From patchwork Tue Mar 26 18:27:17 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055053 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 205AFC43381 for ; Tue, 26 Mar 2019 18:28:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D511B206DF for ; Tue, 26 Mar 2019 18:28:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="qpR+NIwT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732574AbfCZS2C (ORCPT ); Tue, 26 Mar 2019 14:28:02 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:55830 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732553AbfCZS17 (ORCPT ); Tue, 26 Mar 2019 14:27:59 -0400 Received: by mail-pg1-f201.google.com with SMTP id 14so12274140pgf.22 for ; Tue, 26 Mar 2019 11:27:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=z0heVlIJ2WOboYO239ZlPpbeGlyknUedDglqO7JseJY=; b=qpR+NIwT8Gcrwrm/TqQT6GJ/IkgWV3CJP/nJ3JtlKRmAcIwsd49/d524LAr+EliXmw Luz0y9TJViOMtQg6hk/JewnaKHYwm0Um1y6t4QYmJgTQjmFNcj/MayT0yAMLzzSPEVnd leBXn3j8MSROSTbRoVVKkY+e8M8tKRE2UgyB9c9SK9tnlSHRIyVuZ0BDshxhky5c0sey a8nKkl3pGDLkuSHk96aB0XTYzcCzsNu3WaAutlPYwyeFbArJZ0ii9UjeGJeHHHw50GKC /80XEsiVFScnL2Zow0kofc5Az05USCfMPJyE3g2uy7GM7ZoftDYTxYDC7aA7Ma9B/5S3 IHaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=z0heVlIJ2WOboYO239ZlPpbeGlyknUedDglqO7JseJY=; b=kfjEUBuAI5RRxAbdaFFGnsBH/zwLizergPOk9ZW58nF6U/4K9XwNSdZfm3eeX15LMK eHEBf6mLD/q3nksgovg7TOSkCUFamCP7HbhmNuZ3pnQA23dNZh/+pBKYx602iFH86HC1 V+wzWF2XzhCHFdBN4QGyHIFppNyZuxzEoOWitsL2gxD+zULTwGCaOQl1bj//RCYCb7JH d3iW6bjdGu8NIaU3uX4SDRyQH3IV9+z/9s44qxDB1C0KayhrcqTdnaQ0GAXv1YBjKzMk daFLEc2cIIYx5zzjOSBpYQ0qLNX4gRIHpmetK51YFqyzHcraUcMiSXG0ZdBHdrSsUVd1 dPlw== X-Gm-Message-State: APjAAAU1sSALJ4yN5alaPhVIJjmLzk0c687C5YGwbS9jf+WAmvgWok7P NMp84W2mDJNirPVhNiaxkvoAITZX8CFtVsb/+35tgw== X-Google-Smtp-Source: APXvYqzBqWJTBIDaoorokWZU9klUcr5ee1hPeO3KvlYm/BIcoNSti6Bf78ubqcUFXKUiDU9mLchOup4y/vlIFW4OQrSdAA== X-Received: by 2002:a63:6c01:: with SMTP id h1mr30191165pgc.330.1553624878066; Tue, 26 Mar 2019 11:27:58 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:17 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-2-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 01/25] Add the ability to lock down access to the running kernel image From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Provide a single call to allow kernel code to determine whether the system should be locked down, thereby disallowing various accesses that might allow the running kernel image to be changed including the loading of modules that aren't validly signed with a key we recognise, fiddling with MSR registers and disallowing hibernation. Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- Documentation/ABI/testing/lockdown | 19 +++ .../admin-guide/kernel-parameters.txt | 9 ++ include/linux/kernel.h | 28 ++++ include/linux/security.h | 9 +- init/main.c | 1 + security/Kconfig | 39 +++++ security/Makefile | 3 + security/lock_down.c | 147 ++++++++++++++++++ 8 files changed, 254 insertions(+), 1 deletion(-) create mode 100644 Documentation/ABI/testing/lockdown create mode 100644 security/lock_down.c diff --git a/Documentation/ABI/testing/lockdown b/Documentation/ABI/testing/lockdown new file mode 100644 index 000000000000..5bd51e20917a --- /dev/null +++ b/Documentation/ABI/testing/lockdown @@ -0,0 +1,19 @@ +What: security/lockdown +Date: March 2019 +Contact: Matthew Garrett +Description: + If CONFIG_LOCK_DOWN_KERNEL is enabled, the kernel can be + moved to a more locked down state at runtime by writing to + this attribute. Valid values are: + + integrity: + The kernel will disable functionality that allows + userland to modify the running kernel image, other + than through the loading or execution of appropriately + signed objects. + + confidentiality: + The kernel will disable all functionality disabled by + the integrity mode, but additionally will disable + features that potentially permit userland to obtain + confidential information stored within the kernel. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 91c0251fdb86..594d268d92ba 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2213,6 +2213,15 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. Format: + lockdown= [SECURITY] + { integrity | confidentiality } + Enable the kernel lockdown feature. If set to + integrity, kernel features that allow userland to + modify the running kernel are disabled. If set to + confidentiality, kernel features that allow userland + to extract confidential information from the kernel + are also disabled. + locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 8f0e68e250a7..30cf695719d5 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -340,6 +340,34 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) { } #endif +enum lockdown_level { + LOCKDOWN_NONE, + LOCKDOWN_INTEGRITY, + LOCKDOWN_CONFIDENTIALITY, + LOCKDOWN_MAX, +}; + +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern bool __kernel_is_locked_down(const char *what, + enum lockdown_level level, + bool first); +#else +static inline bool __kernel_is_locked_down(const char *what, + enum lockdown_level level, + bool first) +{ + return false; +} +#endif + +#define kernel_is_locked_down(what, level) \ + ({ \ + static bool message_given; \ + bool locked_down = __kernel_is_locked_down(what, level, !message_given); \ + message_given = true; \ + locked_down; \ + }) + /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h index 13537a49ae97..b290946341a4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1798,5 +1798,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_BPF_SYSCALL */ -#endif /* ! __LINUX_SECURITY_H */ +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern void __init init_lockdown(void); +#else +static inline void __init init_lockdown(void) +{ +} +#endif +#endif /* ! __LINUX_SECURITY_H */ diff --git a/init/main.c b/init/main.c index e2e80ca3165a..4c6cca9681c7 100644 --- a/init/main.c +++ b/init/main.c @@ -555,6 +555,7 @@ asmlinkage __visible void __init start_kernel(void) boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); + init_lockdown(); setup_arch(&command_line); /* * Set up the the initial canary and entropy after arch diff --git a/security/Kconfig b/security/Kconfig index 1d6463fb1450..593ff231eac6 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -229,6 +229,45 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help + Allow the kernel to be locked down. If lockdown support is enabled + and activated, the kernel will impose additional restrictions + intended to prevent uid 0 from being able to modify the running + kernel. This may break userland applications that rely on low-level + access to hardware. + +choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE + depends on LOCK_DOWN_KERNEL + help + The kernel can be configured to default to differing levels of + lockdown. + +config LOCK_DOWN_KERNEL_FORCE_NONE + bool "None" + help + No lockdown functionality is enabled by default. Lockdown may be + enabled via the kernel commandline or /sys/kernel/security/lockdown. + +config LOCK_DOWN_KERNEL_FORCE_INTEGRITY + bool "Integrity" + help + The kernel runs in integrity mode by default. Features that allow + the kernel to be modified at runtime are disabled. + +config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY + bool "Confidentiality" + help + The kernel runs in confidentiality mode by default. Features that + allow the kernel to be modified at runtime or that permit userland + code to read confidential material held inside the kernel are + disabled. + +endchoice + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" diff --git a/security/Makefile b/security/Makefile index c598b904938f..5ff090149c88 100644 --- a/security/Makefile +++ b/security/Makefile @@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Allow the kernel to be locked down +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 index 000000000000..0f9ef4c30aa8 --- /dev/null +++ b/security/lock_down.c @@ -0,0 +1,147 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include + +static enum lockdown_level kernel_locked_down; + +char *lockdown_levels[LOCKDOWN_MAX] = {"none", "integrity", "confidentiality"}; + +/* + * Put the kernel into lock-down mode. + */ +static int lock_kernel_down(const char *where, enum lockdown_level level) +{ + if (kernel_locked_down >= level) + return -EPERM; + + kernel_locked_down = level; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + return 0; +} + +static int __init lockdown_param(char *level) +{ + if (!level) + return -EINVAL; + + if (strcmp(level, "integrity") == 0) + lock_kernel_down("command line", LOCKDOWN_INTEGRITY); + else if (strcmp(level, "confidentiality") == 0) + lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY); + else + return -EINVAL; + + return 0; +} + +early_param("lockdown", lockdown_param); + +/* + * This must be called before arch setup code in order to ensure that the + * appropriate default can be applied without being overridden by the command + * line option. + */ +void __init init_lockdown(void) +{ +#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY); +#elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY) + lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY); +#endif +} + +/** + * kernel_is_locked_down - Find out if the kernel is locked down + * @what: Tag to use in notice generated if lockdown is in effect + */ +bool __kernel_is_locked_down(const char *what, enum lockdown_level level, + bool first) +{ + if ((kernel_locked_down >= level) && what && first) + pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", + what); + return (kernel_locked_down >= level); +} +EXPORT_SYMBOL(__kernel_is_locked_down); + +static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count, + loff_t *ppos) +{ + char temp[80]; + int i, offset=0; + + for (i = LOCKDOWN_NONE; i < LOCKDOWN_MAX; i++) { + if (lockdown_levels[i]) { + const char *label = lockdown_levels[i]; + + if (kernel_locked_down == i) + offset += sprintf(temp+offset, "[%s] ", label); + else + offset += sprintf(temp+offset, "%s ", label); + } + } + + /* Convert the last space to a newline if needed. */ + if (offset > 0) + temp[offset-1] = '\n'; + + return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); +} + +static ssize_t lockdown_write(struct file *file, const char __user *buf, + size_t n, loff_t *ppos) +{ + char *state; + int i, len, err = 0; + + state = memdup_user_nul(buf, n); + if (IS_ERR(state)) + return PTR_ERR(state); + + len = strlen(state); + if (state[len-1] == '\n') { + state[len-1] = '\0'; + len--; + } + + for (i = 0; i < LOCKDOWN_MAX; i++) { + const char *label = lockdown_levels[i]; + + if (label && len == strlen(label) && !strncmp(state, label, len)) + err = lock_kernel_down("securityfs", i); + } + + kfree(state); + return err ? err : n; +} + +static const struct file_operations lockdown_ops = { + .read = lockdown_read, + .write = lockdown_write, +}; + +static int __init lockdown_secfs_init(void) +{ + struct dentry *dentry; + + dentry = securityfs_create_file("lockdown", 0660, NULL, NULL, + &lockdown_ops); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + +core_initcall(lockdown_secfs_init); From patchwork Tue Mar 26 18:27:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055054 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE2ACC43381 for ; Tue, 26 Mar 2019 18:28:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C1402206DF for ; Tue, 26 Mar 2019 18:28:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="bA3dmIiF" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732590AbfCZS2F (ORCPT ); Tue, 26 Mar 2019 14:28:05 -0400 Received: from mail-oi1-f202.google.com ([209.85.167.202]:36074 "EHLO mail-oi1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732566AbfCZS2B (ORCPT ); Tue, 26 Mar 2019 14:28:01 -0400 Received: by mail-oi1-f202.google.com with SMTP id t66so5741538oie.3 for ; Tue, 26 Mar 2019 11:28:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=fNnpo8lLzymZARu5UXrve26AL2A88YZO9HZRbBxOnPc=; b=bA3dmIiFcHRvOdKWWJyyAWFxpd0/eSw3KHIROhS1I9yokwsCzfmKaqf2p2y68VqWW/ vlpoVkko2s4T0hcqSYMOU+Pcj9KiiFB8r4MVvv23Z4PL1HYmVD0aMOI1DyIsqALq8Pb+ xMGOgj4XAA7JK6szCyO/HvwnUME6L00WvEEIuexfwS454lE90GHCMLcOXzmPyOuuGij5 Ecg3v1tSGWh7r3dyYdfuMXae9MtbkUTDYLO4ipHww1JcpLUO7xwp8vIc9kcixNO56mIh IoUbHw0PRwuDn3ud9o3XyiRofhdf9MR73HyKVnqYfuvGbIALzJx0UJ57RtLp+OwxaJrp RduA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=fNnpo8lLzymZARu5UXrve26AL2A88YZO9HZRbBxOnPc=; b=N2PH4j0qbUIX6cjHGl75ONhEs82VUjL0ZE2ioQZCpwYDvLygy4NP/InSRxhsX+RqdM NZfXGbYYHmG61E6YMN/mRlx5qw8eLcn67DOwuCYLaARAxJwrs9ooyOZ6jXwbbvOqT4Lo 2oxE8WPK08rBFzD6WyRqTNH6AiemDyYljx5Fc2W/iMXYJgoGjxgmiU4uFQDG1tp9k9nQ qtBzcP/sp29lPNbBr0jvFe/4KSgDtgV70tipCALKv6m0pSDgyPuOg99HT3/XC53+/DAz i2o3rCVHEj7GG5yGEeuxZcoBMlIykTo3G+rDn1DEOLd49TDVfU9NzoPzEvJTwfjpZZ7a msWg== X-Gm-Message-State: APjAAAXRJlm9ANciXanuFmH+lDo/AS6fz+EfQkt1zBI3xwC7kVQGSar8 bJC9PR1D1TxbbumYsDiedxKjxe6beSs6Sa7VkZCEdA== X-Google-Smtp-Source: APXvYqxK5etbNZOafsOtIe3ObV0QXWQIHk+fUQNdgAx8FlSaBS+KmOAPLWPk31D+F29XECjttdxMIxlQUKAsFpz/tE3e+g== X-Received: by 2002:aca:dd0b:: with SMTP id u11mr16650482oig.24.1553624880468; Tue, 26 Mar 2019 11:28:00 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:18 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-3-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 02/25] Enforce module signatures if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Jessica Yu Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got. Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.] Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Jessica Yu --- kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..deea9d2763f8 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) From patchwork Tue Mar 26 18:27:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055055 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90DC9C10F05 for ; Tue, 26 Mar 2019 18:28:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 651292087E for ; Tue, 26 Mar 2019 18:28:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="K5sdA5I1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732613AbfCZS2I (ORCPT ); Tue, 26 Mar 2019 14:28:08 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:34501 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732575AbfCZS2D (ORCPT ); Tue, 26 Mar 2019 14:28:03 -0400 Received: by mail-vk1-f202.google.com with SMTP id y82so2016306vkd.1 for ; Tue, 26 Mar 2019 11:28:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=J/O8uCPgOG3C0ZxSZ9IB3rxgWx3qFX62jDUsj+e+998=; b=K5sdA5I1sE//tLsvi5folYzvaOlJGge5wGHbTEfX+aWT54ddING0zVnNuLoD1bBwcg gjLVM6znIYvwcHeqwhtIEdbJyxbTy/EpYVnEckV1FU6h0uQvnInhH4CntIcrPrCNHgeh whtma18ma5ixu+z6D26uRzegoUdRlr6DfiOP6EDSld30DWglteeG7X8fivQOp/ibvREf 4x0xKRoTsrL3BKW37+UZt9+d4vmcP3Ook/9PmuK0x4K1R2Eg5LJ04AJSMZvXgxhZmgVD 7MhxCVABNsu2vAapO5xiGnKBb3C2ysBlByJmzKLoxts1P6Ukapc3hjKsUO70BZZ91uAz ncuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=J/O8uCPgOG3C0ZxSZ9IB3rxgWx3qFX62jDUsj+e+998=; b=eciJgYHwcMVtnGBQ2pVH1nta9dobm/Pn9R3NOS1gn3ZRFMH2OrSM6OHcLHRO35Hjw+ P9pkNlHfWriHhSStAtMLx6Jwn3cv5ACowZ6BxTzzo2mMebCNQCj5V5O6wTPZvjC5hXXB ES9pqDgS/B1TJryLTRwVdrHSTr+nOoGoWyLFO7JdkjIAgLNfkVeox7dlYGbFlW2Bf7iU y6gKvHMMH8aO3WY+AYNperB3PDgllCupcxCNAVapKrvPMGfeKyD9SSmyBWx5ovHGDTcs 1NszRRE1mvzQxmBWxjVPGzWGzAAZl53p3dznOezTk7l/LPMh62UE5qlKA/iFH30Q8P0T MVkA== X-Gm-Message-State: APjAAAV+HU5KTs2SXGOE2MuNCjmyWs2khLo7ysaS+/eSC8Xrk5ThQSPN wI2EM222/Sz2Oyg4VPjJK0Eo+pCOyyuiaBG9a+6I4g== X-Google-Smtp-Source: APXvYqzjIT3j6D/3W+JJCtNIBBhklG4H27OmJuFi+A4uUlowWE/PlFjW1Ck18pWgkexJ4RTQcQWsikYrws3GECQHMeiRxg== X-Received: by 2002:a67:fa52:: with SMTP id j18mr10694005vsq.118.1553624882922; Tue, 26 Mar 2019 11:28:02 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:19 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-4-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 03/25] Restrict /dev/{mem,kmem,port} when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , x86@kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: x86@kernel.org --- drivers/char/mem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..67b85939b1bd 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port", LOCKDOWN_INTEGRITY)) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } From patchwork Tue Mar 26 18:27:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055077 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C010C43381 for ; Tue, 26 Mar 2019 18:30:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4F747206DF for ; Tue, 26 Mar 2019 18:30:28 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="q/9vwQqe" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732974AbfCZSa1 (ORCPT ); Tue, 26 Mar 2019 14:30:27 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:48224 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732566AbfCZS2G (ORCPT ); Tue, 26 Mar 2019 14:28:06 -0400 Received: by mail-vk1-f201.google.com with SMTP id l85so5677685vke.15 for ; Tue, 26 Mar 2019 11:28:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=LW7lq5jkExR1NuLSqDh6tdSVxounhx+I412qfIcDAFY=; b=q/9vwQqeELW8VlIFBstln+nSZdV89CEKrwLeAoPYLE0WmwDflbjM9zmZfkKzmVHUCm BRnYfeAzcXfVP3XdbekpJi4zOfVDDYynZcWlYJti/6+3PxXoHiybysEqPwNAyOwkVt5z 6L1AOH9G3bHZuwcCpB3xab+jt0vlMwC1dvuwiaHH84kZPIiYvnVXeABd6keKeimDoNiQ UxsPfKdmLHQpyQPhNC7Sa2RQjxS3K2H2JEzrv6rj/nis1F03CbK2WTnLlqiaDqM6GC0e cx56GL8Ws9KW2dbhz2y9dpGYjqfK4CjEmLkgl8xLX7USn7CY0pmxMYV1pgX6tmm3D3dT gMFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=LW7lq5jkExR1NuLSqDh6tdSVxounhx+I412qfIcDAFY=; b=nevRsM4oYS1mtX3KFZVMickEL5wENy9BR9a3Htp8kfA3OBtczWuZ+GjC0Pjl7iREUn 8Uy8DD1/TuCdmUEqaQ8Kv+ZgCKXEGWf7oiXx9F0arF4v0AIHuBtqnUoFxl5QWgC5SP5T kbd8iErDPA04CcJyMWwCEe5zBZwQwbSRk34c8rnTGhgqmkw5+44421hG0So4lwAJwean g2u/OUhFpCpmudtcJYITJVZAtoLDiYvtYbIzyiUYJfAtKqul2JNKuik36rZAsv+zFF1z w80E8Gco81xUxfJ3w2PS9utLXwHtMpV0cIw0vEEwn2WIE/GD7djevCmQ7e2ZgRY2VRbd Z1vA== X-Gm-Message-State: APjAAAWOKX3RPvRyqLif+OG4BhHBn03AJdSKSlFvjn8QZ41CHN8r1Mip PjJtgXb4gO+m1/9cbNmdBUm17BU7JEdcX0Mpo+K3Qw== X-Google-Smtp-Source: APXvYqyA91v3/8afrN3palsHlyZwOfxxJU/6gpXp8Dz1dELvFCw4kA9b2STRODD028ObSqqbRbJywu9/c/Poz5yc+WFrRA== X-Received: by 2002:a1f:a18e:: with SMTP id k136mr7884472vke.88.1553624885547; Tue, 26 Mar 2019 11:28:05 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:20 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-5-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 04/25] kexec_load: Disable at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Dave Young , kexec@lists.infradead.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Dave Young cc: kexec@lists.infradead.org --- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..57047acc9a36 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -207,6 +207,14 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images", + LOCKDOWN_INTEGRITY)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. From patchwork Tue Mar 26 18:27:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055056 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB320C43381 for ; Tue, 26 Mar 2019 18:28:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AEC5920866 for ; Tue, 26 Mar 2019 18:28:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="XKxuTIw9" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732629AbfCZS2L (ORCPT ); Tue, 26 Mar 2019 14:28:11 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:41719 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732610AbfCZS2J (ORCPT ); Tue, 26 Mar 2019 14:28:09 -0400 Received: by mail-vk1-f202.google.com with SMTP id g9so5836366vke.8 for ; Tue, 26 Mar 2019 11:28:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=ZxYq8cG2sFhGgbw0k3aUDfwIzpbQidarvZYq7w9bkW0=; b=XKxuTIw96/3+PO2e8Ya9M0C6H/BRKjbA7yCgb6ScDY71OKQu5O1qKynqYWdRZD1PkT 6X/9B1zYux3mu1aFjig8XS7q3DMLwHqMmXUvoGtAgZTiVqAXOPlB39jvB0b2LcsukNoL pPWqayoIdW9Nge+E83siRCq3NRELl3ui1CHNEgvGTxCphitA1+OlZJQrBFj2IxpBsuI7 OqL6q+lDn6kFhRlnMVUGjoMx6N8teAVHCUvVXD+VM8jpkzW3SOP0RUjD2LSxBoRDE4M5 OP99Uwtyx2pNjnZ+DqkkO4GZpT9A9MLxfN2L8AWVWnyv+Fsq/32fW8wpw4Kzu4Khwxel 8K+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=ZxYq8cG2sFhGgbw0k3aUDfwIzpbQidarvZYq7w9bkW0=; b=QB3FE3Q1NkmRyNl8I01q4Ka3T1dAGgoad8JMFjR64hf3b2bObonLKMb/Mdu8Q9E7R+ OfJ0chCfJZetHuX7YD5BS0yw2Kk/V3hwXQeWanikOX2oHTZmZzk93Z5Iiz/gJ+FS+Q76 +VIy58kM77g1LIUKEj6sC1Jpvkq0gXxFLLGJmtnU/TYzoeNVfo4JKJa6n0scqJw2AfNL uKTSo9pNZg23Xqn8npHBd0VdRaUEnQ7+U/un7tZiJzJqDBrMRH6BEbRuCPxgIHAJE/CX ox6viZ7bg4Nw7JHfdGvBxwsV286EVYkH8pjqRM7WkIxSoauk4D6vELw/u2kk2ymF7Poz LzWA== X-Gm-Message-State: APjAAAVepL+DkG7NoJK/S+Lh+l5bdaigOepEvI3DrprXtJyxFM3sH9nX VDl5C4Zy5at8Kx7ayoVPbvhFQ+pgEkx6aEpLdiEffA== X-Google-Smtp-Source: APXvYqxlissl0NjOJ+77xdIz+6/F0YGZJeXa8wrNGBsNkoGBnW975xjqFKfU2vra4AZjmcWWJ9+pVUMa08cHnkbiVaF4kQ== X-Received: by 2002:a67:f3c3:: with SMTP id j3mr10831580vsn.206.1553624888095; Tue, 26 Mar 2019 11:28:08 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:21 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-6-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 05/25] Copy secure_boot flag in boot params across kexec reboot From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Dave Young , Matthew Garrett , kexec@lists.infradead.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dave Young Kexec reboot in case secure boot being enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot. Adding a patch to fix this by retain the secure_boot flag in original kernel. secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. Fixing this issue by copying secure_boot flag across kexec reboot. Signed-off-by: Dave Young Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: kexec@lists.infradead.org --- arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 278cd07228dd..d49554b948fd 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; From patchwork Tue Mar 26 18:27:22 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055057 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD37FC4360F for ; Tue, 26 Mar 2019 18:28:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A59972084B for ; Tue, 26 Mar 2019 18:28:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="qYJW/xs+" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732646AbfCZS2N (ORCPT ); Tue, 26 Mar 2019 14:28:13 -0400 Received: from mail-ot1-f73.google.com ([209.85.210.73]:51787 "EHLO mail-ot1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732622AbfCZS2L (ORCPT ); Tue, 26 Mar 2019 14:28:11 -0400 Received: by mail-ot1-f73.google.com with SMTP id y19so8831000otk.18 for ; Tue, 26 Mar 2019 11:28:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=DR3rBb2V8Dk77n+84nIF0+Znm0UqE9/8zaxdQ5CO2lo=; b=qYJW/xs+nLDcVGGTYVEVD05T/qerxpSxu5bGyCDyqRIN2PQcO/8rizPMkEG5e9Q/K0 SFoDzqGhV+38csuM69grnxhhFT4BiwC+wwvUHZrsP2a+ElcfMDnOkJdguaVu2IjpjD0s 4wPlkPUTr2mESbl6ovuAdSF4bYbUZGmG7/erzjPE1iAdak1g83oCJZUEO6DVBhoUeB9z cw9AEgwlYCfHOS4TfzcHpZ+K9aDyCNS0FK2N4LaxlfjnZiVI0S8KvIXG+PGcu3zB6ILk JFIPhAeLRMIB8hYAG10DKu4KsQCQcgb5ie1C+bK/xLY0vr2tSMWjeAQxgrNQBlYjpf4B HH6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=DR3rBb2V8Dk77n+84nIF0+Znm0UqE9/8zaxdQ5CO2lo=; b=NWbfX1BQW5HDEEkgWJSkeGHyr9FyfUrMWvUssfPebIyjVq1arlESd20HNEUCsaFdtK o8Ui2K2Ho/e5jYrs+YUvDJO7vUfZQoOTye/2ozuCxFg5z2UmAmqI1pZ8FI/l0vcEvYun FlG7bA2ImVsW8KDWBDf8c4vIBvQrisRafzziH4LSS1KxIEfy1ymbIgTApDGekT81U3VA U7IEzfpeoaoz8rHDX3OMFHPpUiKOQ/J/d6XstUMWCP5TmG86xotGdnsg6g1u4W0zbdX4 Azz/oTS83YL+HJ3PCrXytOxovDuhBGDvcT5OC5MaiZjkZtNS+kcC6/UDGWAu8udsWnxF jXwQ== X-Gm-Message-State: APjAAAU0z5DBYwS5p8ZUGYKkMq5UakBMM4Twdi2V8gNn1e5IJ0FKJzZJ oF4q4p4E77pOSWigEpFbA0Paf1sNGqfjv2zmRQacLQ== X-Google-Smtp-Source: APXvYqw4gd1ZERpUGHBC5v8fMRulSwVLUw0V07pXZdOQJYCMHhe2tsQoihJIKx5WNOGpIu0Wee6WW9kbDcKmvL2X64t7og== X-Received: by 2002:a9d:76cb:: with SMTP id p11mr8330720otl.248.1553624890542; Tue, 26 Mar 2019 11:28:10 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:22 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-7-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Jiri Bohac , Matthew Garrett , kexec@lists.infradead.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Bohac This is a preparatory patch for kexec_file_load() lockdown. A locked down kernel needs to prevent unsigned kernel images from being loaded with kexec_file_load(). Currently, the only way to force the signature verification is compiling with KEXEC_VERIFY_SIG. This prevents loading usigned images even when the kernel is not locked down at runtime. This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG turns on the signature verification but allows unsigned images to be loaded. KEXEC_SIG_FORCE disallows images without a valid signature. [Modified by David Howells such that: (1) verify_pefile_signature() differentiates between no-signature and sig-didn't-match in its returned errors. (2) kexec fails with EKEYREJECTED and logs an appropriate message if signature checking is enforced and an signature is not found, uses unsupported crypto or has no matching key. (3) kexec fails with EKEYREJECTED if there is a signature for which we have a key, but signature doesn't match - even if in non-forcing mode. (4) kexec fails with EBADMSG or some other error if there is a signature which cannot be parsed - even if in non-forcing mode. (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract the signature - even if in non-forcing mode. ] Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac cc: kexec@lists.infradead.org --- arch/x86/Kconfig | 20 ++++++++--- crypto/asymmetric_keys/verify_pefile.c | 4 ++- include/linux/kexec.h | 4 +-- kernel/kexec_file.c | 48 ++++++++++++++++++++++---- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 4b4a7f32b68e..735d04a4b18f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2016,20 +2016,30 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE -config KEXEC_VERIFY_SIG +config KEXEC_SIG bool "Verify kernel signature during kexec_file_load() syscall" depends on KEXEC_FILE ---help--- - This option makes kernel signature verification mandatory for - the kexec_file_load() syscall. - In addition to that option, you need to enable signature + This option makes the kexec_file_load() syscall check for a valid + signature of the kernel image. The image can still be loaded without + a valid signature unless you also enable KEXEC_SIG_FORCE, though if + there's a signature that we can check, then it must be valid. + + In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work. +config KEXEC_SIG_FORCE + bool "Require a valid signature in kexec_file_load() syscall" + depends on KEXEC_SIG + ---help--- + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + config KEXEC_BZIMAGE_VERIFY_SIG bool "Enable bzImage signature verification support" - depends on KEXEC_VERIFY_SIG + depends on KEXEC_SIG depends on SIGNED_PE_FILE_VERIFICATION select SYSTEM_TRUSTED_KEYRING ---help--- diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index d178650fd524..4473cea1e877 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, if (!ddir->certs.virtual_address || !ddir->certs.size) { pr_debug("Unsigned PE binary\n"); - return -EKEYREJECTED; + return -ENODATA; } chkaddr(ctx->header_size, ddir->certs.virtual_address, @@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, * (*) 0 if at least one signature chain intersects with the keys in the trust * keyring, or: * + * (*) -ENODATA if there is no signature present. + * * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a * chain. * diff --git a/include/linux/kexec.h b/include/linux/kexec.h index b9b1bc5f9669..58b27c7bdc2b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, unsigned long cmdline_len); typedef int (kexec_cleanup_t)(void *loader_data); -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG typedef int (kexec_verify_sig_t)(const char *kernel_buf, unsigned long kernel_len); #endif @@ -134,7 +134,7 @@ struct kexec_file_ops { kexec_probe_t *probe; kexec_load_t *load; kexec_cleanup_t *cleanup; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG kexec_verify_sig_t *verify_sig; #endif }; diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..67f3a866eabe 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) return kexec_image_post_load_cleanup_default(image); } -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG static int kexec_image_verify_sig_default(struct kimage *image, void *buf, unsigned long buf_len) { @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, unsigned long cmdline_len, unsigned flags) { - int ret = 0; + const char *reason; + int ret; void *ldata; loff_t size; @@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, if (ret) goto out; -#ifdef CONFIG_KEXEC_VERIFY_SIG +#ifdef CONFIG_KEXEC_SIG ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); - if (ret) { - pr_debug("kernel signature verification failed.\n"); +#else + ret = -ENODATA; +#endif + + switch (ret) { + case 0: + break; + + /* Certain verification errors are non-fatal if we're not + * checking errors, provided we aren't mandating that there + * must be a valid signature. + */ + case -ENODATA: + reason = "kexec of unsigned image"; + goto decide; + case -ENOPKG: + reason = "kexec of image with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "kexec of image with unavailable key"; + decide: + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + pr_notice("%s rejected\n", reason); + ret = -EKEYREJECTED; + goto out; + } + + ret = 0; + break; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + pr_notice("kernel signature verification failed (%d).\n", ret); goto out; } - pr_debug("kernel signature verification successful.\n"); -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf, From patchwork Tue Mar 26 18:27:23 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055058 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10AB5C43381 for ; Tue, 26 Mar 2019 18:28:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D5CC6217D7 for ; Tue, 26 Mar 2019 18:28:20 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="l//G//2s" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732669AbfCZS2S (ORCPT ); Tue, 26 Mar 2019 14:28:18 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:55782 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732642AbfCZS2N (ORCPT ); Tue, 26 Mar 2019 14:28:13 -0400 Received: by mail-pl1-f201.google.com with SMTP id m37so2642377plg.22 for ; Tue, 26 Mar 2019 11:28:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=iaaF5/aYD/K1PTKwNLEWQdX8WLqLGYfc09hndKsTKvo=; b=l//G//2sHdyapUFBKmU1Oe0w93NOV++WkMVLG4McMk+SBsjMEM+vwC89tGHOeX4bX3 iLq2kDF27llh4VMpGE2JN5mQSXFfsQXQ6lDhYGtVWKn+8k364eUUUUFwWmvoQAg6NLmf GHIbF9CfAVLYRRoFqCFAY1gOfCMug1s/siggmuBq1Znm3Cu8YRUYsq7EpMo/6j7VjBef lCBHnMX9WL8pjUdPRK6ORN67KC8xL61mOXGev20Lw8Mkp0N+UiHfZzP3hC5VMfvpsnuf ki1fbB3JpuJVLdbavBWsVnzqyTLpzCb7ODNS0Q+LbzEj0FoHeMceWgWYlYk7kiTux4VE KGoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=iaaF5/aYD/K1PTKwNLEWQdX8WLqLGYfc09hndKsTKvo=; b=TNrRKQYcrACZJ4nXsG+t1oXlvCkSfhsLcAjc4hXuznBb/jsccq09s3Xf/19SdpTWKN ziLi/VUgQP+un+sqHcphIyIXfpsIRm2r0WBneGxzyER3IMxqSannOQFRJHcx0eDr7eAe cMYDlZ2KeAmTDDf/fY1jPMlSwZO8np6ZFe3NdgUFAjTLBfPXGWkXMIsXG1sxh5HVOto4 EOBI9kyhlJ5bIxr4GEmAGvLdJjivegqcDPrUONpshQOd3K2SYsMvdyegSi/45k7I5VWc D3B5k1AoViqXKwpFw3QHxBEW5hWhI/Lqob+F4c0k6bjorZOxgcqRuKIOgsF37O4FCMCu ZqBQ== X-Gm-Message-State: APjAAAWtmwyzehMu52jIbECuZ2gxKc6w2P+NJvA/6buG+2JDHSGg29bX jF6soGiy4Y51zfvkOdq4uWpsGRuKmSYN2LrU2VUzFQ== X-Google-Smtp-Source: APXvYqx/+tjzXSZCjrL8Cln0/kVVOU3RI7T0H+0YpsU3UDmguRWm19jB1kNMcF+CVt78WKXvE7FVTtk8kfMkEo40fzSgPQ== X-Received: by 2002:a63:2747:: with SMTP id n68mr29116516pgn.317.1553624892782; Tue, 26 Mar 2019 11:28:12 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:23 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-8-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Jiri Bohac , Matthew Garrett , kexec@lists.infradead.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Bohac When KEXEC_SIG is not enabled, kernel should not load images through kexec_file systemcall if the kernel is locked down. [Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.] Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac cc: kexec@lists.infradead.org --- kernel/kexec_file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 67f3a866eabe..a1cc37c8b43b 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, } ret = 0; + + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { + ret = -EPERM; + goto out; + } + break; /* All other errors are fatal, including nomem, unparseable From patchwork Tue Mar 26 18:27:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055076 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0DB99C43381 for ; Tue, 26 Mar 2019 18:30:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D467D206DF for ; Tue, 26 Mar 2019 18:30:09 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="hd/qJI5p" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732717AbfCZSaI (ORCPT ); Tue, 26 Mar 2019 14:30:08 -0400 Received: from mail-yw1-f73.google.com ([209.85.161.73]:39514 "EHLO mail-yw1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732649AbfCZS2Q (ORCPT ); Tue, 26 Mar 2019 14:28:16 -0400 Received: by mail-yw1-f73.google.com with SMTP id p1so19966956ywm.6 for ; Tue, 26 Mar 2019 11:28:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=F7gwrLqBhitPmGCH3yDZVQC7NL1DApaJvsgcGKz9XZw=; b=hd/qJI5pj21wdEXiN1GwGQHBvVWEtmSPOfLn12fiaFf2w7nNYsYJpe9u8ow9/Re1Kb FvKsZkCo/b0GsFfWFuz7eAQFgkAyaD1YtMu/MyusFUzAhdYBGkZWIj1S+E8fN9DnaUae L8FwSMa5O7X9SlCg7DEGpzVPkBfeq+h0Wz6MqDxvDPB424xtQc9WmiNTOO+jUGewUNHD lpCXH7AOi+wpEp3OI9bXgjF1sBIcv8UIJnzzt+rmTvkH36pdxeTNEvndnDJ1OpSY/cAA rOexpy+QRByAQot5nHETdAlDEtaJ3PrSaljT6cRrg+ws0ERdZzfzb5mmKZf2MqHgiBKm t7vA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=F7gwrLqBhitPmGCH3yDZVQC7NL1DApaJvsgcGKz9XZw=; b=qZ+YzzxeOtuJYzPWdqhbmEpQUFKUA4jc//oDXiHlXZW+bUTGEwBJdY8yBCDTx3GXnF IQ2/n+dtsgscCQ6rU3uEHJxqCJE3ZkCu1W2QNLWYCUDPIKisbvKdPUUGpaEuubsK/cwM f+tpmdEplpcYWm4AiyTkxrtbOFWNbYre0aWv7T0TPl4fRU9SNzg19sVtuL3wBZpvp+yr gD2jXVb8c+uh2Nom9b03Ai8CgYtcoV1DTnNwVMG1MduvI9OhgHolWs5UwtY6qtv9jNbp QSo3yPdQ+g/VqYxL2bKQKMPPKh6/tSTgpkzjJRgwApA7vsfHHjbXWvtdUgYeItfvznGv z8mQ== X-Gm-Message-State: APjAAAWmmby7P7HTcOaNEwE/BhgKG44JUdM+u/kZ6LFCk6wNHQXvnJd4 gjYabUxnDWmj8VcSYFAVut+o5vZStKwQ5/v4AelbhQ== X-Google-Smtp-Source: APXvYqz53lg90CRAmq2n9UPcuRM+Zbwo5prjfkTYkHVgr5i0xCngmc0ofLZBkRfHjvHhL+zyIQ3AzU157vWcCX9jyM6hWw== X-Received: by 2002:a81:3c90:: with SMTP id j138mr27011505ywa.276.1553624895457; Tue, 26 Mar 2019 11:28:15 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:24 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-9-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 08/25] hibernate: Disable when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer , Matthew Garrett , rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org --- kernel/power/hibernate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..928b198cfa26 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation", + LOCKDOWN_INTEGRITY); } /** From patchwork Tue Mar 26 18:27:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055059 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA0A0C4360F for ; Tue, 26 Mar 2019 18:28:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BA20020879 for ; Tue, 26 Mar 2019 18:28:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Oz9kzY7d" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732691AbfCZS2V (ORCPT ); Tue, 26 Mar 2019 14:28:21 -0400 Received: from mail-qt1-f201.google.com ([209.85.160.201]:55895 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732665AbfCZS2T (ORCPT ); Tue, 26 Mar 2019 14:28:19 -0400 Received: by mail-qt1-f201.google.com with SMTP id h51so14375447qte.22 for ; Tue, 26 Mar 2019 11:28:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=UWUYbOZniscPzPib57I8cPwH1j1zNPSziYufzU02lOY=; b=Oz9kzY7d3lv55fVkI6Kb0Gzd3zJwJVSAVP1ulUaw9XyfUgwUTFQ69SW1TpPJkSkz4I 8NUL2BguYiSmd8NFIwTgZKd7UB7lU8F2hm+SV82c1BpjE00Nve3eEAV5dCvYM6U0Adft 8cHrLisTQIpYkEfVr7pSsB7vKPAWYQArSJSuLNv7EWxW+QmxHN7LZdgApdkQI107/Ow2 GZ3GQday6ZqELcHEK3ZUIq2VgMJhr6I6/cma2bxfcIUaCW826/CfZVTmkThJ3vczr5og R+xZyn2RY8eloJabWhb+3U23suPmtoBLFDiFAW2oz2cFDyDctnrk/MCbULdQ+P4rFbUa 32UQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=UWUYbOZniscPzPib57I8cPwH1j1zNPSziYufzU02lOY=; b=o/Wd23G3vp4ZeuiQ+Jd4Xe4JFjB290GjMEjk6NkfZXu4PZau2DnT5qtwOs8n4c6eVR S1uForDS7vX0xl9F5vtDaoxrPUeceF7ys79WrVf7ioApGrhOmjpZiw4IYuktOMOvwZVM z7TS/dJRY7HTMm4IuFFSr2Eyg4fitsCHipdZtiHdvC7w1PDm51KLFFq7CqnUI514qWJK okdjFsb6mWBtzzm+975CdE0mLIbceosCdxjexBpHtQX8kIoqxwXvR9X1WcqDs6VCgZtQ BNVJ3kMJQxM9opAYm5Bj2AdjrtiUcigIne23OD2UZQ+RYvqzjZM2VdAcQ+o3RDLcrj5C HpIQ== X-Gm-Message-State: APjAAAVP46UCbfFi8ynL78unKxY0RA6A5J6UW0GXjygkI3fcuwgmsGlN OuEjYQbcZBYqXvORRdVr9NG+dR6yFSX5VenK3HH2qQ== X-Google-Smtp-Source: APXvYqy8T5iMSU8bRAJDeiOYdZ+vf7wI+oEKQds8Wx9UYe7VIOiL7DRxsniEJLG6jiM0ADBnIZ62Ujuch6uEFVoBA5UeiQ== X-Received: by 2002:ac8:1091:: with SMTP id a17mr25977158qtj.135.1553624898035; Tue, 26 Mar 2019 11:28:18 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:25 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-10-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 09/25] uswsusp: Disable when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , linux-pm@vger.kernel.org, pavel@ucw.cz, rjw@rjwysocki.net Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down. Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: linux-pm@vger.kernel.org Cc: pavel@ucw.cz Cc: rjw@rjwysocki.net --- kernel/power/user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c index 2d8b60a3c86b..99e13fd13237 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down("/dev/snapshot", LOCKDOWN_INTEGRITY)) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { From patchwork Tue Mar 26 18:27:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055075 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94151C43381 for ; Tue, 26 Mar 2019 18:29:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5F7642084B for ; Tue, 26 Mar 2019 18:29:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Yz7oOrcD" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732695AbfCZS2Y (ORCPT ); Tue, 26 Mar 2019 14:28:24 -0400 Received: from mail-ua1-f73.google.com ([209.85.222.73]:39585 "EHLO mail-ua1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732686AbfCZS2W (ORCPT ); Tue, 26 Mar 2019 14:28:22 -0400 Received: by mail-ua1-f73.google.com with SMTP id v5so240942ual.6 for ; Tue, 26 Mar 2019 11:28:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=m5EpQp8h0Y4rOl6Y1bbFAZQnIUUjTzjUqWwPJEltX0Y=; b=Yz7oOrcDdKUM0oYpsGth5oCv8+Sc+iqvbZ8HKnhPKCnBF9rUHCL9szQCMAPU1PE8KZ V5oNz+OBCLawb6XGwCVNO/3W7ZIGW6CJqa38iNh+smM0l3Mf3WI096uUxVztD+vMlcy8 withllnQOAKuH6gF0+c6jcTe8VCipjbIFvdZQ3SG7qlyXzoR+Tduukj9v5gmr817WjTN 9qDDUFYKJxhZTZ6Uwfhk7qeYMwY0kNDGpr/Xub4PUqKY1bIS3otzcyj76HMmWPO1Cupi V7GyBI5YYjxdJUAmUSXaa8vzKtz1GNVChjlfHcl09ljj04vfopWnPSjdHPO8UC5ktyD4 6Vaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=m5EpQp8h0Y4rOl6Y1bbFAZQnIUUjTzjUqWwPJEltX0Y=; b=KDP0LuTwCOyYfCbhSKIIBxhU8EX0/tfoS+rSwHgfD9rVEFndd2U+SsJIQX3vtOM26G hl7cxKawb+dRns0kK2JpfYwKj9W8YuNM2c+g9M2AK/4cLdoPk3xH6Sc8ZDDPLua3ex5x XSmhMoroDIHJnAGWVko3D+kcJ1UFa5l9vzRZN8ol525RF1Po15D3kl3x+BKYZ5O5B4A/ 9MO/pdQ3qKoiade77fIYD5TAV3hvMhL1NgYuvxXtyFTyYTD6u9t6gnbhbNmQ/Xyarmpr DqOGa8iUqDPeHuw9OFKW5wStCpZAt3eWC1HYnfkUxfdTps3Q97cAzpogMQMh1TqOW60y 3e3g== X-Gm-Message-State: APjAAAWpUL2PP1NfK34caFnAQY4UMP6nO3p10NZqIY+68n6WkLBp5GWu wl7epc3SwU4N2dp+KVfjrm8TBlI1Z2YxCv/TZr0i6g== X-Google-Smtp-Source: APXvYqxJT/ULfLCwvV7wSB2GAtE6Vz8ph2N7xnq6Ot24PIma7JsvCCcrM8TBMNJZ/wPOc6HUu0fWwieS5ffY5o8z3DZmWA== X-Received: by 2002:a1f:a4d:: with SMTP id 74mr14878315vkk.13.1553624900606; Tue, 26 Mar 2019 11:28:20 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:26 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-11-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Bjorn Helgaas , linux-pci@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Bjorn Helgaas cc: linux-pci@vger.kernel.org --- drivers/pci/pci-sysfs.c | 9 +++++++++ drivers/pci/proc.c | 9 ++++++++- drivers/pci/syscall.c | 3 ++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9ecfe13157c0..59d02088945e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; @@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..85769f222b6d 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..0669cb09e792 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); From patchwork Tue Mar 26 18:27:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055060 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4F28C43381 for ; Tue, 26 Mar 2019 18:28:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2881020866 for ; Tue, 26 Mar 2019 18:28:26 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="VOLB9NJT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732725AbfCZS2Z (ORCPT ); Tue, 26 Mar 2019 14:28:25 -0400 Received: from mail-oi1-f201.google.com ([209.85.167.201]:37522 "EHLO mail-oi1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732696AbfCZS2Y (ORCPT ); Tue, 26 Mar 2019 14:28:24 -0400 Received: by mail-oi1-f201.google.com with SMTP id v10so5714547oie.4 for ; Tue, 26 Mar 2019 11:28:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=QnWxYoXtlXDh+QYWjqIOEuesK8IQe5p8ynytMTjRSCY=; b=VOLB9NJTyx8dN7/6UA5I87VxSg+nwZPoTxN2KDQgkrTv2236J9Olmq+quOI2nLXRXN 1xZDat5ybiq8T8oFTM7wVNVjTnSSmmqUmWVdAzkBVYQT/TNuUFG4cfNZOz6XbbMduPQN jGPrQ3p3Du3K2KpWCoNs+2PsG7NrMg3SnaWygYmUHgW9YFvQSRfr9JLEjftvt4jqdqxx kl7nzHXM2jDxvwdZWc4ku65yfo6VoMaCqe6rocAivPH8R4QqQzivdbAJiP0R5QfdFmN4 /LCq63e0gersazqqSl1O5radgSWZS9ZX8q4kkMVsn1u/MQc+a0q8rH9IU5wU2naCScPL uQow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=QnWxYoXtlXDh+QYWjqIOEuesK8IQe5p8ynytMTjRSCY=; b=QaOdzE4Qa0I3dZDGpaJlT0FXQzgwrShaKcaqZ7f6GTWjZXP/C1rpqiU4yhze2CZL4v kwtyg2Nbn4Qkh9iyc1lryxAdBEd/x5QXtvml5lwNhE5iDsL3tU+9g/VnDy1ApZvwEgcX EHvHWiCc82y/Nw/tAVUwMegv0UcAbHlVDuea0uPltfKLVs1wT6Wn2RU1RyAaTZYZYmGI OOoyWh1Cbz3coGGl6GL9J8qWb2msoTiD9df9fWpFcKPpDHK53WzAuxF4UKKNBAOakeFi Fuw2mtKWESHS2Tj+kkESNyvR2rj/v8ty5YEmhizr3DOG+UMy8BOdRI21MykEQc77tHDF uzSg== X-Gm-Message-State: APjAAAVz1WFLWciumVIpi9xQkcx48DxqLw2xj7GlsXZlzLg+39mN4WvQ MVsDSh2OyWkzcJhIALj66oVi0Sk7TaO214OeNut17g== X-Google-Smtp-Source: APXvYqya4Q8mCNGenT/N6+mKmThPwv3Vw/5eFEF/hr0CHDhgdoiFSSgysKJ1Dj8ievmiAFsBB5YGdTZL+MPpKiKtZGiROg== X-Received: by 2002:aca:7592:: with SMTP id q140mr16468631oic.152.1553624902883; Tue, 26 Mar 2019 11:28:22 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:27 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-12-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 11/25] x86: Lock down IO port access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , x86@kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells cc: x86@kernel.org Reviewed-by: Andy Lutomirski --- arch/x86/kernel/ioport.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..febbd7eb847c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm", LOCKDOWN_INTEGRITY))) return -EPERM; /* @@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl", LOCKDOWN_INTEGRITY)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | From patchwork Tue Mar 26 18:27:28 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055061 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E287C43381 for ; Tue, 26 Mar 2019 18:28:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 64ABD20866 for ; Tue, 26 Mar 2019 18:28:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="QSA3jV9B" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732747AbfCZS23 (ORCPT ); Tue, 26 Mar 2019 14:28:29 -0400 Received: from mail-yw1-f74.google.com ([209.85.161.74]:37389 "EHLO mail-yw1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732726AbfCZS20 (ORCPT ); Tue, 26 Mar 2019 14:28:26 -0400 Received: by mail-yw1-f74.google.com with SMTP id x185so19969069ywd.4 for ; Tue, 26 Mar 2019 11:28:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=; b=QSA3jV9BWatdGl7hVSyhHwxLAxTneVkVg14uAJ/VF/6Frih2P7oXfTEv9kMP9G6XvB HEOGTc5uUxEQVWGmCh16CeR2IwnyK1KEWe+pwfhYfgXyj7bxXTdw9tKhsEjRGPG6ArGf qjggUxIgwpRtfAPv2l9cbaEcSWEgwDoxZkkEkMYKJh+bakWOkmpkPFLrGS1LnsvYGQuo Wh2GSZNqJwd+KUkfQlegDvzkqx/b3gLT9LlY1/YbcrJdfresNx4cOhRBgKV40TW1CyVL y8hFknGmWJARHvfiwFgL/XqzMwUY7qIZmWfCXy3Y6k4nk5qc1EVpbSGWzm9iUJ2bhVMd QkwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=; b=azma4+XaGVZbU+es5nEzMKAY/0wN41+ooo8J8qolXH9nZdQIGymWWbuHXqXK9ZbHDP 0pqnsuyz0l7fsmC8+FP8xfw1XAH4BiXJ7rIoKQ4i6BWX5Io78XlOxMrABc6Ef3d98YM+ PiENffw+1sGlIur7+kaZ/zWv+H9cWP3dH2T6fEU8DeVFtPwid76wdeAJXvUvDqHZ+k/r qM3kv1chvbsNV8+7x58mwmgUaXisTnhiwiGy8OllyCsCFAVW+0aef5EoqSoPK2MthNR4 r7hgeNTN9Z6SnfIko/4RQloQONM6RfFdbyD899M/MHQZ+iEyMmmYe6HYyzd9RJp1krXz Uutw== X-Gm-Message-State: APjAAAX7fewpqZowlYcY5kl53U0A/pEP+cshLPHhs+Zhw/yY0vJYW7dZ sjUwFoiZZYl9S71BKC03ocN89k8T6+FJf1Ggq07YXA== X-Google-Smtp-Source: APXvYqwzBhCfjCntQfOahXU56F0snMQq9ElS1KJwPE0d2nevxhWZdfF4MEC3IHuSvBuLMVlduS6O46rzOWmCP057ftS/gA== X-Received: by 2002:a25:1d04:: with SMTP id d4mr2412901ybd.517.1553624905627; Tue, 26 Mar 2019 11:28:25 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:28 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 12/25] x86/msr: Restrict MSR access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , Thomas Gleixner , x86@kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner cc: x86@kernel.org --- arch/x86/kernel/msr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..731be1be52b6 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -135,6 +138,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access", + LOCKDOWN_INTEGRITY)) { + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; From patchwork Tue Mar 26 18:27:29 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055074 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 700BDC43381 for ; Tue, 26 Mar 2019 18:29:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4058420700 for ; Tue, 26 Mar 2019 18:29:53 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="DIlec5t0" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732949AbfCZS3v (ORCPT ); Tue, 26 Mar 2019 14:29:51 -0400 Received: from mail-pl1-f202.google.com ([209.85.214.202]:41278 "EHLO mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732731AbfCZS22 (ORCPT ); Tue, 26 Mar 2019 14:28:28 -0400 Received: by mail-pl1-f202.google.com with SMTP id 42so2644115pld.8 for ; Tue, 26 Mar 2019 11:28:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=aQw0KGeWmvPzPQJC9aCiMXHo5RCdIiAFpbvhdBtqfOA=; b=DIlec5t0clil2K3z1mQdY8Ozo7PzlyiRXYNLrqoik42GWf+SWRdQxm0hFn3CDu6CT7 z3l23Zj/4mmAJvQOjaNVvuhjtGBp3PSUL8NIDYIfVFqPmo7Y6tVU4WhqiKb0j0Ovyq4/ uP4N0qPuQ8UBSpbd8J1/FCclbdWKoOxyfSchUBo9pr+auLEflx/O9jYxyHyO2OntwoNa zDIVBPCnINJDBVVQo1xUe9xiaiS1lQhbv4c8ylFNhZNGEiesp70hGeaXM6fmeK6Oi71x UTtqtlH3qdj+vmoGt8YCUW/DXotr4XE7NM7x+YRhhoncOOODmnhhmeTokf2EM59RBNWL 7Shw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=aQw0KGeWmvPzPQJC9aCiMXHo5RCdIiAFpbvhdBtqfOA=; b=nKx+vHSBPOJ9dSYcoeOSnwsvHESuIDHncBZouzz6ncqjMeGOW05B8jA7pYVJ36G6Y0 5JCKN6j5g/4hyLONwngEhx4hujHhHJcv6eS+MOutxuU8NcNNjO1zevuyv0kwOaRYur+m aVrp8njw8+lwWaYZMU+gSEiXfXBGROBqrGWHaJ3nlR18H6cTKaxIW82d+j/rDDg5W6Vc C286718sL+2hJQTJhjvwE3Esm1n04XupbeuzkaKvW/onMNQPcw7cWcTn5VdoeWt8NErR MeQxvBf1cR9CVKqru+ffZXw2SR014XW2CJLDeX5WtKyJo2m/pZbHTOAG+egYQK3z6Asb 85aw== X-Gm-Message-State: APjAAAVsp3b+fWb6CbeGmYE5urtMozw3CAKyGsueDqbBwtrdEoAjTPAH dRBatsCtRp0XdOFbCEDrCUitMpz4AQgK63uAKE+85A== X-Google-Smtp-Source: APXvYqwMAG8zXNmY8SYtlr6zSMiao5parpM7h46gp9u2mGxgCIj6BeGnsuRx9l4mNv99r59blJSOQTYpZpUTUH4Dvq+5gw== X-Received: by 2002:a63:f80f:: with SMTP id n15mr30302790pgh.283.1553624907693; Tue, 26 Mar 2019 11:28:27 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:29 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-14-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 13/25] ACPI: Limit access to custom_method when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , linux-acpi@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells cc: linux-acpi@vger.kernel.org --- drivers/acpi/custom_method.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 4451877f83b6..37de3cd84493 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (kernel_is_locked_down("ACPI custom methods", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) From patchwork Tue Mar 26 18:27:30 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055062 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BFAAC43381 for ; Tue, 26 Mar 2019 18:28:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D2B4420866 for ; Tue, 26 Mar 2019 18:28:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="h4V4spb5" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732776AbfCZS2f (ORCPT ); Tue, 26 Mar 2019 14:28:35 -0400 Received: from mail-ot1-f73.google.com ([209.85.210.73]:55892 "EHLO mail-ot1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732749AbfCZS2a (ORCPT ); Tue, 26 Mar 2019 14:28:30 -0400 Received: by mail-ot1-f73.google.com with SMTP id d38so8835316otb.22 for ; Tue, 26 Mar 2019 11:28:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=B6VKNJoBZyOp9UQCoOkYqDvTMA68uU6nV4VivW8ayKY=; b=h4V4spb546fgqSWgS1MCnVIdB5xf8zwauormzGFZ9wdZZR11ercKvrV9vGQBG2eaHy U5yAE9dWDJ8cLyFUTI6F6itG/zRVsHLE7RipWoTzwm3Euye6oips8veg3p0JE412stCi NA7uUXxXILc7TDlsvqcna7OqX/NcA45fCDGPS/y4ARKGku0QdHk5dnOgh3o+dQEsVIa4 70hb3FA8v3id5jV97bWtqjs/I7rVHqEdOkqe/GO66TDQ+GugNPfTcMdJKuvBVptU8XAN pXCcH/lTNqrDznbqQwAn+vWVf2zZb+yYoZ6C8xcYDV/S4TC8M3X2z2kIVCyt6ShkjatS 1KOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=B6VKNJoBZyOp9UQCoOkYqDvTMA68uU6nV4VivW8ayKY=; b=dvTCFmi41Vs2Ksfq0BZf1KWeJsZ30EKL+SwRuWIXtStSlZq+RkMqfjXixnVc/ORE1W oEHF+Vgjj9Slnht5K+DuFem1Gsy2uVIbydh7dAB9F0JBEmUAFdhaqNy9jGfBOdFvcmJA Fdt3EzPl+mX1X9z0JyfQT3ONa5I4k9uNpBu0d+szW05XcqY+10hNGN2HYSkcP8XQfxbF sDjl359IlA9EcLBmrEPdlDvLSuwVbtqFVriYgoVP/aPFFRPmBYmNpqG+Tt+NvXUwzUSD 33vMlFgr1XU/mlNHlgRxeAxrH0WLUcQVe/TFN64RoeO/CMsknS3p1Dn33tuk2qKEW/mA 5LvA== X-Gm-Message-State: APjAAAX8AqHp4yMX5PfiSz8wYmsGFm9zC/0CfSXUU7WlBSagc3OV8Wgh WLQyxk0edG/dyDstz1SGFTQaDwM8In2sIsC/drhmSw== X-Google-Smtp-Source: APXvYqyQy3Ly/I0+luq4SXBdXDDkmt0+oEhQUaMxXkgB8GNCQOuYQkqhB2oSrkQXziMzg96uVFB1sRh7FJkFmnGB+uM52Q== X-Received: by 2002:aca:54d2:: with SMTP id i201mr8572038oib.29.1553624910134; Tue, 26 Mar 2019 11:28:30 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:30 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-15-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer , Matthew Garrett , Dave Young , linux-acpi@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Josh Boyer This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware . Reject the option when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: Dave Young cc: linux-acpi@vger.kernel.org --- drivers/acpi/osl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index f29e427d0d1d..cd5bba7b8eb3 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -194,7 +194,8 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification", + LOCKDOWN_INTEGRITY)) return acpi_rsdp; #endif pa = acpi_arch_get_root_pointer(); From patchwork Tue Mar 26 18:27:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055073 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6BE68C43381 for ; Tue, 26 Mar 2019 18:29:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 45D3520700 for ; Tue, 26 Mar 2019 18:29:42 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="AxYQmILS" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732940AbfCZS3l (ORCPT ); Tue, 26 Mar 2019 14:29:41 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:54871 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732762AbfCZS2d (ORCPT ); Tue, 26 Mar 2019 14:28:33 -0400 Received: by mail-pf1-f202.google.com with SMTP id h69so12440126pfd.21 for ; Tue, 26 Mar 2019 11:28:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=3FVj0Vux23rW7dwNJJDnKT59ZHynyqjKA3q4fn8QSso=; b=AxYQmILSdFg0+F/o39f/WfXSvOMkaN5wYJO4P7AP0HLuNoMiYIIvFwFvfk0hUBiR13 4UAMjUq31t9bSPe0MnXikCSkC2eyMupf0ei8U0Ch/JsGWJCIxjQKrkYNixwHJNhsKf+8 ewiscQ7iVR6PbhjFJ6irRmuxUVbZLX5V1eFKDgOc+diXskj2lcYCgwC0GRCcxdXfP6YA uW7rY+3bIfIzXqyMc9UiOcDQaANdLrPOlfGEVIiD5evpn8H4GKKNhOV6Dgx16grRJ0Oi rDHP+gZaykXlVyw38TJLvk19ALMIfOGPG8dCFPBpoaR2er4L7WOE5TXOO0+zJmre7Hh8 8mgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=3FVj0Vux23rW7dwNJJDnKT59ZHynyqjKA3q4fn8QSso=; b=agUe5s3AKdizV0ALkeq41X8u0EyYBdxm9D9biQdwVJj1q6CGewhJ/feoJV7yc5uz2w HOqGW3N0tgy34BIAZxX8JpO26Gu9R1W1/p+nj10AMbKIXOp0zpWVDn0OqIUHiJY5zVnZ sTh9bATV4CG/V3tjl06k+HxVFeBCjmYi3kD61kNgBe/X2cbtLbVQh4rx67PnLYPDRX4Q F+9erTO6JVbGlL4PczHqeuOgGtYASotNJt7wcLPIos4DufggIaFFQJDVixRN7hRS+6O+ OOFKIlu9I2+nGbDQLWfUIbbQkb0RH2zy8K/gskhhANyqH4bTkgT+OkCADjtPhSXmm0f7 3oKA== X-Gm-Message-State: APjAAAV2weh4/5H8Mrj+veR7ousA37mJRkrzzyV87BiB+x8Y7Nq8vXxq qjFCOpGXJF9Gbox47j1VbkT7xXuGuRHDWByfBAhPSg== X-Google-Smtp-Source: APXvYqzlbcsO0MLfv7TbuLhLJ50spDBJ4EO9m5/RfC1cSvWt7EDQbTTXzw3lPerDfy2lNc3+4Q1va2ANipQsr3I+ft+bOg== X-Received: by 2002:a65:5343:: with SMTP id w3mr13108859pgr.232.1553624912801; Tue, 26 Mar 2019 11:28:32 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:31 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-16-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 15/25] acpi: Disable ACPI table override if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Linn Crosetto , Matthew Garrett , linux-acpi@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Linn Crosetto From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: linux-acpi@vger.kernel.org --- drivers/acpi/tables.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..0dc561210c86 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override", LOCKDOWN_INTEGRITY)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); From patchwork Tue Mar 26 18:27:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055063 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 244D4C43381 for ; Tue, 26 Mar 2019 18:28:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EED012087C for ; Tue, 26 Mar 2019 18:28:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="h7dNOb7R" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732794AbfCZS2k (ORCPT ); Tue, 26 Mar 2019 14:28:40 -0400 Received: from mail-qt1-f201.google.com ([209.85.160.201]:37001 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732749AbfCZS2g (ORCPT ); Tue, 26 Mar 2019 14:28:36 -0400 Received: by mail-qt1-f201.google.com with SMTP id f89so14453012qtb.4 for ; Tue, 26 Mar 2019 11:28:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=4G8m95jwtwdfjA5z7EFk9aUl9ztD0RqYosPZp4xmjEc=; b=h7dNOb7RQMavv0sp0Zow1gRw63LnZH39UfrTPdhj02fkrvrZrEAZH78cfkEj+UQc+0 CJjusC/IoWX8sWu5YfQZWyBfIgCg1kdW7WmC1R0rHpjM1s0mtPsNpGYbUAw46xxOqXel 5tAmEK9SZvRqh7JM+1CynPqgm4agy0u9BCaznisqLEyI4iz7fwYVAXlnEe3mqReVkYi5 4mr/vqCxtGCrvpZY5FgmdB521DBRBqUSK5XY3wb/gMVqgChTLP1opGEFzTWsSfXhNHwd HVr3wnpU0+ls7oaLhQK8AaYMFujCCN2584QK2ScCQc8RLOMnVgvxdxBTdqIU+FBrYXyX 6JOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=4G8m95jwtwdfjA5z7EFk9aUl9ztD0RqYosPZp4xmjEc=; b=IXm5Gk9OgxvueySvAjRHgZbYGy0DlsCS3PKTGZpj7Fe+oQTR7uM3P17V1QPgF3HHfi nb70F3bDn8qB1WRDpL61/mlzSLWNTVoj3fZ3Ifr2C6pro04ihNMme61+qHeZUushiwEK fyJdaItHEN01z+QyVvPOKGGEGAuLTCg+4PuHXbN0aoShdxtsMj+XHjG16YUr5IR8f58X BprO1v8vSqLFSNS1RECz4WlBK2+CoLBQnYbUsTlfo5+M4z+OmWqPlFwUmEoEpInWbsQp S1p4GP6MQ3pLU9C3nFurHEeSgOJt5yevGATzv3mniab6/uCvbePr778TRdJ4VrA+dpKr w20Q== X-Gm-Message-State: APjAAAXSMxeciuy3vjmcrKh6wnaREAeCUViKSXmpPS66baf+IiDGU6gQ 3PCubLNMJ+gSqRHNwsCGefWBxU+8Z9//0N+Bk3/Biw== X-Google-Smtp-Source: APXvYqxQhg0QFZGUTOuDkDlVLMMfRXQc/lsxF8gnvkp3TvGjpj2EedXHo5jW5sl13rNyrq6r75ypdN01tARzQW4WSXWCWQ== X-Received: by 2002:a05:620a:1428:: with SMTP id k8mr24386884qkj.185.1553624915314; Tue, 26 Mar 2019 11:28:35 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:32 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-17-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 16/25] Prohibit PCMCIA CIS storage when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Dominik Brodowski , Matthew Garrett Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- drivers/pcmcia/cistpl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c index ac0672b8dfca..9e23300a55e5 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -1578,6 +1578,10 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; + if (kernel_is_locked_down("Direct PCMCIA CIS storage", + LOCKDOWN_INTEGRITY)) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); if (off) From patchwork Tue Mar 26 18:27:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055064 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36437C43381 for ; Tue, 26 Mar 2019 18:28:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0ABF720866 for ; Tue, 26 Mar 2019 18:28:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Z7k55eRQ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732462AbfCZS2l (ORCPT ); Tue, 26 Mar 2019 14:28:41 -0400 Received: from mail-qt1-f202.google.com ([209.85.160.202]:37946 "EHLO mail-qt1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732784AbfCZS2i (ORCPT ); Tue, 26 Mar 2019 14:28:38 -0400 Received: by mail-qt1-f202.google.com with SMTP id v18so14455736qtk.5 for ; Tue, 26 Mar 2019 11:28:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=h9EnFy04jMHVM1ZMNH2nx3A+bDTELFHTwxmLElxP71o=; b=Z7k55eRQRYGcZah8QOHEIlHkH8KCl4gYI7fGrsmv4pyVRN2TE0VQxMVCfKBoCJFYcV kvxQC/SOAqFtnWiz6XNtEHDlp0wdjYRXLoWdNGYNtazGpr1wIYh7W9UzmDh5iZf7wwKM bpBIXO6ymj34WPya4v+dPjhxdGs93VkG7jXgcc7DLXNfHMLrPcWGD1nX79BWUY3qY48s DgpRcNhmY8ZJAqANIbasB7lKFamqPuXlJZNJNd40vPj/fgZvScq0VExRxburPO3qk/JN 1PtAOp8+Mk7977nxUVBg5Z6w7LvRhumrO/NQ7JKIlm0NMH9sDbothKVECbiaIBhj6xzz yUIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=h9EnFy04jMHVM1ZMNH2nx3A+bDTELFHTwxmLElxP71o=; b=hzVTD6tsM6RSNaR2cFrHIws7X55KDgv1e4OMIsDCL4Q9oRAEmZufKdt1BXf2vNVYjI ol59BAI1xfgR0rCd4Ia/iuC4udQJySNz04U0b9AOUdscPRRzMIF/w4XEnjmlnEJcq401 BvDSOudZ1T5n91Up0QN2erZy+QipHnV9bgCUX8R6n913HydGNfvpkt+bTnuJA82CBXQG tCTaCzFeH/d+PuB6aDV/R7s8BDaMuXsPMByJCI6p1icIUsoXA6/rnSba1JU6AbqXh/pj z5fWsT9AuxZfXHCAgLgf6/5jXyJcPO38JMNTD4IeXEPxHH5LJBeGaXL8qAnIf6c2jmJ4 5dJA== X-Gm-Message-State: APjAAAW8YLukkON1DyOrU+DW1pDD8NrUb0ugawQn8tTLEVkWm6jIHd+z hpOsVZK3xNqmUvCxmsRcYUqY2flbDpHETP7hCg4UJA== X-Google-Smtp-Source: APXvYqxdTd1jUs6dwf4ovhU+ZzR5OkjsK7SluXNtMP4TQSlVeJye4bUNfuWPhjrz9fQ9H73M9kP4eC8pkZdt7zfnoeQ90g== X-Received: by 2002:a37:a797:: with SMTP id q145mr2953780qke.292.1553624917716; Tue, 26 Mar 2019 11:28:37 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:33 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-18-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 17/25] Lock down TIOCSSERIAL From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Greg Kroah-Hartman , Matthew Garrett , Jiri Slaby , linux-serial@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: Jiri Slaby Cc: linux-serial@vger.kernel.org --- drivers/tty/serial/serial_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index d4cca5bdaf1c..65b67f0d4386 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels", LOCKDOWN_INTEGRITY)) { + retval = -EPERM; + goto exit; + } + if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || From patchwork Tue Mar 26 18:27:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055065 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C64AFC43381 for ; Tue, 26 Mar 2019 18:28:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9C260208E4 for ; Tue, 26 Mar 2019 18:28:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="lAD+Qzjy" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732831AbfCZS2p (ORCPT ); Tue, 26 Mar 2019 14:28:45 -0400 Received: from mail-oi1-f201.google.com ([209.85.167.201]:53353 "EHLO mail-oi1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732806AbfCZS2k (ORCPT ); Tue, 26 Mar 2019 14:28:40 -0400 Received: by mail-oi1-f201.google.com with SMTP id c21so5714063oig.20 for ; Tue, 26 Mar 2019 11:28:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=e4y+ZQyWx4Nt0qrBtIg+M07eqiLDT0f94JTcXc0xkLQ=; b=lAD+QzjyPkuMWI1jtrwYUcf9ZLsCsgEAV8IiHR2c/Giu1mweyB6KOIX9V7bRUMz3KS 21b4OTxu7xK5eC1N0v77eagIpq/LbKXwRJS5XlQ4ux8JVVcGH/79E9Aqu/MlHN+BG83Q s63yKyZH0rorrlhZwK4+OD/kLn5ykpACdXHTMpCcfhVzKV8mm56UXHrvwTEyIKgMLYwm 9+nV2/SVnS29ukwpXBcLbBMVsylFeXxX3Dj86XBbxl6L2a9j4b0wOHCTSIs7/9yqe5xK dXu5KTEuDJcq3bINEDmkRQmgq1sNVXBJ2s3Tt6W87zlrp3KwKRdoIU0KG8z2jTxMlJO8 svBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=e4y+ZQyWx4Nt0qrBtIg+M07eqiLDT0f94JTcXc0xkLQ=; b=LILLvBLxzjFFOoivelBFDI8NFgtVc+bqYqfEjtRtKqlxlRoWW/yjQxQGTqmVEpWlRl iwZk6Vk7q6JjCgaj5Jy/Cfg53gDDedeOKfPRooeCurDlxXUGBIri1X1zadxtDG4tAjBQ Ly+SfF9fjLKxelh+nxKkWjHov2h6+9wP+6OkUtQ38sXVf2X4t+DO2npvQN8teOm/rBKX oS7XL/SagfMl0/aggCzfmotHK+EkPvZZooYo5scnoL0mqKTE0S+bqsZetDjcpXP2bVL2 Xw6Va8Dryay/HXUhrqCcn6Phz3sLl2vp4jeKcF6EFjhBOwfbEd8GJg7sJIkOkc5eZKG7 LwMg== X-Gm-Message-State: APjAAAVnkU3d278WHWqyZvEyZa6V+f06o+g3lvNJhUogzTo9iEXe1ufq 7URD0QrL1NymdKYOhklY9MHlE28+KxDohY3InaiRJA== X-Google-Smtp-Source: APXvYqxKOCWDIgBn5rlg5DtWC2EvLiyCBHCBifCiS+zDJTN3dSw5kDx/CYcMYlbSMIB7aU/iaezdCEW+L4pijefSPl72Ng== X-Received: by 2002:aca:3d44:: with SMTP id k65mr15898886oia.143.1553624920139; Tue, 26 Mar 2019 11:28:40 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:34 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-19-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 18/25] Lock down module params that specify hardware parameters (eg. ioport) From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alan Cox , Matthew Garrett Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c index ce89f757e6da..da1297f7cc26 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) { if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { pr_notice("Setting dangerous option %s - tainting kernel\n", kp->name); add_taint(TAINT_USER, LOCKDEP_STILL_OK); } + + if (kp->flags & KERNEL_PARAM_FL_HWPARAM && + kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels", LOCKDOWN_INTEGRITY)) + return false; + return true; } static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, params[i].ops->set); kernel_param_lock(params[i].mod); - param_check_unsafe(¶ms[i]); - err = params[i].ops->set(val, ¶ms[i]); + if (param_check_unsafe(¶ms[i], doing)) + err = params[i].ops->set(val, ¶ms[i]); + else + err = -EPERM; kernel_param_unlock(params[i].mod); return err; } @@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else +#define mod_name(mod) "unknown" +#endif + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ static ssize_t param_attr_store(struct module_attribute *mattr, struct module_kobject *mk, @@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); + if (param_check_unsafe(attribute->param, mod_name(mk->mod))) + err = attribute->param->ops->set(buf, attribute->param); + else + err = -EPERM; kernel_param_unlock(mk->mod); if (!err) return len; From patchwork Tue Mar 26 18:27:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055072 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3FB7C43381 for ; Tue, 26 Mar 2019 18:29:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8489C206DF for ; Tue, 26 Mar 2019 18:29:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="f1UEVtxL" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732547AbfCZS30 (ORCPT ); Tue, 26 Mar 2019 14:29:26 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:50190 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732804AbfCZS2o (ORCPT ); Tue, 26 Mar 2019 14:28:44 -0400 Received: by mail-vk1-f201.google.com with SMTP id k78so5823904vkk.17 for ; Tue, 26 Mar 2019 11:28:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=CCajKTRONhdynt5B0tRKLHYn7gScHVmkVEVnwB9DKOM=; b=f1UEVtxL0EVlbPLDdmHVG79aucAXc1fBqJUwg7tt7fSA+AaesqY3P1p2ZfzU8cEB3n 03bsTL9VAsQne/n8Nhvw1sWnpcWum4Nqv3Yd9wb0ciIhqZ81AcSWIwiSc4FpvQcIXzja GBTM5kZH/0zi5Ne9dZ+ikq9lnF2Q32FFRZvvpt9YRkY75BhFAUNRNgck5+N1zyk4f1qA vMNtUXdf9cac4ri6xntmYw06VGoUUZsq8lxd2e2TecdKei4KeSsc3xhm0MGSU87S8/FC RxRKWWq47aOtlEK1k4qA6SDhvIGzXiN34T2kO23uj22gg09sBp27vGRNkphNud+PLe70 YX9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=CCajKTRONhdynt5B0tRKLHYn7gScHVmkVEVnwB9DKOM=; b=FP/+rvX6Pv1P+gBjYi4dMP0dJpkBz3QxMOzttK+Krk+/ZriewOvhWYrHZbuej6hifS Tez18sgMm/gyRx07fQMgIYV0wlfYUtkEfR7JEndJW+INdcQ3XNZAG/xQKY/ObmNRLivY LbGBhOjcQFURZaOBg01cT5XJc1ZPGc0/7+qbQda5b6XQro9sLqbDtXGepJ6E3Xj6r/dQ m/1uEkNi2+YN3d65N0yUnav0SdB1qsJ7V8oNJlux59jQk2/A5rXNCetUjWBn4aHgTS2b 4m0EJbGG7uWNKUO1dNbCCsV9fnpAN24N63uIoMZ4U3cDYHI4Y4/yL/Jh+ZYI573ghDEZ akfQ== X-Gm-Message-State: APjAAAXDsdZCFyzcs3BMirRDjOhFRcRYn0BXfYQNqbP4o/3Z0vhJPuaS ArFAbvDE+x5l03hs4fIJW1F1dQoVp1ry/Dr5Y75wZw== X-Google-Smtp-Source: APXvYqz5uwzG+qKt/vXAWjIFjKNq6CxLPDoTjZaK9Y+pyALLrDT+Cci9K4q1KvaMk9n8XrM1s9rc/+mImVPEnueEPe9h4A== X-Received: by 2002:a67:e405:: with SMTP id d5mr11689528vsf.236.1553624922695; Tue, 26 Mar 2019 11:28:42 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:35 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-20-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Thomas Gleixner , Matthew Garrett , Steven Rostedt , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. This is a runtime check rather than buildtime in order to allow configurations where the same kernel may be run in both locked down or permissive modes depending on local policy. Suggested-by: Thomas Gleixner Signed-off-by: David Howells cc: Thomas Gleixner cc: Steven Rostedt cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org Acked-by: Steven Rostedt (VMware) --- arch/x86/mm/testmmiotrace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index f6ae6830b341..9e8ad665f354 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c @@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); From patchwork Tue Mar 26 18:27:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055066 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E16B2C43381 for ; Tue, 26 Mar 2019 18:28:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BA3702087C for ; Tue, 26 Mar 2019 18:28:51 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="IireMRZb" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732851AbfCZS2u (ORCPT ); Tue, 26 Mar 2019 14:28:50 -0400 Received: from mail-qt1-f202.google.com ([209.85.160.202]:37949 "EHLO mail-qt1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732806AbfCZS2q (ORCPT ); Tue, 26 Mar 2019 14:28:46 -0400 Received: by mail-qt1-f202.google.com with SMTP id v18so14456039qtk.5 for ; Tue, 26 Mar 2019 11:28:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=i92ao4UQPXz3UyfztS9poQmhL/y3JHZOqS1ytGgJ0IM=; b=IireMRZbHx4vA3G+/KY1Qp86vmqOO6m0TVHgQHNQc+DBPoZ/Ypi0LkIWmaO3+z2s/m 5C1L/OQacdr55cpK+BtdpqB1jMJ3ddX/JBAV/dGbD35Qq1bdCKpTUIiOuFos3WkJG+KT TtE03CjoZl4K4rqofSP9GDPM85kvl055ArYJIhbb7HiLBrrphd/IP0YCb7aRPM+WYo0q gqP37V6kBTTxQd2WlFY2084Ber08eBTVOKVw7PeBKH9Io3PY3hSK0lbKZky3cv9WE65z s+r4hpr41eMuC74315P0niUfnwjt0AqBQ9TfKQ+j6wrbZNXrQlm3aGZQxASMtyXGY5bI YDBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=i92ao4UQPXz3UyfztS9poQmhL/y3JHZOqS1ytGgJ0IM=; b=KO7vcDFoanleEsLOZbCAtyx3A9/RSUkjvv6+21vVbVSCjO2KW4WahPky1EkZv0pSj6 PRJIsk34jXI6ADgq4HBlaav9m9ydjNAJ5w+IaGy9MvsCiXLrXCao26euhKR15GF/RQlQ LWdU3OE8pfX00DhUKcAcZtpyDe8Zkf7MEnxKjwemmr3+IxD5nlK0Ffgb3vtER0d0bm1L lv6GT2D6BrQMqVy2VtzP7p+f+nfiz5EoNCBg89bqKCt+bWXgea/ndNvq6eFDQranSYqI WeQPYpOsufRAg+4Z9aC9cLQeaTLlao3Z0bt3PsX5CCguxNvXG4Og23O3eD5Q8yhfFBqL MDdw== X-Gm-Message-State: APjAAAULb5/13P+9u8a5H/558Ejzhj26yO7y/Bo1lk5rYqGOK8axh5Fj x6TilkNqNm9d1W8ynNVRtvqTJpsOgQcba1UZIRkzZQ== X-Google-Smtp-Source: APXvYqypggcG2fCExyn/1b0Jk74TXG8U+m5+z6/9Pu2BcIHAegaLxb67Ayhs7PmQ7gKNqObF+HrvkXaEizoEZ77vQGVIgw== X-Received: by 2002:a0c:d413:: with SMTP id t19mr26692906qvh.8.1553624925174; Tue, 26 Mar 2019 11:28:45 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:36 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-21-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 20/25] Lock down /proc/kcore From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode. Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index bbcc185062bb..1c556a453569 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; From patchwork Tue Mar 26 18:27:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055071 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45B0EC43381 for ; Tue, 26 Mar 2019 18:29:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0AEE720700 for ; Tue, 26 Mar 2019 18:29:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="wN0OIU1H" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732931AbfCZS3U (ORCPT ); Tue, 26 Mar 2019 14:29:20 -0400 Received: from mail-qt1-f201.google.com ([209.85.160.201]:42134 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732832AbfCZS2t (ORCPT ); Tue, 26 Mar 2019 14:28:49 -0400 Received: by mail-qt1-f201.google.com with SMTP id n10so14436801qtk.9 for ; Tue, 26 Mar 2019 11:28:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=Ma5wFY8S+zLWiDtQQwXloQOufb4HtIW6yNfW58R46nU=; b=wN0OIU1HzFEnoV/MZj6PHWhTJfdiTInfVQklLLV38xbLMNs2qONKeSBC8YID/jggEH t/1BopOkbJq1ePdwJ+QdFX7IctHJCxejZ3vf2jLDkjb3qnbZWMwH8eR/WUCB8Q5Th/Ez 4lrlGF72lQ48rIq//y3d2kcNqTVMHtToNl/cbQCf2DzfZZG+EjUqxiX4YFqpg71sB+3K 4F64WWZw8uoy6mXFzkzm4yC/FjOfp8xhXFADBtx6zsC84pABkQC1Oh53fW8hNhMTWWqZ fpvmV869hLUznUiw3l7GE6Wlbk40rS3dJJXRhoC6YMJHivTGDpfIWVe8mY/XJ/XO+/57 VC6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=Ma5wFY8S+zLWiDtQQwXloQOufb4HtIW6yNfW58R46nU=; b=FMy9oOuO7Yz7ozP1WtRPze+vjgakknPVbj7jbCFhVosQRKZE4V8gvUeRUTLrGZAFpc vGBe8DOY2ZgRfrBW1R0ssiyCClbehI3uCux47U1++xoN2a1u4CDpcYPnOzexYncVqOHq WUdV4QTXbKIShLHWcRrpNd8JO+VPJ8avRMUQhLDq1/Bye6yf4JYX2WsqtPC4j9ALJafb yNtSFaKvTqhm9JTW37qcT/M+2RWgTa62FF37TkO0lGENtK1L0bvqsATGiD02MY4Ec2SD SLxJiNekU6ozt2+Ztdxk8opFNDpGhVeRx0s14bHgktkc3yzluxYBCdlh6tawMlCECcCH LWSw== X-Gm-Message-State: APjAAAVeG+601BCe9knikjPSlMWWDY+OHyLQ2VxZj4bnpvYBNc9jomnf mAokys1jBZ0q2yWKql/1pfR6SmYOORKkd9eyClDgeQ== X-Google-Smtp-Source: APXvYqwe4mmFrCuPysLxkasGyEoSo4wHh50ua9s3bXX44JvYkgrjNaVz/zCC7KJz3TKl7vwF7Bx3Swls6JSZeKjjZ97dXQ== X-Received: by 2002:a05:620a:153b:: with SMTP id n27mr23767904qkk.343.1553624927797; Tue, 26 Mar 2019 11:28:47 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:37 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-22-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 21/25] Lock down kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov , Matthew Garrett , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net, Masami Hiramatsu Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the creation of kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- kernel/kprobes.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index f4ddfdd2d07e..b9781bd2db8c 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr)) From patchwork Tue Mar 26 18:27:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055067 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7CB94C10F05 for ; Tue, 26 Mar 2019 18:28:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5393E2084B for ; Tue, 26 Mar 2019 18:28:55 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="lv/FPdRA" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732876AbfCZS2x (ORCPT ); Tue, 26 Mar 2019 14:28:53 -0400 Received: from mail-oi1-f201.google.com ([209.85.167.201]:52857 "EHLO mail-oi1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732806AbfCZS2v (ORCPT ); Tue, 26 Mar 2019 14:28:51 -0400 Received: by mail-oi1-f201.google.com with SMTP id s133so5720130oif.19 for ; Tue, 26 Mar 2019 11:28:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=/UVUOH/6siV2b/2LDB8wDIhEmSTMU547j99QGLitSA4=; b=lv/FPdRA1RfB3vLPLo6Ht+4Uq/7S0A/5brocYyTzI3Cf2VUnSQ0RmEPSquMVKX6uD/ zrJp1bviYSiy6SZJcrSi/SnU87S//a3xTTx7d70ujTGBa19BZ9d9eIyQ09yXI5ydGDm3 smeM5uI0HkkoRudgW/7BwSzvYdn15I5Yz2VcXUuI/bHa1I+JU653xnazjSzECXoneTPe v1cOzCuVgxkyoJ9o43anec390AhCSqaQ43q4Y/AlB4htB/+T7rAzeG+CKI6r+eVG7ng+ iYwL4rTtcFO/MU3+KOdZahY6L4QxGGU3QfQMGKQiCJGn8N0OSOLJy8xVW6rUeAIuOxsx c/+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=/UVUOH/6siV2b/2LDB8wDIhEmSTMU547j99QGLitSA4=; b=Z/TW9gCZ9EnI0VKIseh2pTWvrX0WGrJvR7PyO3u/THI/Y8oE9taNmJtcYlLeMdoyOn bbfQYjlD557gNBOk8xfameJldV4LVM1RFl1oNHgMVVq4SmE3RlYupAw3/OvDBzY/Jc12 88gC2O3ARez6Bw6+SZUjfS5zTO6aQhFyaUeXUZpLZE6CV1RHnB0/EnW5jiJWc43k+Nn6 h43i+Y/zBHGD5wh2sqLPWwk5EKXANTmvLLoxkEBIa5sPoVvMeQrpk0MGriuwLfVsR7bv ZF/dFuDeTPXNic7rA0B0pCnybVRETRi/5rV4nqIi2SA/lZYTjV85iAoly2vuQvxddgud 4jPA== X-Gm-Message-State: APjAAAUYBfBPQ/pN4yrJ3z+afKAIwm6GZ8UCrKNjmfNKDLeK78KAzUhi ZoyX2XYC72m8AGM7SnH8wv46K6xB9r+RreJbmqzf7w== X-Google-Smtp-Source: APXvYqyAbat3PPV8AUkDGHHq4kmMbVqdPiRxqPB9rTmjyAlQ7tu5Vz3fAT5SgF1mWOwG5CrW9kJuVlZEyPz2qkjecy/Upg== X-Received: by 2002:aca:558d:: with SMTP id j135mr16551138oib.49.1553624930168; Tue, 26 Mar 2019 11:28:50 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:38 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov , Matthew Garrett , netdev@vger.kernel.org, Chun-Yi Lee , Daniel Borkmann Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells There are some bpf functions can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Disable them if the kernel has been locked down in confidentiality mode. Suggested-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann --- kernel/trace/bpf_trace.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 8b068adb9da1..9e8eda605b5e 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); @@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. @@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, char buf[64]; int i; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * bpf_check()->check_func_arg()->check_stack_boundary() * guarantees that fmt points to bpf program stack, @@ -535,6 +543,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing From patchwork Tue Mar 26 18:27:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055068 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 193B3C43381 for ; Tue, 26 Mar 2019 18:28:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E26952084B for ; Tue, 26 Mar 2019 18:28:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Cuvbwz8H" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732897AbfCZS24 (ORCPT ); Tue, 26 Mar 2019 14:28:56 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:42284 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732881AbfCZS2x (ORCPT ); Tue, 26 Mar 2019 14:28:53 -0400 Received: by mail-pf1-f201.google.com with SMTP id f67so12469631pfh.9 for ; Tue, 26 Mar 2019 11:28:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=H3HRoHYDWMArQkaxv1MNV9sbVAN4QTLQDsX3m+S9eoU=; b=Cuvbwz8H/UPT74uyS/N/4qnzLflOCWavMy5nGUSyYS7YEzjkinR90BjdsCrgcJkE3I nx4KbkC9dnoe9GkBObKBMRpDYEdqno8HqIh6XA2YCeqV6CvG7JzzRNQF6q8pd5BERf2L RFxm3yO2wG89tTrr53Mp5FuBliWeQ+U4jl6R2mVmbyq/irL9EVf0dyxEQAXY+gsnOrUa sjp/qtKV1gEMDqiY5H2Ik89SIJ7l/HNOQiiyV055Dk+vHQVGGJnndcLvaKRB3EJIEJ7P b5O2WEtybYZzvX3/wEfbV1lJ62nVHR0Vg+h1YgKtbRZ41TCuXQBY+ohnhrP2W4Cl8SFS GMMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=H3HRoHYDWMArQkaxv1MNV9sbVAN4QTLQDsX3m+S9eoU=; b=jnKhZnZrGrt6pBB2jz3jAh5ZYhoFxR0fuaveYJ/JQiYZyVMMWOsJ7cqmL5hz4Qjffw Q4vpmo2BALPqDDrf6tHQnb+MYOqII1eMGAaAn9dUvCGGbZDKduEwSVKFzzcP3CyTSbUM uk2Mc0Qu10W3dI74kHze4SjTj5kPO18avjOHuVRu0Be3GaufBiczdH+Fw564Nv0vr7RU uSgEQsbAhMUVS7wuPUHerSKipN3EzFktLLjC6MdPqu1OHwwqCSnZultxPAjRVq4DH7UR 4nyGNgqzOdUrB3yzfUe9cjAfa0lwKnqfdKniI95rn/vtbxwualP3A8zspjvFmo+9hMXu u/eg== X-Gm-Message-State: APjAAAUmPl3SujxayNoTm1MXWk2EnBgr9J8WSqm8Wp4/2ZWq1YIVDLfH Ryo1YszD+1O3edMAo4V4PDatoJLrosSOFV87yX36bg== X-Google-Smtp-Source: APXvYqwphmFpi3T6TN1vNeRaZ63APL0Md38wVERg+esYXiBHNy7zUZ/YoDtb9yiRRaTqqwrQlnsrIfBnrwPddl2w0CiOFw== X-Received: by 2002:a63:f146:: with SMTP id o6mr29796370pgk.360.1553624932579; Tue, 26 Mar 2019 11:28:52 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:39 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-24-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 23/25] Lock down perf when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo --- kernel/events/core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index 3cd13a30f732..6ad3d83c091c 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10461,6 +10461,12 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR", + LOCKDOWN_CONFIDENTIALITY)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return -EPERM; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) From patchwork Tue Mar 26 18:27:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055069 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1ED9C43381 for ; Tue, 26 Mar 2019 18:29:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9DD8F206BA for ; Tue, 26 Mar 2019 18:29:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="R2jr48bz" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732915AbfCZS3A (ORCPT ); Tue, 26 Mar 2019 14:29:00 -0400 Received: from mail-qk1-f202.google.com ([209.85.222.202]:43024 "EHLO mail-qk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732891AbfCZS24 (ORCPT ); Tue, 26 Mar 2019 14:28:56 -0400 Received: by mail-qk1-f202.google.com with SMTP id m8so12378314qka.10 for ; Tue, 26 Mar 2019 11:28:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=ahwCRT59PUZ2OMjvkc7Um/co/AqhkFAUQugbjFE3pQg=; b=R2jr48bzMerg1oMgmmmSMR8HlYXKL/FiNAnxSWmcCueCQBGJw2kMfBP1Nz952fYkw0 zBz5k5I+oWx5YpGuyN8UqSbN973STVZEUATKECDMUb5svS2fWjQvt7fJEWLHBIMpvKQR C/P22YtQMfpusPgycXDw6S5EOrM2LaVN/i1Atun13qW8SO8k1BgLeiM3rFsUS6J6EN4j A/RsDbmdC/nSF42Vgk+LeCcwJDHXkWuek2Ou5bla/HgqZtwODBp8cVGYwB1D49tefdjL mYL23awC4c+Nv8UwxlbIZPdnFQlQjWNjHk/xls8WLrxuEqzUlYy5VSWjSF4rcy2Ulwku nLwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=ahwCRT59PUZ2OMjvkc7Um/co/AqhkFAUQugbjFE3pQg=; b=MQ+5c2I8Oy4oK6CvFPpZv0oky5p6vwU3hdnc9JnwKnGKoXYGjWyO6S/QzkwK/Jo91V ZGl8iClxxtOeRlJML1ka0QoWCpFXl2YOyyB7A7T7gP3t8YpMCgnY8CvimLA5VMmuLVy9 ReJ80XAyUkt5yE2IMdmaD298mwidDkpHAJcbqVqgMevJLX2t3A4nyBg4bSPNvumXMZUl +tfjKi2wbf+OY0tMH6oIzhVOFdorXVKnifrR15TcBXmJk+0oEMyMKzTF0bs7QneRspPM JFhSQy4SAfXvZJIyabDEwxX2Wk+TOuh00C043PdlN4hIyWN6eiCVXGhfnSCojEU5ZOhT MqlQ== X-Gm-Message-State: APjAAAVLYRU1rA6iRTPvvH0SAaa2dSCWzpqQJ+V3/2mAA8bWxf3LIjNo zl8hPck2P+2/9Kk6EsFtyRJmY4fDkAq9mJzsyy4D3g== X-Google-Smtp-Source: APXvYqy+PZO657NT2rtW8JWUD/4TRR5zbeRGjli9Y62NtWOMN/t8xuRoQeqW8HHqnCrtjXRhw6Wm22riuwZjNviQj7ZjFg== X-Received: by 2002:a0c:ad4a:: with SMTP id v10mr26132549qvc.232.1553624935093; Tue, 26 Mar 2019 11:28:55 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:40 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-25-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 24/25] lockdown: Print current->comm in restriction messages From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: : is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells Signed-off-by: Matthew Garrett --- include/linux/ima.h | 9 ++++++ kernel/kexec_file.c | 7 +++- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ security/lock_down.c | 4 +-- 6 files changed, 70 insertions(+), 4 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..05921227d700 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,4 +127,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_kexec_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index a1cc37c8b43b..7599039623a7 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = 0; - if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { ret = -EPERM; goto out; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..fe03cc6f1ca4 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -115,6 +115,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 4ffac4f5c647..106f06dee9d1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -442,7 +442,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 122797023bdb..f8f1cdb74a4f 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1341,3 +1341,53 @@ int ima_policy_show(struct seq_file *m, void *v) return 0; } #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. + */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ diff --git a/security/lock_down.c b/security/lock_down.c index 0f9ef4c30aa8..6bcffd0bb200 100644 --- a/security/lock_down.c +++ b/security/lock_down.c @@ -70,8 +70,8 @@ bool __kernel_is_locked_down(const char *what, enum lockdown_level level, bool first) { if ((kernel_locked_down >= level) && what && first) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - what); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, what); return (kernel_locked_down >= level); } EXPORT_SYMBOL(__kernel_is_locked_down); From patchwork Tue Mar 26 18:27:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 1055070 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E84AC43381 for ; Tue, 26 Mar 2019 18:29:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 50DD320700 for ; Tue, 26 Mar 2019 18:29:07 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="kKv5y01A" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732927AbfCZS3G (ORCPT ); Tue, 26 Mar 2019 14:29:06 -0400 Received: from mail-oi1-f202.google.com ([209.85.167.202]:50515 "EHLO mail-oi1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732899AbfCZS26 (ORCPT ); Tue, 26 Mar 2019 14:28:58 -0400 Received: by mail-oi1-f202.google.com with SMTP id x125so857811oix.17 for ; Tue, 26 Mar 2019 11:28:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=IoXKM0YaE9Y+1YAYJ3jkE86oI9WuPOYgAsUS7wsInCs=; b=kKv5y01A21+36GWT1D4YyTFV1FMwIxaRgmZ3DkG7OUNg1kOgHEFkifuJwfBADEAl9r UlrestlL5PTDbdz6BL4gJKhnoOiL1vt6dr3ZdGRhdBSNCWdatU+k6Gy8qNWZ8Fgoq+cp kt6JGA6vd9D1HMp1m015CDo9jp4DqGO8Z74WjSl6r2+IwhvaZfdS/iDxhepP7yVB2vYB pZ2hOElr5UfIyrvrEG3cWvVCW8h/vbp0iVdw4EvRzjyGPIHw2gzZ9ejJQczvsuqGkRn4 k3vQ6Ka5ApjuDBzlYiMO2QHGnjvPuRgtounl5Od9RHGDOsC40Fg7QEqqHostyWFT5ZvV VewQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=IoXKM0YaE9Y+1YAYJ3jkE86oI9WuPOYgAsUS7wsInCs=; b=tU35xsIMncbwyZiZQplJVzlDx3b6aDqL3zqkUopK3YZYE0lhMlrQGXZ2dukEWdY8Mt biPO+BEgamIk2MEdehogPgC29xa70oGki53RaIRjT/N3Y6EtiWFPJVksZqrmn7KBT4P6 04AiO/rm03XuzrV65s176n5uMzDSsodZVG8KlTqSdJu6L8SVOVDMCEUmyVqtJbgnPf43 y1FQ+mqwSyWwII9rjSRiqIlJQ1PL1Ye+J+tiER8KSBdAT/2nDqhhEZvt3zDhgJa2AyOZ 0A5ix5eDkpdlSNfJZ/1KTYxlQE0ASH7adByhaMB5esg9YB4Mx3qM+Si6uytCZuj9RTsb bOlA== X-Gm-Message-State: APjAAAXxmlWEyQf9OVd47GVT8NcZOM/hsTJovX/p8kSRCV3skKig7N6v GgFFzgNLiKj96ANqVRzYFFW5bnJFFcTKW4cbtC//4A== X-Google-Smtp-Source: APXvYqyjNbwetsmBZSAi0gFELSpsFCAArafwfWaxUI3YirST+VOWV22o0s3zFRN5vHlTvkKDMRzgm8tVZfCAaQC6/Njgyg== X-Received: by 2002:aca:4b56:: with SMTP id y83mr16163700oia.63.1553624937594; Tue, 26 Mar 2019 11:28:57 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:41 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-26-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , gregkh@linuxfoundation.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett debugfs has not been meaningfully audited in terms of ensuring that userland cannot trample over the kernel. At Greg's request, disable access to it entirely when the kernel is locked down. This is done at open() time rather than init time as the kernel lockdown status may be made stricter at runtime. Signed-off-by: Matthew Garrett Cc: gregkh@linuxfoundation.org --- fs/debugfs/file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 4fce1da7db23..9ae12ef29ba0 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -142,6 +142,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp) const struct file_operations *real_fops = NULL; int r; + if (kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY)) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r; @@ -267,6 +270,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp) struct file_operations *proxy_fops = NULL; int r; + if (kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY)) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r;