diff options
| author | Jeremy Cline <jcline@redhat.com> | 2018-10-23 14:36:56 -0400 |
|---|---|---|
| committer | Jeremy Cline <jcline@redhat.com> | 2018-10-23 14:36:56 -0400 |
| commit | 764628643cfcb53d59edf15adf7f32508a220c0e (patch) | |
| tree | 74ca9229375ba1562da2fee8ceb0f658f11f9bb8 /efi-lockdown.patch | |
| parent | 6fcbd945bc574b93b64a087473420454f2dda0e5 (diff) | |
| download | kernel-764628643cfcb53d59edf15adf7f32508a220c0e.tar.gz kernel-764628643cfcb53d59edf15adf7f32508a220c0e.tar.xz kernel-764628643cfcb53d59edf15adf7f32508a220c0e.zip | |
Sync up stabilization with f29
Diffstat (limited to 'efi-lockdown.patch')
| -rw-r--r-- | efi-lockdown.patch | 63 |
1 files changed, 11 insertions, 52 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch index c80bdb38f..f11505b9e 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -565,22 +565,21 @@ index d89bebf85421..da6f55c96a61 100644 for (i = 0; i < measure_entries; i++) list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); -@@ -471,11 +478,23 @@ void __init ima_init_policy(void) - +@@ -487,12 +494,24 @@ void __init ima_init_policy(void) + /* * Insert the appraise rules requiring file signatures, prior to - * any other appraise rules. + * any other appraise rules. In secure boot lock-down mode, also + * require these appraise rules for custom policies. */ -- for (i = 0; i < secure_boot_entries; i++) -- list_add_tail(&secure_boot_rules[i].list, -- &ima_default_rules); -+ for (i = 0; i < secure_boot_entries; i++) { + for (i = 0; i < secure_boot_entries; i++) { + struct ima_rule_entry *entry; + + /* Include for builtin policies */ -+ list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + temp_ima_appraise |= + ima_appraise_flag(secure_boot_rules[i].func); + + /* Include for custom policies */ + if (kernel_locked_down) { @@ -589,10 +588,9 @@ index d89bebf85421..da6f55c96a61 100644 + if (entry) + list_add_tail(&entry->list, &ima_policy_rules); + } -+ } - + } + for (i = 0; i < appraise_entries; i++) { - list_add_tail(&default_appraise_rules[i].list, -- 2.14.3 @@ -671,7 +669,7 @@ index a6e43a5806a1..9c1709a05037 100644 - } - /* Not having a signature is only an error if we're strict. */ -- if (err == -ENOKEY && !sig_enforce) +- if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not @@ -1524,45 +1522,6 @@ index 102160ff5c66..4f5757732553 100644 -- 2.14.3 -From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the - kernel is locked down - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program. - -Completely prohibit the use of BPF when the kernel is locked down. - -Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: netdev@vger.kernel.org -cc: Chun-Yi Lee <jlee@suse.com> -cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> ---- - kernel/bpf/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 0244973ee544..7457f2676c6d 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2031,6 +2031,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz - if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - err = check_uarg_tail_zero(uattr, sizeof(attr), size); - if (err) - return err; --- -2.14.3 - From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Wed, 4 Apr 2018 14:45:38 +0100 @@ -1738,9 +1697,9 @@ index 13b01351dd1c..4daec17b8215 100644 inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); -@@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) +@@ -515,7 +541,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); - + inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; |