " Matthew Garrett
2019-03-19 22:15     ` Pavel Machek
2019-02-28 23:11   ` [PATCH 10/27] uswsusp: " Matthew Garrett
2019-02-28 23:11   ` [PATCH 11/27] PCI: Lock down BAR access " Matthew Garrett
2019-02-28 23:11   ` [PATCH 12/27] x86: Lock down IO port " Matthew Garrett
2019-02-28 23:11   ` [PATCH 13/27] x86/msr: Restrict MSR " Matthew Garrett
2019-02-28 23:11   ` [PATCH 14/27] ACPI: Limit access to custom_method " Matthew Garrett
2019-02-28 23:11   ` [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-02-28 23:11   ` [PATCH 16/27] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-02-28 23:11   ` [PATCH 17/27] acpi: Disable APEI error injection " Matthew Garrett
2019-02-28 23:11   ` [PATCH 18/27] Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-02-28 23:11   ` [PATCH 19/27] Lock down TIOCSSERIAL Matthew Garrett
2019-02-28 23:11   ` [PATCH 20/27] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-02-28 23:11   ` [PATCH 21/27] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-02-28 23:11   ` [PATCH 22/27] Lock down /proc/kcore Matthew Garrett
2019-02-28 23:11   ` [PATCH 23/27] Lock down kprobes Matthew Garrett
2019-02-28 23:12   ` [PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down Matthew Garrett
2019-02-28 23:12   ` [PATCH 25/27] Lock down perf Matthew Garrett
2019-02-28 23:12   ` [PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down Matthew Garrett
2019-02-28 23:12   ` [PATCH 27/27] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-02-28 23:24 ` Randy Dunlap [this message]
2019-03-04 22:10 ` [PULL REQUEST] Lock down patches Matthew Garrett

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6826f3fa-487e-ca4e-0433-9160f38cd901@infradead.org \
    --to=rdunlap@infradead.org \
    --cc=dhowells@redhat.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git
	git clone --mirror https://lore.kernel.org/lkml/10 lkml/git/10.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git