diff options
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r-- | efi-lockdown.patch | 154 |
1 files changed, 58 insertions, 96 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch index c80bdb38f..4f84f4715 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -530,14 +530,14 @@ in secure boot lockdown mode. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: David Howells <dhowells@redhat.com> --- - security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++---------- - 1 file changed, 29 insertions(+), 10 deletions(-) + security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index d89bebf85421..da6f55c96a61 100644 +index 8c9499867c91..f8428f579924 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c -@@ -443,14 +443,21 @@ void ima_update_policy_flag(void) +@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func) */ void __init ima_init_policy(void) { @@ -547,7 +547,7 @@ index d89bebf85421..da6f55c96a61 100644 + int appraise_entries = 0; + int secure_boot_entries = 0; + bool kernel_locked_down = __kernel_is_locked_down(NULL, false); - + /* if !ima_policy set entries = 0 so we load NO default rules */ - measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; - appraise_entries = ima_use_appraise_tcb ? @@ -562,25 +562,25 @@ index d89bebf85421..da6f55c96a61 100644 + + if (ima_use_secure_boot || kernel_locked_down) + secure_boot_entries = ARRAY_SIZE(secure_boot_rules); - + for (i = 0; i < measure_entries; i++) list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); -@@ -471,11 +478,23 @@ void __init ima_init_policy(void) - +@@ -509,12 +516,25 @@ void __init ima_init_policy(void) + /* - * Insert the appraise rules requiring file signatures, prior to -- * any other appraise rules. -+ * any other appraise rules. In secure boot lock-down mode, also -+ * require these appraise rules for custom policies. + * Insert the builtin "secure_boot" policy rules requiring file +- * signatures, prior to any other appraise rules. ++ * signatures, prior to any other appraise rules. In secure boot ++ * lock-down mode, also require these appraise rules for custom ++ * policies. */ -- for (i = 0; i < secure_boot_entries; i++) -- list_add_tail(&secure_boot_rules[i].list, -- &ima_default_rules); -+ for (i = 0; i < secure_boot_entries; i++) { + for (i = 0; i < secure_boot_entries; i++) { + struct ima_rule_entry *entry; + + /* Include for builtin policies */ -+ list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + temp_ima_appraise |= + ima_appraise_flag(secure_boot_rules[i].func); + + /* Include for custom policies */ + if (kernel_locked_down) { @@ -589,17 +589,16 @@ index d89bebf85421..da6f55c96a61 100644 + if (entry) + list_add_tail(&entry->list, &ima_policy_rules); + } -+ } - - for (i = 0; i < appraise_entries; i++) { - list_add_tail(&default_appraise_rules[i].list, + } + + /* -- -2.14.3 +2.17.1 -From 64b01ecc309c8ae79209e00dd8b95a549e5050b7 Mon Sep 17 00:00:00 2001 +From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down +Subject: [PATCH] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify or that IMA can validate the file. @@ -629,11 +628,11 @@ Reviewed-by: Jiri Bohac <jbohac@suse.cz> cc: "Lee, Chun-Yi" <jlee@suse.com> cc: James Morris <james.l.morris@oracle.com> --- - kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++++++++------------- + kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 13 deletions(-) diff --git a/kernel/module.c b/kernel/module.c -index a6e43a5806a1..9c1709a05037 100644 +index b046a32520d8..3bb0722c106e 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -64,6 +64,7 @@ @@ -643,10 +642,10 @@ index a6e43a5806a1..9c1709a05037 100644 +#include <linux/ima.h> #include <uapi/linux/module.h> #include "module-internal.h" - -@@ -2761,10 +2762,12 @@ static inline void kmemleak_load_module(const struct module *mod, + +@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod, #endif - + #ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags) +static int module_sig_check(struct load_info *info, int flags, @@ -657,21 +656,21 @@ index a6e43a5806a1..9c1709a05037 100644 const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; - + /* -@@ -2779,19 +2782,46 @@ static int module_sig_check(struct load_info *info, int flags) - err = mod_verify_sig(mod, &info->len); +@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags) + err = mod_verify_sig(mod, info); } - + - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - + - /* Not having a signature is only an error if we're strict. */ -- if (err == -ENOKEY && !sig_enforce) +- if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not @@ -690,7 +689,7 @@ index a6e43a5806a1..9c1709a05037 100644 + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - + - return err; + if (can_do_ima_check && is_ima_appraise_enabled()) + return 0; @@ -713,7 +712,7 @@ index a6e43a5806a1..9c1709a05037 100644 { return 0; } -@@ -3651,13 +3681,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, +@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, /* Allocate and load the module: note that size of section 0 is always zero, and we rely on this for optional sections. */ static int load_module(struct load_info *info, const char __user *uargs, @@ -721,34 +720,36 @@ index a6e43a5806a1..9c1709a05037 100644 + int flags, bool can_do_ima_check) { struct module *mod; - long err; - char *after_dashes; - + long err = 0; +@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs, + goto free_copy; + } + - err = module_sig_check(info, flags); + err = module_sig_check(info, flags, can_do_ima_check); if (err) goto free_copy; - -@@ -3846,7 +3876,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, + +@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, if (err) return err; - + - return load_module(&info, uargs, 0); + return load_module(&info, uargs, 0, false); } - + SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) -@@ -3873,7 +3903,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) +@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) info.hdr = hdr; info.len = size; - + - return load_module(&info, uargs, flags); + return load_module(&info, uargs, flags, true); } - + static inline int within(unsigned long addr, void *start, unsigned long size) -- -2.14.3 +2.17.1 From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> @@ -813,13 +814,13 @@ cc: kexec@lists.infradead.org 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index aed8fb2564b3..1553ac765e73 100644 +index 68559808fdfa..041d505070e1 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -199,6 +199,13 @@ static inline int kexec_load_check(unsigned long nr_segments, +@@ -202,6 +202,13 @@ static inline int kexec_load_check(unsigned long nr_segments, if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) return -EPERM; - + + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case @@ -827,11 +828,11 @@ index aed8fb2564b3..1553ac765e73 100644 + if (kernel_is_locked_down("kexec of unsigned images")) + return -EPERM; + - /* - * Verify we have a legal set of flags - * This leaves us room for future extensions. + /* Permit LSMs and IMA to fail the kexec */ + result = security_kernel_load_data(LOADING_KEXEC_IMAGE); + if (result < 0) -- -2.14.3 +2.17.1 From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> @@ -1524,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644 -- 2.14.3 -From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the - kernel is locked down - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program. - -Completely prohibit the use of BPF when the kernel is locked down. - -Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: netdev@vger.kernel.org -cc: Chun-Yi Lee <jlee@suse.com> -cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> ---- - kernel/bpf/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 0244973ee544..7457f2676c6d 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2031,6 +2031,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz - if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - err = check_uarg_tail_zero(uattr, sizeof(attr), size); - if (err) - return err; --- -2.14.3 - From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Wed, 4 Apr 2018 14:45:38 +0100 @@ -1738,9 +1700,9 @@ index 13b01351dd1c..4daec17b8215 100644 inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); -@@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) +@@ -515,7 +541,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); - + inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; |