From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
Matthew Garrett <matthewgarrett@google.com>,
Matthew Garrett <mjg59@google.com>,
Kees Cook <keescook@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: [PATCH V37 02/29] security: Add a "locked down" LSM hook
Date: Wed, 31 Jul 2019 15:15:50 -0700 [thread overview]
Message-ID: <20190731221617.234725-3-matthewgarrett@google.com> (raw)
In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com>
Add a mechanism to allow LSMs to make a policy decision around whether
kernel functionality that would allow tampering with or examining the
runtime state of the kernel should be permitted.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 2 ++
include/linux/security.h | 32 ++++++++++++++++++++++++++++++++
security/security.c | 6 ++++++
3 files changed, 40 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index aebb0e032072..29c22cf40113 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1807,6 +1807,7 @@ union security_list_options {
int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
#endif /* CONFIG_BPF_SYSCALL */
+ int (*locked_down)(enum lockdown_reason what);
};
struct security_hook_heads {
@@ -2046,6 +2047,7 @@ struct security_hook_heads {
struct hlist_head bpf_prog_alloc_security;
struct hlist_head bpf_prog_free_security;
#endif /* CONFIG_BPF_SYSCALL */
+ struct hlist_head locked_down;
} __randomize_layout;
/*
diff --git a/include/linux/security.h b/include/linux/security.h
index 66a2fcbe6ab0..c2b1204e8e26 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -77,6 +77,33 @@ enum lsm_event {
LSM_POLICY_CHANGE,
};
+/*
+ * These are reasons that can be passed to the security_locked_down()
+ * LSM hook. Lockdown reasons that protect kernel integrity (ie, the
+ * ability for userland to modify kernel code) are placed before
+ * LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel
+ * confidentiality (ie, the ability for userland to extract
+ * information from the running kernel that would otherwise be
+ * restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX.
+ *
+ * LSM authors should note that the semantics of any given lockdown
+ * reason are not guaranteed to be stable - the same reason may block
+ * one set of features in one kernel release, and a slightly different
+ * set of features in a later kernel release. LSMs that seek to expose
+ * lockdown policy at any level of granularity other than "none",
+ * "integrity" or "confidentiality" are responsible for either
+ * ensuring that they expose a consistent level of functionality to
+ * userland, or ensuring that userland is aware that this is
+ * potentially a moving target. It is easy to misuse this information
+ * in a way that could break userspace. Please be careful not to do
+ * so.
+ */
+enum lockdown_reason {
+ LOCKDOWN_NONE,
+ LOCKDOWN_INTEGRITY_MAX,
+ LOCKDOWN_CONFIDENTIALITY_MAX,
+};
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
@@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+int security_locked_down(enum lockdown_reason what);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1205,6 +1233,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
{
return -EOPNOTSUPP;
}
+static inline int security_locked_down(enum lockdown_reason what)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/security.c b/security/security.c
index 90f1e291c800..ce6c945bf347 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2392,3 +2392,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
call_void_hook(bpf_prog_free_security, aux);
}
#endif /* CONFIG_BPF_SYSCALL */
+
+int security_locked_down(enum lockdown_reason what)
+{
+ return call_int_hook(locked_down, 0, what);
+}
+EXPORT_SYMBOL(security_locked_down);
--
2.22.0.770.g0f2c4a37fd-goog
next prev parent reply other threads:[~2019-07-31 22:16 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-31 22:15 [PATCH V37 00/29] security: Add support for locking down the kernel Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 01/29] security: Support early LSMs Matthew Garrett
2019-07-31 22:15 ` Matthew Garrett [this message]
2019-07-31 22:15 ` [PATCH V37 03/29] security: Add a static lockdown policy LSM Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 04/29] Enforce module signatures if the kernel is locked down Matthew Garrett
2019-08-01 14:21 ` Jessica Yu
2019-08-01 20:42 ` Matthew Garrett
2019-08-08 10:01 ` Jessica Yu
2019-08-08 18:31 ` Matthew Garrett
2019-08-08 22:43 ` James Morris
2019-08-09 20:59 ` [PATCH V39] " Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 05/29] Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 06/29] kexec_load: Disable at runtime if " Matthew Garrett
2019-07-31 22:15 ` Matthew Garrett
2019-07-31 22:15 ` Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 07/29] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-07-31 22:15 ` Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-07-31 22:15 ` Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 09/29] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-07-31 22:15 ` Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 10/29] hibernate: Disable when " Matthew Garrett
2019-07-31 22:15 ` [PATCH V37 11/29] PCI: Lock down BAR access " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 12/29] x86: Lock down IO port " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 13/29] x86/msr: Restrict MSR " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 14/29] ACPI: Limit access to custom_method " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 16/29] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-07-31 22:16 ` Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 17/29] Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 18/29] Lock down TIOCSSERIAL Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 19/29] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-08-01 16:19 ` Jessica Yu
2019-08-01 20:44 ` Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 20/29] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 21/29] Lock down /proc/kcore Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 22/29] Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 23/29] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 24/29] Lock down perf when " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 26/29] debugfs: Restrict debugfs when the kernel is " Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 27/29] tracefs: Restrict tracefs " Matthew Garrett
[not found] ` <CGME20190813061053eucas1p1b6945259d9663b743e7cb32521d041e7@eucas1p1.samsung.com>
2019-08-13 6:10 ` Marek Szyprowski
[not found] ` <CGME20190813072111eucas1p2b87f3f8d16c22a0a3d024bc5ebcc8bcc@eucas1p2.samsung.com>
2019-08-13 7:21 ` Marek Szyprowski
[not found] ` <CGME20190814061246eucas1p128cae99a14f27bc79fa2aa72084a0413@eucas1p1.samsung.com>
2019-08-14 6:12 ` [PATCH] tracefs: Fix NULL pointer dereference when no lockdown is used Marek Szyprowski
2019-07-31 22:16 ` [PATCH V37 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down Matthew Garrett
2019-07-31 22:16 ` [PATCH V37 29/29] lockdown: Print current->comm in restriction messages Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190731221617.234725-3-matthewgarrett@google.com \
--to=matthewgarrett@google.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.