diff options
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r-- | efi-lockdown.patch | 1550 |
1 files changed, 0 insertions, 1550 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch deleted file mode 100644 index 8bce057fa..000000000 --- a/efi-lockdown.patch +++ /dev/null @@ -1,1550 +0,0 @@ -From e8b9c4420c929255708e0bff42142de49ff1971b Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 9 Apr 2018 09:52:45 +0100 -Subject: [PATCH 01/22] Add the ability to lock down access to the running - kernel image - -Provide a single call to allow kernel code to determine whether the system -should be locked down, thereby disallowing various accesses that might -allow the running kernel image to be changed, including: - - - /dev/mem and similar - - Loading of unauthorised modules - - Fiddling with MSR registers - - Suspend to disk managed by the kernel - - Use of device DMA - -Two kernel configuration options are provided: - - (*) CONFIG_LOCK_DOWN_KERNEL - - This makes lockdown available and applies it to all the points that - need to be locked down if the mode is set. Lockdown mode can be - enabled by providing: - - lockdown=1 - - on the command line. - - (*) CONFIG_LOCK_DOWN_MANDATORY - - This forces lockdown on at compile time, overriding the command line - option. - -init_lockdown() is used as a hook from which lockdown can be managed in -future. It has to be called from arch setup code before things like ACPI -are enabled. - -Note that, with the other changes in this series, if lockdown mode is -enabled, the kernel will not be able to use certain drivers as the ability -to manually configure hardware parameters would then be prohibited. This -primarily applies to ISA hardware devices. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - arch/x86/kernel/setup.c | 2 ++ - include/linux/kernel.h | 32 ++++++++++++++++++++ - security/Kconfig | 23 ++++++++++++++- - security/Makefile | 3 ++ - security/lock_down.c | 65 +++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 124 insertions(+), 1 deletion(-) - create mode 100644 security/lock_down.c - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 3d872a527cd9..cf2f3df1b8d7 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1005,6 +1005,8 @@ void __init setup_arch(char **cmdline_p) - if (efi_enabled(EFI_BOOT)) - efi_init(); - -+ init_lockdown(); -+ - dmi_scan_machine(); - dmi_memdev_walk(); - dmi_set_dump_stack_arch_desc(); -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index a8868a32098c..4e63db72cfea 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -350,6 +350,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) - { } - #endif - -+#ifdef CONFIG_LOCK_DOWN_KERNEL -+extern void __init init_lockdown(void); -+extern bool __kernel_is_locked_down(const char *what, bool first); -+ -+#ifndef CONFIG_LOCK_DOWN_MANDATORY -+#define kernel_is_locked_down(what) \ -+ ({ \ -+ static bool message_given; \ -+ bool locked_down = __kernel_is_locked_down(what, !message_given); \ -+ message_given = true; \ -+ locked_down; \ -+ }) -+#else -+#define kernel_is_locked_down(what) \ -+ ({ \ -+ static bool message_given; \ -+ __kernel_is_locked_down(what, !message_given); \ -+ message_given = true; \ -+ true; \ -+ }) -+#endif -+#else -+static inline void __init init_lockdown(void) -+{ -+} -+static inline bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ return false; -+} -+#define kernel_is_locked_down(what) ({ false; }) -+#endif -+ - /* Internal, do not use. */ - int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); - int __must_check _kstrtol(const char *s, unsigned int base, long *res); -diff --git a/security/Kconfig b/security/Kconfig -index 1d6463fb1450..44c6a0da6f21 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -229,6 +229,28 @@ config STATIC_USERMODEHELPER_PATH - If you wish for all usermode helper programs to be disabled, - specify an empty string here (i.e. ""). - -+config LOCK_DOWN_KERNEL -+ bool "Allow the kernel to be 'locked down'" -+ help -+ Allow the kernel to be locked down. Locking down the kernel turns -+ off various features that might otherwise allow access to the kernel -+ image (eg. setting MSR registers). -+ -+ Note, however, that locking down your kernel will prevent some -+ drivers from functioning because allowing manual configuration of -+ hardware parameters is forbidden, lest a device be used to access the -+ kernel by DMA. This mostly applies to ISA devices. -+ -+ The kernel lockdown can be triggered by adding lockdown=1 to the -+ kernel command line. -+ -+config LOCK_DOWN_MANDATORY -+ bool "Make kernel lockdown mandatory" -+ depends on LOCK_DOWN_KERNEL -+ help -+ Makes the lockdown non-negotiable. It is always on and cannot be -+ disabled. -+ - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -@@ -250,4 +272,3 @@ config LSM - If unsure, leave this as the default. - - endmenu -- -diff --git a/security/Makefile b/security/Makefile -index c598b904938f..5ff090149c88 100644 ---- a/security/Makefile -+++ b/security/Makefile -@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o - # Object integrity file lists - subdir-$(CONFIG_INTEGRITY) += integrity - obj-$(CONFIG_INTEGRITY) += integrity/ -+ -+# Allow the kernel to be locked down -+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o -diff --git a/security/lock_down.c b/security/lock_down.c -new file mode 100644 -index 000000000000..f35ffdd096ad ---- /dev/null -+++ b/security/lock_down.c -@@ -0,0 +1,65 @@ -+/* Lock down the kernel -+ * -+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#include <linux/export.h> -+#include <linux/sched.h> -+ -+#ifndef CONFIG_LOCK_DOWN_MANDATORY -+static __ro_after_init bool kernel_locked_down; -+#else -+#define kernel_locked_down true -+#endif -+ -+/* -+ * Put the kernel into lock-down mode. -+ */ -+static void __init lock_kernel_down(const char *where) -+{ -+#ifndef CONFIG_LOCK_DOWN_MANDATORY -+ if (!kernel_locked_down) { -+ kernel_locked_down = true; -+ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", -+ where); -+ } -+#endif -+} -+ -+static int __init lockdown_param(char *ignored) -+{ -+ lock_kernel_down("command line"); -+ return 0; -+} -+ -+early_param("lockdown", lockdown_param); -+ -+/* -+ * Lock the kernel down from very early in the arch setup. This must happen -+ * prior to things like ACPI being initialised. -+ */ -+void __init init_lockdown(void) -+{ -+#ifdef CONFIG_LOCK_DOWN_MANDATORY -+ pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n"); -+#endif -+} -+ -+/** -+ * kernel_is_locked_down - Find out if the kernel is locked down -+ * @what: Tag to use in notice generated if lockdown is in effect -+ */ -+bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ if (what && first && kernel_locked_down) -+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", -+ current->comm, what); -+ return kernel_locked_down; -+} -+EXPORT_SYMBOL(__kernel_is_locked_down); --- -2.20.1 - -From 2779f0447b80b3cf94fb0252a4b209aa36250ed6 Mon Sep 17 00:00:00 2001 -From: Kyle McMartin <kyle@redhat.com> -Date: Mon, 9 Apr 2018 09:52:45 +0100 -Subject: [PATCH 02/22] Add a SysRq option to lift kernel lockdown - -Make an option to provide a sysrq key that will lift the kernel lockdown, -thereby allowing the running kernel image to be accessed and modified. - -On x86 this is triggered with SysRq+x, but this key may not be available on -all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h. -Since this macro must be defined in an arch to be able to use this facility -for that arch, the Kconfig option is restricted to arches that support it. - -Signed-off-by: Kyle McMartin <kyle@redhat.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: x86@kernel.org ---- - arch/x86/include/asm/setup.h | 2 ++ - drivers/input/misc/uinput.c | 1 + - drivers/tty/sysrq.c | 19 ++++++++++----- - include/linux/input.h | 5 ++++ - include/linux/sysrq.h | 8 +++++- - kernel/debug/kdb/kdb_main.c | 2 +- - security/Kconfig | 11 +++++++++ - security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++ - 8 files changed, 87 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h -index ed8ec011a9fd..8daf633a5347 100644 ---- a/arch/x86/include/asm/setup.h -+++ b/arch/x86/include/asm/setup.h -@@ -9,6 +9,8 @@ - #include <linux/linkage.h> - #include <asm/page_types.h> - -+#define LOCKDOWN_LIFT_KEY 'x' -+ - #ifdef __i386__ - - #include <linux/pfn.h> -diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 26ec603fe220..a73e92490286 100644 ---- a/drivers/input/misc/uinput.c -+++ b/drivers/input/misc/uinput.c -@@ -366,6 +366,7 @@ static int uinput_create_device(struct uinput_device *udev) - dev->flush = uinput_dev_flush; - } - -+ dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; - dev->event = uinput_dev_event; - - input_set_drvdata(udev->dev, udev); -diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index fa0ce7dd9e24..06c60fed7656 100644 ---- a/drivers/tty/sysrq.c -+++ b/drivers/tty/sysrq.c -@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { - /* x: May be registered on mips for TLB dump */ - /* x: May be registered on ppc/powerpc for xmon */ - /* x: May be registered on sparc64 for global PMU dump */ -+ /* x: May be registered on x86_64 for disabling secure boot */ - NULL, /* x */ - /* y: May be registered on sparc64 for global register dump */ - NULL, /* y */ -@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) - sysrq_key_table[i] = op_p; - } - --void __handle_sysrq(int key, bool check_mask) -+void __handle_sysrq(int key, unsigned int from) - { - struct sysrq_key_op *op_p; - int orig_log_level; -@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask) - - op_p = __sysrq_get_key_op(key); - if (op_p) { -+ /* Ban synthetic events from some sysrq functionality */ -+ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && -+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) -+ printk("This sysrq operation is disabled from userspace.\n"); - /* - * Should we check for enabled operations (/proc/sysrq-trigger - * should not) and is the invoked operation enabled? - */ -- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { -+ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { - pr_info("%s\n", op_p->action_msg); - console_loglevel = orig_log_level; - op_p->handler(key); -@@ -579,7 +584,7 @@ void __handle_sysrq(int key, bool check_mask) - void handle_sysrq(int key) - { - if (sysrq_on()) -- __handle_sysrq(key, true); -+ __handle_sysrq(key, SYSRQ_FROM_KERNEL); - } - EXPORT_SYMBOL(handle_sysrq); - -@@ -659,7 +664,7 @@ static void sysrq_do_reset(struct timer_list *t) - static void sysrq_handle_reset_request(struct sysrq_state *state) - { - if (state->reset_requested) -- __handle_sysrq(sysrq_xlate[KEY_B], false); -+ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); - - if (sysrq_reset_downtime_ms) - mod_timer(&state->keyreset_timer, -@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, - - default: - if (sysrq->active && value && value != 2) { -+ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? -+ SYSRQ_FROM_SYNTHETIC : 0; - sysrq->need_reinject = false; -- __handle_sysrq(sysrq_xlate[code], true); -+ __handle_sysrq(sysrq_xlate[code], from); - } - break; - } -@@ -1096,7 +1103,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, - - if (get_user(c, buf)) - return -EFAULT; -- __handle_sysrq(c, false); -+ __handle_sysrq(c, SYSRQ_FROM_PROC); - } - - return count; -diff --git a/include/linux/input.h b/include/linux/input.h -index 7c7516eb7d76..38cd0ea72c37 100644 ---- a/include/linux/input.h -+++ b/include/linux/input.h -@@ -42,6 +42,7 @@ struct input_value { - * @phys: physical path to the device in the system hierarchy - * @uniq: unique identification code for the device (if device has it) - * @id: id of the device (struct input_id) -+ * @flags: input device flags (SYNTHETIC, etc.) - * @propbit: bitmap of device properties and quirks - * @evbit: bitmap of types of events supported by the device (EV_KEY, - * EV_REL, etc.) -@@ -124,6 +125,8 @@ struct input_dev { - const char *uniq; - struct input_id id; - -+ unsigned int flags; -+ - unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; - - unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; -@@ -190,6 +193,8 @@ struct input_dev { - }; - #define to_input_dev(d) container_of(d, struct input_dev, dev) - -+#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 -+ - /* - * Verify that we are in sync with input_device_id mod_devicetable.h #defines - */ -diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h -index 8c71874e8485..7de1f08b60a9 100644 ---- a/include/linux/sysrq.h -+++ b/include/linux/sysrq.h -@@ -29,6 +29,8 @@ - #define SYSRQ_ENABLE_BOOT 0x0080 - #define SYSRQ_ENABLE_RTNICE 0x0100 - -+#define SYSRQ_DISABLE_USERSPACE 0x00010000 -+ - struct sysrq_key_op { - void (*handler)(int); - char *help_msg; -@@ -43,8 +45,12 @@ struct sysrq_key_op { - * are available -- else NULL's). - */ - -+#define SYSRQ_FROM_KERNEL 0x0001 -+#define SYSRQ_FROM_PROC 0x0002 -+#define SYSRQ_FROM_SYNTHETIC 0x0004 -+ - void handle_sysrq(int key); --void __handle_sysrq(int key, bool check_mask); -+void __handle_sysrq(int key, unsigned int from); - int register_sysrq_key(int key, struct sysrq_key_op *op); - int unregister_sysrq_key(int key, struct sysrq_key_op *op); - struct sysrq_key_op *__sysrq_get_key_op(int key); -diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 82a3b32a7cfc..efee1abf5e8e 100644 ---- a/kernel/debug/kdb/kdb_main.c -+++ b/kernel/debug/kdb/kdb_main.c -@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv) - return KDB_ARGCOUNT; - - kdb_trap_printk++; -- __handle_sysrq(*argv[1], check_mask); -+ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); - kdb_trap_printk--; - - return 0; -diff --git a/security/Kconfig b/security/Kconfig -index 44c6a0da6f21..f885e88e0705 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -251,6 +251,17 @@ config LOCK_DOWN_MANDATORY - Makes the lockdown non-negotiable. It is always on and cannot be - disabled. - -+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+ bool "Allow the kernel lockdown to be lifted by SysRq" -+ depends on LOCK_DOWN_KERNEL -+ depends on !LOCK_DOWN_MANDATORY -+ depends on MAGIC_SYSRQ -+ depends on X86 -+ help -+ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key -+ combination on a wired keyboard. On x86, this is SysRq+x. -+ -+ - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/lock_down.c b/security/lock_down.c -index f35ffdd096ad..2615669dbf03 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -11,9 +11,15 @@ - - #include <linux/export.h> - #include <linux/sched.h> -+#include <linux/sysrq.h> -+#include <asm/setup.h> - - #ifndef CONFIG_LOCK_DOWN_MANDATORY -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+static __read_mostly bool kernel_locked_down; -+#else - static __ro_after_init bool kernel_locked_down; -+#endif - #else - #define kernel_locked_down true - #endif -@@ -63,3 +69,44 @@ bool __kernel_is_locked_down(const char *what, bool first) - return kernel_locked_down; - } - EXPORT_SYMBOL(__kernel_is_locked_down); -+ -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+ -+/* -+ * Take the kernel out of lockdown mode. -+ */ -+static void lift_kernel_lockdown(void) -+{ -+ pr_notice("Lifting lockdown\n"); -+ kernel_locked_down = false; -+} -+ -+/* -+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by -+ * echoing the appropriate letter into the sysrq-trigger file). -+ */ -+static void sysrq_handle_lockdown_lift(int key) -+{ -+ if (kernel_locked_down) -+ lift_kernel_lockdown(); -+} -+ -+static struct sysrq_key_op lockdown_lift_sysrq_op = { -+ .handler = sysrq_handle_lockdown_lift, -+ .help_msg = "unSB(x)", -+ .action_msg = "Disabling Secure Boot restrictions", -+ .enable_mask = SYSRQ_DISABLE_USERSPACE, -+}; -+ -+static int __init lockdown_lift_sysrq(void) -+{ -+ if (kernel_locked_down) { -+ lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; -+ register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); -+ } -+ return 0; -+} -+ -+late_initcall(lockdown_lift_sysrq); -+ -+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ --- -2.20.1 - -From 597069f3ba9dbf3537bd2ab5642f203fa24fd1f4 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH 03/22] Restrict /dev/{mem,kmem,port} when the kernel is locked - down - -Allowing users to read and write to core kernel memory makes it possible -for the kernel to be subverted, avoiding module loading restrictions, and -also to steal cryptographic information. - -Disallow /dev/mem and /dev/kmem from being opened this when the kernel has -been locked down to prevent this. - -Also disallow /dev/port from being opened to prevent raw ioport access and -thus DMA from being used to accomplish the same thing. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> ---- - drivers/char/mem.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index b08dc50f9f26..0a2f2e75d5f4 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) - - static int open_port(struct inode *inode, struct file *filp) - { -+ if (kernel_is_locked_down("/dev/mem,kmem,port")) -+ return -EPERM; - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; - } - --- -2.20.1 - -From 97b73030d3ccb2c4595c4fe948b0af368a6b10e3 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH 04/22] kexec_load: Disable at runtime if the kernel is locked - down - -The kexec_load() syscall permits the loading and execution of arbitrary -code in ring 0, which is something that lock-down is meant to prevent. It -makes sense to disable kexec_load() in this situation. - -This does not affect kexec_file_load() syscall which can check for a -signature on the image to be booted. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Dave Young <dyoung@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -Reviewed-by: James Morris <james.l.morris@oracle.com> -cc: kexec@lists.infradead.org -Signed-off-by: Jeremy Cline <jcline@redhat.com> ---- - kernel/kexec.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index 68559808fdfa..041d505070e1 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -202,6 +202,13 @@ static inline int kexec_load_check(unsigned long nr_segments, - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) - return -EPERM; - -+ /* -+ * kexec can be used to circumvent module loading restrictions, so -+ * prevent loading in that case -+ */ -+ if (kernel_is_locked_down("kexec of unsigned images")) -+ return -EPERM; -+ - /* Permit LSMs and IMA to fail the kexec */ - result = security_kernel_load_data(LOADING_KEXEC_IMAGE); - if (result < 0) --- -2.20.1 - -From 1b27ccaab50813a5a3c29f7be294a3cf98966d3b Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Mon, 9 Apr 2018 09:52:47 +0100 -Subject: [PATCH 05/22] hibernate: Disable when the kernel is locked down - -There is currently no way to verify the resume image when returning -from hibernate. This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it when the -kernel is locked down. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: linux-pm@vger.kernel.org -Signed-off-by: Jeremy Cline <jcline@redhat.com> ---- - kernel/power/hibernate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index abef759de7c8..802795becb88 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - - bool hibernation_available(void) - { -- return (nohibernate == 0); -+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); - } - - /** --- -2.20.1 - -From 65c098838ab0e21528ecbd5ad27e1b5174b42b14 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:47 +0100 -Subject: [PATCH 06/22] uswsusp: Disable when the kernel is locked down - -uswsusp allows a user process to dump and then restore kernel state, which -makes it possible to modify the running kernel. Disable this if the kernel -is locked down. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -Reviewed-by: James Morris <james.l.morris@oracle.com> -cc: linux-pm@vger.kernel.org ---- - kernel/power/user.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/power/user.c b/kernel/power/user.c -index 2d8b60a3c86b..0305d513c274 100644 ---- a/kernel/power/user.c -+++ b/kernel/power/user.c -@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) - if (!hibernation_available()) - return -EPERM; - -+ if (kernel_is_locked_down("/dev/snapshot")) -+ return -EPERM; -+ - lock_system_sleep(); - - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { --- -2.20.1 - -From 05eecdf72d557817d7613733dca6eac08e61377e Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 07/22] PCI: Lock down BAR access when the kernel is locked - down - -Any hardware that can potentially generate DMA has to be locked down in -order to avoid it being possible for an attacker to modify kernel code, -allowing them to circumvent disabled module loading or module signing. -Default to paranoid - in future we can potentially relax this for -sufficiently IOMMU-isolated devices. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Bjorn Helgaas <bhelgaas@google.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: linux-pci@vger.kernel.org ---- - drivers/pci/pci-sysfs.c | 9 +++++++++ - drivers/pci/proc.c | 9 ++++++++- - drivers/pci/syscall.c | 3 ++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 25794c27c7a4..0d969598e273 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -904,6 +904,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8 *) buf; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -1166,6 +1169,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - enum pci_mmap_state mmap_type; - struct resource *res = &pdev->resource[bar]; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) - return -EINVAL; - -@@ -1241,6 +1247,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 6fa1627ce08d..1549cdd0710e 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, - int size = dev->cfg_size; - int cnt; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - switch (cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("Direct PCI access")) - return -EPERM; - - if (fpriv->mmap_state == pci_mmap_io) { -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index d96626c614f5..b8a08d3166a1 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || -+ kernel_is_locked_down("Direct PCI access")) - return -EPERM; - - dev = pci_get_domain_bus_and_slot(0, bus, dfn); --- -2.20.1 - -From 00ead3a144b821267a941a26c646a1fd07d8163a Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 08/22] x86: Lock down IO port access when the kernel is locked - down - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO -register space. This would potentially permit root to trigger arbitrary -DMA, so lock it down by default. - -This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and -KDDISABIO console ioctls. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Thomas Gleixner <tglx@linutronix.de> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: x86@kernel.org ---- - arch/x86/kernel/ioport.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 0fe1c8782208..abc702a6ae9c 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("ioperm"))) - return -EPERM; - - /* -@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("iopl")) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | --- -2.20.1 - -From 6efd2de8172dac74fbea76d7205657c4cf22ef6a Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 09/22] x86/msr: Restrict MSR access when the kernel is locked - down - -Writing to MSRs should not be allowed if the kernel is locked down, since -it could lead to execution of arbitrary code in kernel mode. Based on a -patch by Kees Cook. - -MSR accesses are logged for the purposes of building up a whitelist as per -Alan Cox's suggestion. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Kees Cook <keescook@chromium.org> -Reviewed-by: Thomas Gleixner <tglx@linutronix.de> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: x86@kernel.org ---- - arch/x86/kernel/msr.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 4588414e2561..f5a2cf07972f 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, - int err = 0; - ssize_t bytes = 0; - -+ if (kernel_is_locked_down("Direct MSR access")) { -+ pr_info("Direct access to MSR %x\n", reg); -+ return -EPERM; -+ } -+ - if (count % 8) - return -EINVAL; /* Invalid chunk size */ - -@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) - err = -EFAULT; - break; - } -+ if (kernel_is_locked_down("Direct MSR access")) { -+ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ -+ err = -EPERM; -+ break; -+ } - err = wrmsr_safe_regs_on_cpu(cpu, regs); - if (err) - break; --- -2.20.1 - -From 7e4c9369ca56ec7508ad851fb3f8af7b7e83c4e5 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 10/22] ACPI: Limit access to custom_method when the kernel is - locked down - -custom_method effectively allows arbitrary access to system memory, making -it possible for an attacker to circumvent restrictions on module loading. -Disable it if the kernel is locked down. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: linux-acpi@vger.kernel.org ---- - drivers/acpi/custom_method.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index aa972dc5cb7e..af1d161f188f 100644 ---- a/drivers/acpi/custom_method.c -+++ b/drivers/acpi/custom_method.c -@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, - struct acpi_table_header table; - acpi_status status; - -+ if (kernel_is_locked_down("ACPI custom methods")) -+ return -EPERM; -+ - if (!(*ppos)) { - /* parse the table header to get the table length */ - if (count <= sizeof(struct acpi_table_header)) --- -2.20.1 - -From 20f5e7cfa6d01d10a5bb83a6b276d6f403aa012c Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@redhat.com> -Date: Mon, 9 Apr 2018 09:52:49 +0100 -Subject: [PATCH 11/22] acpi: Ignore acpi_rsdp kernel param when the kernel has - been locked down - -This option allows userspace to pass the RSDP address to the kernel, which -makes it possible for a user to modify the workings of hardware . Reject -the option when the kernel is locked down. - -Signed-off-by: Josh Boyer <jwboyer@redhat.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: Dave Young <dyoung@redhat.com> -cc: linux-acpi@vger.kernel.org ---- - drivers/acpi/osl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index f29e427d0d1d..3e44cef7a0cd 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) - acpi_physical_address pa; - - #ifdef CONFIG_KEXEC -- if (acpi_rsdp) -+ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) - return acpi_rsdp; - #endif - pa = acpi_arch_get_root_pointer(); --- -2.20.1 - -From 700ce42e36ac0b7387c55d8fe13dd1dda3d4f178 Mon Sep 17 00:00:00 2001 -From: Linn Crosetto <linn@hpe.com> -Date: Mon, 9 Apr 2018 09:52:49 +0100 -Subject: [PATCH 12/22] acpi: Disable ACPI table override if the kernel is - locked down - -From the kernel documentation (initrd_table_override.txt): - - If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible - to override nearly any ACPI table provided by the BIOS with an - instrumented, modified one. - -When securelevel is set, the kernel should disallow any unauthenticated -changes to kernel space. ACPI tables contain code invoked by the kernel, -so do not allow ACPI tables to be overridden if the kernel is locked down. - -Signed-off-by: Linn Crosetto <linn@hpe.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: linux-acpi@vger.kernel.org ---- - drivers/acpi/tables.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index 8fccbe49612a..1794f5b4afae 100644 ---- a/drivers/acpi/tables.c -+++ b/drivers/acpi/tables.c -@@ -539,6 +539,11 @@ void __init acpi_table_upgrade(void) - if (table_nr == 0) - return; - -+ if (kernel_is_locked_down("ACPI table override")) { -+ pr_notice("kernel is locked down, ignoring table override\n"); -+ return; -+ } -+ - acpi_tables_addr = - memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, - all_tables_size, PAGE_SIZE); --- -2.20.1 - -From 795cc6dc11944a24309cd29b02efc6ff6eea241e Mon Sep 17 00:00:00 2001 -From: Linn Crosetto <linn@hpe.com> -Date: Mon, 9 Apr 2018 09:52:50 +0100 -Subject: [PATCH 13/22] acpi: Disable APEI error injection if the kernel is - locked down - -ACPI provides an error injection mechanism, EINJ, for debugging and testing -the ACPI Platform Error Interface (APEI) and other RAS features. If -supported by the firmware, ACPI specification 5.0 and later provide for a -way to specify a physical memory address to which to inject the error. - -Injecting errors through EINJ can produce errors which to the platform are -indistinguishable from real hardware errors. This can have undesirable -side-effects, such as causing the platform to mark hardware as needing -replacement. - -While it does not provide a method to load unauthenticated privileged code, -the effect of these errors may persist across reboots and affect trust in -the underlying hardware, so disable error injection through EINJ if -the kernel is locked down. - -Signed-off-by: Linn Crosetto <linn@hpe.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -cc: linux-acpi@vger.kernel.org ---- - drivers/acpi/apei/einj.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index 2d4be94f8c00..6ee4ad207e8b 100644 ---- a/drivers/acpi/apei/einj.c -+++ b/drivers/acpi/apei/einj.c -@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, - int rc; - u64 base_addr, size; - -+ if (kernel_is_locked_down("ACPI error injection")) -+ return -EPERM; -+ - /* If user manually set "flags", make sure it is legal */ - if (flags && (flags & - ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) --- -2.20.1 - -From fbdf91419289d47c747d5535bb92a8923a0fce97 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:37 +0100 -Subject: [PATCH 14/22] Prohibit PCMCIA CIS storage when the kernel is locked - down - -Prohibit replacement of the PCMCIA Card Information Structure when the -kernel is locked down. - -Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: linux-pcmcia@lists.infradead.org ---- - drivers/pcmcia/cistpl.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index ac0672b8dfca..8adf092d0e18 100644 ---- a/drivers/pcmcia/cistpl.c -+++ b/drivers/pcmcia/cistpl.c -@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, - struct pcmcia_socket *s; - int error; - -+ if (kernel_is_locked_down("Direct PCMCIA CIS storage")) -+ return -EPERM; -+ - s = to_socket(container_of(kobj, struct device, kobj)); - - if (off) --- -2.20.1 - -From 9a3726b9bf16e62fce77570c972857abc303fcd1 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:37 +0100 -Subject: [PATCH 15/22] Lock down TIOCSSERIAL - -Lock down TIOCSSERIAL as that can be used to change the ioport and irq -settings on a serial port. This only appears to be an issue for the serial -drivers that use the core serial code. All other drivers seem to either -ignore attempts to change port/irq or give an error. - -Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Jiri Slaby <jslaby@suse.com> ---- - drivers/tty/serial/serial_core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 351843f847c0..3cffe2f5d132 100644 ---- a/drivers/tty/serial/serial_core.c -+++ b/drivers/tty/serial/serial_core.c -@@ -852,6 +852,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, - new_flags = (__force upf_t)new_info->flags; - old_custom_divisor = uport->custom_divisor; - -+ if ((change_port || change_irq) && -+ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { -+ retval = -EPERM; -+ goto exit; -+ } -+ - if (!capable(CAP_SYS_ADMIN)) { - retval = -EPERM; - if (change_irq || change_port || --- -2.20.1 - -From 3602dd89747ed890d31fcb4d64a3fcd48490fff7 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:37 +0100 -Subject: [PATCH 16/22] Lock down module params that specify hardware - parameters (eg. ioport) - -Provided an annotation for module parameters that specify hardware -parameters (such as io ports, iomem addresses, irqs, dma channels, fixed -dma buffers and other types). - -Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - kernel/params.c | 26 +++++++++++++++++++++----- - 1 file changed, 21 insertions(+), 5 deletions(-) - -diff --git a/kernel/params.c b/kernel/params.c -index ce89f757e6da..8ac751c938f8 100644 ---- a/kernel/params.c -+++ b/kernel/params.c -@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) - return parameqn(a, b, strlen(a)+1); - } - --static void param_check_unsafe(const struct kernel_param *kp) -+static bool param_check_unsafe(const struct kernel_param *kp, -+ const char *doing) - { - if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { - pr_notice("Setting dangerous option %s - tainting kernel\n", - kp->name); - add_taint(TAINT_USER, LOCKDEP_STILL_OK); - } -+ -+ if (kp->flags & KERNEL_PARAM_FL_HWPARAM && -+ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) -+ return false; -+ return true; - } - - static int parse_one(char *param, -@@ -144,8 +150,10 @@ static int parse_one(char *param, - pr_debug("handling %s with %p\n", param, - params[i].ops->set); - kernel_param_lock(params[i].mod); -- param_check_unsafe(¶ms[i]); -- err = params[i].ops->set(val, ¶ms[i]); -+ if (param_check_unsafe(¶ms[i], doing)) -+ err = params[i].ops->set(val, ¶ms[i]); -+ else -+ err = -EPERM; - kernel_param_unlock(params[i].mod); - return err; - } -@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, - return count; - } - -+#ifdef CONFIG_MODULES -+#define mod_name(mod) (mod)->name -+#else -+#define mod_name(mod) "unknown" -+#endif -+ - /* sysfs always hands a nul-terminated string in buf. We rely on that. */ - static ssize_t param_attr_store(struct module_attribute *mattr, - struct module_kobject *mk, -@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, - return -EPERM; - - kernel_param_lock(mk->mod); -- param_check_unsafe(attribute->param); -- err = attribute->param->ops->set(buf, attribute->param); -+ if (param_check_unsafe(attribute->param, mod_name(mk->mod))) -+ err = attribute->param->ops->set(buf, attribute->param); -+ else -+ err = -EPERM; - kernel_param_unlock(mk->mod); - if (!err) - return len; --- -2.20.1 - -From 5c8a455102b3ca36e84694d888fad219726bd268 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 17/22] x86/mmiotrace: Lock down the testmmiotrace module - -The testmmiotrace module shouldn't be permitted when the kernel is locked -down as it can be used to arbitrarily read and write MMIO space. - -Suggested-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: David Howells <dhowells@redhat.com -cc: Thomas Gleixner <tglx@linutronix.de> -cc: Steven Rostedt <rostedt@goodmis.org> -cc: Ingo Molnar <mingo@kernel.org> -cc: "H. Peter Anvin" <hpa@zytor.com> -cc: x86@kernel.org ---- - arch/x86/mm/testmmiotrace.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c -index f6ae6830b341..bbaad357f5d7 100644 ---- a/arch/x86/mm/testmmiotrace.c -+++ b/arch/x86/mm/testmmiotrace.c -@@ -115,6 +115,9 @@ static int __init init(void) - { - unsigned long size = (read_far) ? (8 << 20) : (16 << 10); - -+ if (kernel_is_locked_down("MMIO trace testing")) -+ return -EPERM; -+ - if (mmio_address == 0) { - pr_err("you have to use the module argument mmio_address.\n"); - pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); --- -2.20.1 - -From 711e6f9ef237fd513eddfc1f0e3796c419bc138e Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 18/22] Lock down /proc/kcore - -Disallow access to /proc/kcore when the kernel is locked down to prevent -access to cryptographic data. - -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: James Morris <james.l.morris@oracle.com> ---- - fs/proc/kcore.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c -index bbcc185062bb..d50ebfbf3dbb 100644 ---- a/fs/proc/kcore.c -+++ b/fs/proc/kcore.c -@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) - - static int open_kcore(struct inode *inode, struct file *filp) - { -+ if (kernel_is_locked_down("/proc/kcore")) -+ return -EPERM; - if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - --- -2.20.1 - -From f2a835a43a6463abfe6781156ebdb7346d7a3c51 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 19/22] Lock down kprobes - -Disallow the creation of kprobes when the kernel is locked down by -preventing their registration. This prevents kprobes from being used to -access kernel memory, either to make modifications or to steal crypto data. - -Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - kernel/kprobes.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index c83e54727131..743c40bd1982 100644 ---- a/kernel/kprobes.c -+++ b/kernel/kprobes.c -@@ -1571,6 +1571,9 @@ int register_kprobe(struct kprobe *p) - struct module *probed_mod; - kprobe_opcode_t *addr; - -+ if (kernel_is_locked_down("Use of kprobes")) -+ return -EPERM; -+ - /* Adjust probe address from symbol */ - addr = kprobe_addr(p); - if (IS_ERR(addr)) --- -2.20.1 - -From 23afb750c60b6b2d8025eb4d52ce6ff565ca1a63 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 20/22] Lock down perf - -Disallow the use of certain perf facilities that might allow userspace to -access kernel data. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - kernel/events/core.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 5f59d848171e..ddf0fa63cb80 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -10727,6 +10727,11 @@ SYSCALL_DEFINE5(perf_event_open, - return -EINVAL; - } - -+ if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && -+ kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) -+ /* REGS_INTR can leak data, lockdown must prevent this */ -+ return -EPERM; -+ - /* Only privileged users can get physical addresses */ - if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && - perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) --- -2.20.1 - -From dc6da5e583b02c04a6e0518158ef3d82735aeb5d Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 21/22] debugfs: Restrict debugfs when the kernel is locked - down - -Disallow opening of debugfs files that might be used to muck around when -the kernel is locked down as various drivers give raw access to hardware -through debugfs. Given the effort of auditing all 2000 or so files and -manually fixing each one as necessary, I've chosen to apply a heuristic -instead. The following changes are made: - - (1) chmod and chown are disallowed on debugfs objects (though the root dir - can be modified by mount and remount, but I'm not worried about that). - - (2) When the kernel is locked down, only files with the following criteria - are permitted to be opened: - - - The file must have mode 00444 - - The file must not have ioctl methods - - The file must not have mmap - - (3) When the kernel is locked down, files may only be opened for reading. - -Normal device interaction should be done through configfs, sysfs or a -miscdev, not debugfs. - -Note that this makes it unnecessary to specifically lock down show_dsts(), -show_devs() and show_call() in the asus-wmi driver. - -I would actually prefer to lock down all files by default and have the -the files unlocked by the creator. This is tricky to manage correctly, -though, as there are 19 creation functions and ~1600 call sites (some of -them in loops scanning tables). - -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Andy Shevchenko <andy.shevchenko@gmail.com> -cc: acpi4asus-user@lists.sourceforge.net -cc: platform-driver-x86@vger.kernel.org -cc: Matthew Garrett <mjg59@srcf.ucam.org> -cc: Thomas Gleixner <tglx@linutronix.de> ---- - fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ - fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- - 2 files changed, 56 insertions(+), 2 deletions(-) - -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 4fce1da7db23..c33042c1eff3 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) - } - EXPORT_SYMBOL_GPL(debugfs_file_put); - -+/* -+ * Only permit access to world-readable files when the kernel is locked down. -+ * We also need to exclude any file that has ways to write or alter it as root -+ * can bypass the permissions check. -+ */ -+static bool debugfs_is_locked_down(struct inode *inode, -+ struct file *filp, -+ const struct file_operations *real_fops) -+{ -+ if ((inode->i_mode & 07777) == 0444 && -+ !(filp->f_mode & FMODE_WRITE) && -+ !real_fops->unlocked_ioctl && -+ !real_fops->compat_ioctl && -+ !real_fops->mmap) -+ return false; -+ -+ return kernel_is_locked_down("debugfs"); -+} -+ - static int open_proxy_open(struct inode *inode, struct file *filp) - { - struct dentry *dentry = F_DENTRY(filp); -@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -+ -+ r = -EPERM; -+ if (debugfs_is_locked_down(inode, filp, real_fops)) -+ goto out; -+ - real_fops = fops_get(real_fops); - if (!real_fops) { - /* Huh? Module did not clean up after itself at exit? */ -@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -+ r = -EPERM; -+ if (debugfs_is_locked_down(inode, filp, real_fops)) -+ goto out; -+ - real_fops = fops_get(real_fops); - if (!real_fops) { - /* Huh? Module did not cleanup after itself at exit? */ -diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 95b5e78c22b1..ce99ea07fdb4 100644 ---- a/fs/debugfs/inode.c -+++ b/fs/debugfs/inode.c -@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; - static int debugfs_mount_count; - static bool debugfs_registered; - -+/* -+ * Don't allow access attributes to be changed whilst the kernel is locked down -+ * so that we can use the file mode as part of a heuristic to determine whether -+ * to lock down individual files. -+ */ -+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) -+{ -+ if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && -+ kernel_is_locked_down("debugfs")) -+ return -EPERM; -+ return simple_setattr(dentry, ia); -+} -+ -+static const struct inode_operations debugfs_file_inode_operations = { -+ .setattr = debugfs_setattr, -+}; -+static const struct inode_operations debugfs_dir_inode_operations = { -+ .lookup = simple_lookup, -+ .setattr = debugfs_setattr, -+}; -+static const struct inode_operations debugfs_symlink_inode_operations = { -+ .get_link = simple_get_link, -+ .setattr = debugfs_setattr, -+}; -+ - static struct inode *debugfs_get_inode(struct super_block *sb) - { - struct inode *inode = new_inode(sb); -@@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, - inode->i_mode = mode; - inode->i_private = data; - -+ inode->i_op = &debugfs_file_inode_operations; - inode->i_fop = proxy_fops; - dentry->d_fsdata = (void *)((unsigned long)real_fops | - DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); -@@ -516,7 +542,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) - return failed_creating(dentry); - - inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; -- inode->i_op = &simple_dir_inode_operations; -+ inode->i_op = &debugfs_dir_inode_operations; - inode->i_fop = &simple_dir_operations; - - /* directory inodes start off with i_nlink == 2 (for "." entry) */ -@@ -611,7 +637,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, - return failed_creating(dentry); - } - inode->i_mode = S_IFLNK | S_IRWXUGO; -- inode->i_op = &simple_symlink_inode_operations; -+ inode->i_op = &debugfs_symlink_inode_operations; - inode->i_link = link; - d_instantiate(dentry, inode); - return end_creating(dentry); --- -2.20.1 - -From 29131d94aceb11ad6be4b0d8820db23986f1a0b2 Mon Sep 17 00:00:00 2001 -From: Vasily Gorbik <gor@linux.ibm.com> -Date: Wed, 21 Nov 2018 13:05:10 +0100 -Subject: [PATCH 22/22] debugfs: avoid EPERM when no open file operation - defined - -With "debugfs: Restrict debugfs when the kernel is locked down" -return code "r" is unconditionally set to -EPERM, which stays like that -until function return if no "open" file operation defined, effectivelly -resulting in "Operation not permitted" for all such files despite kernel -lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled. - -In particular this breaks 2 debugfs files on s390: -/sys/kernel/debug/s390_hypfs/diag_304 -/sys/kernel/debug/s390_hypfs/diag_204 - -To address that set EPERM return code only when debugfs_is_locked_down -returns true. - -Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down") -Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> ---- - fs/debugfs/file.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index c33042c1eff3..3a5033ff9ec7 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) - - real_fops = debugfs_real_fops(filp); - -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } - - real_fops = fops_get(real_fops); - if (!real_fops) { -@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } - - real_fops = fops_get(real_fops); - if (!real_fops) { --- -2.20.1 - |