diff options
Diffstat (limited to 'efi-lockdown.patch')
| -rw-r--r-- | efi-lockdown.patch | 1560 |
1 files changed, 860 insertions, 700 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch index a4b602b2a..fab50ef1a 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -1,81 +1,44 @@ -From 73958cc1f78cfc69f3b1ec26a3406b3c45f6d202 Mon Sep 17 00:00:00 2001 +From 07ff2bbc3633a42ef5f0988b5bb821ed5d3399b9 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Mon, 9 Apr 2018 09:52:45 +0100 -Subject: [PATCH 01/24] Add the ability to lock down access to the running +Date: Mon, 18 Feb 2019 12:44:57 +0000 +Subject: [PATCH 01/27] Add the ability to lock down access to the running kernel image Provide a single call to allow kernel code to determine whether the system should be locked down, thereby disallowing various accesses that might -allow the running kernel image to be changed, including: - - - /dev/mem and similar - - Loading of unauthorised modules - - Fiddling with MSR registers - - Suspend to disk managed by the kernel - - Use of device DMA - -Two kernel configuration options are provided: - - (*) CONFIG_LOCK_DOWN_KERNEL - - This makes lockdown available and applies it to all the points that - need to be locked down if the mode is set. Lockdown mode can be - enabled by providing: - - lockdown=1 - - on the command line. - - (*) CONFIG_LOCK_DOWN_MANDATORY - - This forces lockdown on at compile time, overriding the command line - option. - -init_lockdown() is used as a hook from which lockdown can be managed in -future. It has to be called from arch setup code before things like ACPI -are enabled. - -Note that, with the other changes in this series, if lockdown mode is -enabled, the kernel will not be able to use certain drivers as the ability -to manually configure hardware parameters would then be prohibited. This -primarily applies to ISA hardware devices. +allow the running kernel image to be changed including the loading of +modules that aren't validly signed with a key we recognise, fiddling with +MSR registers and disallowing hibernation. Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: James Morris <james.l.morris@oracle.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- - arch/x86/kernel/setup.c | 2 ++ - include/linux/kernel.h | 32 ++++++++++++++++++++++++ - security/Kconfig | 23 ++++++++++++++++- - security/Makefile | 3 +++ - security/lock_down.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 124 insertions(+), 1 deletion(-) + include/linux/kernel.h | 17 ++++++++++++ + include/linux/security.h | 9 +++++- + security/Kconfig | 15 ++++++++++ + security/Makefile | 3 ++ + security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 security/lock_down.c -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 6285697b6e56..566f0f447053 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -996,6 +996,8 @@ void __init setup_arch(char **cmdline_p) - if (efi_enabled(EFI_BOOT)) - efi_init(); - -+ init_lockdown(); -+ - dmi_scan_machine(); - dmi_memdev_walk(); - dmi_set_dump_stack_arch_desc(); diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 4ae1dfd9bf05..7d085cca9cee 100644 +index 8f0e68e250a7..833bf32ce4e6 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h -@@ -306,6 +306,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) +@@ -340,6 +340,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) { } #endif - + +#ifdef CONFIG_LOCK_DOWN_KERNEL -+extern void __init init_lockdown(void); +extern bool __kernel_is_locked_down(const char *what, bool first); ++#else ++static inline bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ return false; ++} ++#endif + -+#ifndef CONFIG_LOCK_DOWN_MANDATORY +#define kernel_is_locked_down(what) \ + ({ \ + static bool message_given; \ @@ -83,72 +46,59 @@ index 4ae1dfd9bf05..7d085cca9cee 100644 + message_given = true; \ + locked_down; \ + }) -+#else -+#define kernel_is_locked_down(what) \ -+ ({ \ -+ static bool message_given; \ -+ __kernel_is_locked_down(what, !message_given); \ -+ message_given = true; \ -+ true; \ -+ }) -+#endif ++ + /* Internal, do not use. */ + int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); + int __must_check _kstrtol(const char *s, unsigned int base, long *res); +diff --git a/include/linux/security.h b/include/linux/security.h +index 13537a49ae97..b290946341a4 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -1798,5 +1798,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) + #endif /* CONFIG_SECURITY */ + #endif /* CONFIG_BPF_SYSCALL */ + +-#endif /* ! __LINUX_SECURITY_H */ ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern void __init init_lockdown(void); +#else +static inline void __init init_lockdown(void) +{ +} -+static inline bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ return false; -+} -+#define kernel_is_locked_down(what) ({ false; }) +#endif -+ - /* Internal, do not use. */ - int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); - int __must_check _kstrtol(const char *s, unsigned int base, long *res); + ++#endif /* ! __LINUX_SECURITY_H */ diff --git a/security/Kconfig b/security/Kconfig -index c4302067a3ad..a68e5bdebad5 100644 +index 1d6463fb1450..47dc3403b5af 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -231,6 +231,28 @@ config STATIC_USERMODEHELPER_PATH +@@ -229,6 +229,21 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). - + +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help -+ Allow the kernel to be locked down. Locking down the kernel turns -+ off various features that might otherwise allow access to the kernel -+ image (eg. setting MSR registers). -+ -+ Note, however, that locking down your kernel will prevent some -+ drivers from functioning because allowing manual configuration of -+ hardware parameters is forbidden, lest a device be used to access the -+ kernel by DMA. This mostly applies to ISA devices. ++ Allow the kernel to be locked down. If lockdown support is enabled ++ and activated, the kernel will impose additional restrictions ++ intended to prevent uid 0 from being able to modify the running ++ kernel. This may break userland applications that rely on low-level ++ access to hardware. + -+ The kernel lockdown can be triggered by adding lockdown=1 to the -+ kernel command line. -+ -+config LOCK_DOWN_MANDATORY -+ bool "Make kernel lockdown mandatory" -+ depends on LOCK_DOWN_KERNEL -+ help -+ Makes the lockdown non-negotiable. It is always on and cannot be -+ disabled. ++config LOCK_DOWN_KERNEL_FORCE ++ bool "Enable kernel lockdown mode automatically" ++ depends on LOCK_DOWN_KERNEL ++ help ++ Enable the kernel lock down functionality automatically at boot. + source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" -@@ -278,4 +300,3 @@ config DEFAULT_SECURITY - default "" if DEFAULT_SECURITY_DAC - - endmenu -- diff --git a/security/Makefile b/security/Makefile -index 4d2d3782ddef..507ac8c520ce 100644 +index c598b904938f..5ff090149c88 100644 --- a/security/Makefile +++ b/security/Makefile -@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o +@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ @@ -157,10 +107,11 @@ index 4d2d3782ddef..507ac8c520ce 100644 +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 -index 000000000000..f35ffdd096ad +index 000000000000..18d8776a4d02 --- /dev/null +++ b/security/lock_down.c -@@ -0,0 +1,65 @@ +@@ -0,0 +1,60 @@ ++// SPDX-License-Identifier: GPL-2.0 +/* Lock down the kernel + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. @@ -172,27 +123,21 @@ index 000000000000..f35ffdd096ad + * 2 of the Licence, or (at your option) any later version. + */ + ++#include <linux/security.h> +#include <linux/export.h> -+#include <linux/sched.h> + -+#ifndef CONFIG_LOCK_DOWN_MANDATORY +static __ro_after_init bool kernel_locked_down; -+#else -+#define kernel_locked_down true -+#endif + +/* + * Put the kernel into lock-down mode. + */ +static void __init lock_kernel_down(const char *where) +{ -+#ifndef CONFIG_LOCK_DOWN_MANDATORY + if (!kernel_locked_down) { + kernel_locked_down = true; + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", + where); + } -+#endif +} + +static int __init lockdown_param(char *ignored) @@ -209,8 +154,8 @@ index 000000000000..f35ffdd096ad + */ +void __init init_lockdown(void) +{ -+#ifdef CONFIG_LOCK_DOWN_MANDATORY -+ pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n"); ++#ifdef CONFIG_LOCK_DOWN_FORCE ++ lock_kernel_down("Kernel configuration"); +#endif +} + @@ -221,307 +166,121 @@ index 000000000000..f35ffdd096ad +bool __kernel_is_locked_down(const char *what, bool first) +{ + if (what && first && kernel_locked_down) -+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", -+ current->comm, what); ++ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", ++ what); + return kernel_locked_down; +} +EXPORT_SYMBOL(__kernel_is_locked_down); -- -2.14.3 - -From 13dada34d9aa56ac4ee5438c7ebefde2d30d5542 Mon Sep 17 00:00:00 2001 -From: Kyle McMartin <kyle@redhat.com> -Date: Mon, 9 Apr 2018 09:52:45 +0100 -Subject: [PATCH 02/24] Add a SysRq option to lift kernel lockdown +2.21.0 -Make an option to provide a sysrq key that will lift the kernel lockdown, -thereby allowing the running kernel image to be accessed and modified. - -On x86 this is triggered with SysRq+x, but this key may not be available on -all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h. -Since this macro must be defined in an arch to be able to use this facility -for that arch, the Kconfig option is restricted to arches that support it. - -Signed-off-by: Kyle McMartin <kyle@redhat.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: x86@kernel.org ---- - arch/x86/include/asm/setup.h | 2 ++ - drivers/input/misc/uinput.c | 1 + - drivers/tty/sysrq.c | 19 ++++++++++++------ - include/linux/input.h | 5 +++++ - include/linux/sysrq.h | 8 +++++++- - kernel/debug/kdb/kdb_main.c | 2 +- - security/Kconfig | 11 +++++++++++ - security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ - 8 files changed, 87 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h -index ae13bc974416..3108e297d87d 100644 ---- a/arch/x86/include/asm/setup.h -+++ b/arch/x86/include/asm/setup.h -@@ -9,6 +9,8 @@ - #include <linux/linkage.h> - #include <asm/page_types.h> - -+#define LOCKDOWN_LIFT_KEY 'x' -+ - #ifdef __i386__ - - #include <linux/pfn.h> -diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 96a887f33698..027c730631cc 100644 ---- a/drivers/input/misc/uinput.c -+++ b/drivers/input/misc/uinput.c -@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev) - dev->flush = uinput_dev_flush; - } - -+ dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; - dev->event = uinput_dev_event; - - input_set_drvdata(udev->dev, udev); -diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index 6364890575ec..ffeb3aa86cd1 100644 ---- a/drivers/tty/sysrq.c -+++ b/drivers/tty/sysrq.c -@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { - /* x: May be registered on mips for TLB dump */ - /* x: May be registered on ppc/powerpc for xmon */ - /* x: May be registered on sparc64 for global PMU dump */ -+ /* x: May be registered on x86_64 for disabling secure boot */ - NULL, /* x */ - /* y: May be registered on sparc64 for global register dump */ - NULL, /* y */ -@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) - sysrq_key_table[i] = op_p; - } +From e5709852ca1e9ed443d9abebcb35cbc2f0d9d987 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 18 Feb 2019 12:44:58 +0000 +Subject: [PATCH 02/27] Enforce module signatures if the kernel is locked down --void __handle_sysrq(int key, bool check_mask) -+void __handle_sysrq(int key, unsigned int from) - { - struct sysrq_key_op *op_p; - int orig_log_level; -@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask) - - op_p = __sysrq_get_key_op(key); - if (op_p) { -+ /* Ban synthetic events from some sysrq functionality */ -+ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && -+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) -+ printk("This sysrq operation is disabled from userspace.\n"); - /* - * Should we check for enabled operations (/proc/sysrq-trigger - * should not) and is the invoked operation enabled? - */ -- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { -+ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { - pr_cont("%s\n", op_p->action_msg); - console_loglevel = orig_log_level; - op_p->handler(key); -@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask) - void handle_sysrq(int key) - { - if (sysrq_on()) -- __handle_sysrq(key, true); -+ __handle_sysrq(key, SYSRQ_FROM_KERNEL); - } - EXPORT_SYMBOL(handle_sysrq); +If the kernel is locked down, require that all modules have valid +signatures that we can verify. -@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t) - static void sysrq_handle_reset_request(struct sysrq_state *state) - { - if (state->reset_requested) -- __handle_sysrq(sysrq_xlate[KEY_B], false); -+ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); - - if (sysrq_reset_downtime_ms) - mod_timer(&state->keyreset_timer, -@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, - - default: - if (sysrq->active && value && value != 2) { -+ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? -+ SYSRQ_FROM_SYNTHETIC : 0; - sysrq->need_reinject = false; -- __handle_sysrq(sysrq_xlate[code], true); -+ __handle_sysrq(sysrq_xlate[code], from); - } - break; - } -@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, +I have adjusted the errors generated: - if (get_user(c, buf)) - return -EFAULT; -- __handle_sysrq(c, false); -+ __handle_sysrq(c, SYSRQ_FROM_PROC); - } + (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, + ENOKEY), then: - return count; -diff --git a/include/linux/input.h b/include/linux/input.h -index 7c7516eb7d76..38cd0ea72c37 100644 ---- a/include/linux/input.h -+++ b/include/linux/input.h -@@ -42,6 +42,7 @@ struct input_value { - * @phys: physical path to the device in the system hierarchy - * @uniq: unique identification code for the device (if device has it) - * @id: id of the device (struct input_id) -+ * @flags: input device flags (SYNTHETIC, etc.) - * @propbit: bitmap of device properties and quirks - * @evbit: bitmap of types of events supported by the device (EV_KEY, - * EV_REL, etc.) -@@ -124,6 +125,8 @@ struct input_dev { - const char *uniq; - struct input_id id; - -+ unsigned int flags; -+ - unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; + (a) If signatures are enforced then EKEYREJECTED is returned. - unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; -@@ -190,6 +193,8 @@ struct input_dev { - }; - #define to_input_dev(d) container_of(d, struct input_dev, dev) + (b) If there's no signature or we can't check it, but the kernel is + locked down then EPERM is returned (this is then consistent with + other lockdown cases). -+#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 -+ - /* - * Verify that we are in sync with input_device_id mod_devicetable.h #defines - */ -diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h -index 8c71874e8485..7de1f08b60a9 100644 ---- a/include/linux/sysrq.h -+++ b/include/linux/sysrq.h -@@ -29,6 +29,8 @@ - #define SYSRQ_ENABLE_BOOT 0x0080 - #define SYSRQ_ENABLE_RTNICE 0x0100 - -+#define SYSRQ_DISABLE_USERSPACE 0x00010000 -+ - struct sysrq_key_op { - void (*handler)(int); - char *help_msg; -@@ -43,8 +45,12 @@ struct sysrq_key_op { - * are available -- else NULL's). - */ - -+#define SYSRQ_FROM_KERNEL 0x0001 -+#define SYSRQ_FROM_PROC 0x0002 -+#define SYSRQ_FROM_SYNTHETIC 0x0004 -+ - void handle_sysrq(int key); --void __handle_sysrq(int key, bool check_mask); -+void __handle_sysrq(int key, unsigned int from); - int register_sysrq_key(int key, struct sysrq_key_op *op); - int unregister_sysrq_key(int key, struct sysrq_key_op *op); - struct sysrq_key_op *__sysrq_get_key_op(int key); -diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index dbb0781a0533..aae9a0f44058 100644 ---- a/kernel/debug/kdb/kdb_main.c -+++ b/kernel/debug/kdb/kdb_main.c -@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv) - return KDB_ARGCOUNT; - - kdb_trap_printk++; -- __handle_sysrq(*argv[1], check_mask); -+ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); - kdb_trap_printk--; + (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails + the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we + return the error we got. - return 0; -diff --git a/security/Kconfig b/security/Kconfig -index a68e5bdebad5..46967ee77dfd 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -253,6 +253,17 @@ config LOCK_DOWN_MANDATORY - Makes the lockdown non-negotiable. It is always on and cannot be - disabled. - -+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+ bool "Allow the kernel lockdown to be lifted by SysRq" -+ depends on LOCK_DOWN_KERNEL -+ depends on !LOCK_DOWN_MANDATORY -+ depends on MAGIC_SYSRQ -+ depends on X86 -+ help -+ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key -+ combination on a wired keyboard. On x86, this is SysRq+x. -+ -+ - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/lock_down.c b/security/lock_down.c -index f35ffdd096ad..2615669dbf03 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -11,9 +11,15 @@ +Note that the X.509 code doesn't check for key expiry as the RTC might not +be valid or might not have been transferred to the kernel's clock yet. - #include <linux/export.h> - #include <linux/sched.h> -+#include <linux/sysrq.h> -+#include <asm/setup.h> + [Modified by Matthew Garrett to remove the IMA integration. This will + be replaced with integration with the IMA architecture policy + patchset.] - #ifndef CONFIG_LOCK_DOWN_MANDATORY -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+static __read_mostly bool kernel_locked_down; -+#else - static __ro_after_init bool kernel_locked_down; -+#endif - #else - #define kernel_locked_down true - #endif -@@ -63,3 +69,44 @@ bool __kernel_is_locked_down(const char *what, bool first) - return kernel_locked_down; - } - EXPORT_SYMBOL(__kernel_is_locked_down); -+ -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+ -+/* -+ * Take the kernel out of lockdown mode. -+ */ -+static void lift_kernel_lockdown(void) -+{ -+ pr_notice("Lifting lockdown\n"); -+ kernel_locked_down = false; -+} -+ -+/* -+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by -+ * echoing the appropriate letter into the sysrq-trigger file). -+ */ -+static void sysrq_handle_lockdown_lift(int key) -+{ -+ if (kernel_locked_down) -+ lift_kernel_lockdown(); -+} -+ -+static struct sysrq_key_op lockdown_lift_sysrq_op = { -+ .handler = sysrq_handle_lockdown_lift, -+ .help_msg = "unSB(x)", -+ .action_msg = "Disabling Secure Boot restrictions", -+ .enable_mask = SYSRQ_DISABLE_USERSPACE, -+}; +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Jiri Bohac <jbohac@suse.cz> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +Cc: Jessica Yu <jeyu@kernel.org> +--- + kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 2ad1b5239910..9a377c6ea200 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, + #ifdef CONFIG_MODULE_SIG + static int module_sig_check(struct load_info *info, int flags) + { +- int err = -ENOKEY; ++ int err = -ENODATA; + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; ++ const char *reason; + const void *mod = info->hdr; + + /* +@@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) + err = mod_verify_sig(mod, info); + } + +- if (!err) { ++ switch (err) { ++ case 0: + info->sig_ok = true; + return 0; +- } + +- /* Not having a signature is only an error if we're strict. */ +- if (err == -ENOKEY && !is_module_sig_enforced()) +- err = 0; ++ /* We don't permit modules to be loaded into trusted kernels ++ * without a valid signature on them, but if we're not ++ * enforcing, certain errors are non-fatal. ++ */ ++ case -ENODATA: ++ reason = "Loading of unsigned module"; ++ goto decide; ++ case -ENOPKG: ++ reason = "Loading of module with unsupported crypto"; ++ goto decide; ++ case -ENOKEY: ++ reason = "Loading of module with unavailable key"; ++ decide: ++ if (is_module_sig_enforced()) { ++ pr_notice("%s is rejected\n", reason); ++ return -EKEYREJECTED; ++ } + +- return err; ++ if (kernel_is_locked_down(reason)) ++ return -EPERM; ++ return 0; + -+static int __init lockdown_lift_sysrq(void) -+{ -+ if (kernel_locked_down) { -+ lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; -+ register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); ++ /* All other errors are fatal, including nomem, unparseable ++ * signatures and signature check failures - even if signatures ++ * aren't required. ++ */ ++ default: ++ return err; + } -+ return 0; -+} -+ -+late_initcall(lockdown_lift_sysrq); -+ -+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ + } + #else /* !CONFIG_MODULE_SIG */ + static int module_sig_check(struct load_info *info, int flags) -- -2.14.3 +2.21.0 -From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001 +From 4da16916fdf7dd6271bc6f16c0f9c32f430e7b42 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH 05/24] Restrict /dev/{mem,kmem,port} when the kernel is locked +Date: Mon, 18 Feb 2019 12:44:58 +0000 +Subject: [PATCH 03/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down Allowing users to read and write to core kernel memory makes it possible @@ -536,31 +295,32 @@ thus DMA from being used to accomplish the same thing. Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +Cc: x86@kernel.org --- drivers/char/mem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index ffeb60d3434c..b2fca26e5765 100644 +index b08dc50f9f26..0a2f2e75d5f4 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c -@@ -784,6 +784,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) - +@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) + static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } - + -- -2.14.3 +2.21.0 -From a19b6b9637f114388cc7087176860eee962cac79 Mon Sep 17 00:00:00 2001 +From e6802bece8b23dea57d5dfe72dc8383d0fa7f89c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked +Date: Mon, 18 Feb 2019 12:44:58 +0000 +Subject: [PATCH 04/27] kexec_load: Disable at runtime if the kernel is locked down The kexec_load() syscall permits the loading and execution of arbitrary @@ -573,20 +333,19 @@ signature on the image to be booted. Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Dave Young <dyoung@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> -Reviewed-by: James Morris <james.l.morris@oracle.com> cc: kexec@lists.infradead.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- kernel/kexec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 68559808fdfa..041d505070e1 100644 +index 68559808fdfa..8ea0ce31271f 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -202,6 +202,13 @@ static inline int kexec_load_check(unsigned long nr_segments, - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) - return -EPERM; +@@ -207,6 +207,13 @@ static inline int kexec_load_check(unsigned long nr_segments, + if (result < 0) + return result; + /* + * kexec can be used to circumvent module loading restrictions, so @@ -595,16 +354,313 @@ index 68559808fdfa..041d505070e1 100644 + if (kernel_is_locked_down("kexec of unsigned images")) + return -EPERM; + - /* Permit LSMs and IMA to fail the kexec */ - result = security_kernel_load_data(LOADING_KEXEC_IMAGE); - if (result < 0) + /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. -- -2.17.1 +2.21.0 -From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001 +From 082fd91e5e574dff4063bc6062378ae581747c5a Mon Sep 17 00:00:00 2001 +From: Dave Young <dyoung@redhat.com> +Date: Mon, 18 Feb 2019 12:44:58 +0000 +Subject: [PATCH 05/27] Copy secure_boot flag in boot params across kexec + reboot + +Kexec reboot in case secure boot being enabled does not keep the secure +boot mode in new kernel, so later one can load unsigned kernel via legacy +kexec_load. In this state, the system is missing the protections provided +by secure boot. + +Adding a patch to fix this by retain the secure_boot flag in original +kernel. + +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the +stub. Fixing this issue by copying secure_boot flag across kexec reboot. + +Signed-off-by: Dave Young <dyoung@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: kexec@lists.infradead.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +--- + arch/x86/kernel/kexec-bzimage64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 278cd07228dd..d49554b948fd 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + if (efi_enabled(EFI_OLD_MEMMAP)) + return 0; + ++ params->secure_boot = boot_params.secure_boot; + ei->efi_loader_signature = current_ei->efi_loader_signature; + ei->efi_systab = current_ei->efi_systab; + ei->efi_systab_hi = current_ei->efi_systab_hi; +-- +2.21.0 + +From 4b84eb5e3c362deee572d47d12e8dd30d6ad1333 Mon Sep 17 00:00:00 2001 +From: Jiri Bohac <jbohac@suse.cz> +Date: Mon, 18 Feb 2019 12:44:58 +0000 +Subject: [PATCH 06/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and + KEXEC_SIG_FORCE + +This is a preparatory patch for kexec_file_load() lockdown. A locked down +kernel needs to prevent unsigned kernel images from being loaded with +kexec_file_load(). Currently, the only way to force the signature +verification is compiling with KEXEC_VERIFY_SIG. This prevents loading +usigned images even when the kernel is not locked down at runtime. + +This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. +Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG +turns on the signature verification but allows unsigned images to be +loaded. KEXEC_SIG_FORCE disallows images without a valid signature. + +[Modified by David Howells such that: + + (1) verify_pefile_signature() differentiates between no-signature and + sig-didn't-match in its returned errors. + + (2) kexec fails with EKEYREJECTED and logs an appropriate message if + signature checking is enforced and an signature is not found, uses + unsupported crypto or has no matching key. + + (3) kexec fails with EKEYREJECTED if there is a signature for which we + have a key, but signature doesn't match - even if in non-forcing mode. + + (4) kexec fails with EBADMSG or some other error if there is a signature + which cannot be parsed - even if in non-forcing mode. + + (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract + the signature - even if in non-forcing mode. + +] + +Signed-off-by: Jiri Bohac <jbohac@suse.cz> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Jiri Bohac <jbohac@suse.cz> +cc: kexec@lists.infradead.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +--- + arch/x86/Kconfig | 20 ++++++++--- + crypto/asymmetric_keys/verify_pefile.c | 4 ++- + include/linux/kexec.h | 4 +-- + kernel/kexec_file.c | 48 ++++++++++++++++++++++---- + 4 files changed, 61 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 4b4a7f32b68e..735d04a4b18f 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2016,20 +2016,30 @@ config KEXEC_FILE + config ARCH_HAS_KEXEC_PURGATORY + def_bool KEXEC_FILE + +-config KEXEC_VERIFY_SIG ++config KEXEC_SIG + bool "Verify kernel signature during kexec_file_load() syscall" + depends on KEXEC_FILE + ---help--- +- This option makes kernel signature verification mandatory for +- the kexec_file_load() syscall. + +- In addition to that option, you need to enable signature ++ This option makes the kexec_file_load() syscall check for a valid ++ signature of the kernel image. The image can still be loaded without ++ a valid signature unless you also enable KEXEC_SIG_FORCE, though if ++ there's a signature that we can check, then it must be valid. ++ ++ In addition to this option, you need to enable signature + verification for the corresponding kernel image type being + loaded in order for this to work. + ++config KEXEC_SIG_FORCE ++ bool "Require a valid signature in kexec_file_load() syscall" ++ depends on KEXEC_SIG ++ ---help--- ++ This option makes kernel signature verification mandatory for ++ the kexec_file_load() syscall. ++ + config KEXEC_BZIMAGE_VERIFY_SIG + bool "Enable bzImage signature verification support" +- depends on KEXEC_VERIFY_SIG ++ depends on KEXEC_SIG + depends on SIGNED_PE_FILE_VERIFICATION + select SYSTEM_TRUSTED_KEYRING + ---help--- +diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c +index d178650fd524..4473cea1e877 100644 +--- a/crypto/asymmetric_keys/verify_pefile.c ++++ b/crypto/asymmetric_keys/verify_pefile.c +@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, + + if (!ddir->certs.virtual_address || !ddir->certs.size) { + pr_debug("Unsigned PE binary\n"); +- return -EKEYREJECTED; ++ return -ENODATA; + } + + chkaddr(ctx->header_size, ddir->certs.virtual_address, +@@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, + * (*) 0 if at least one signature chain intersects with the keys in the trust + * keyring, or: + * ++ * (*) -ENODATA if there is no signature present. ++ * + * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a + * chain. + * +diff --git a/include/linux/kexec.h b/include/linux/kexec.h +index b9b1bc5f9669..58b27c7bdc2b 100644 +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, + unsigned long cmdline_len); + typedef int (kexec_cleanup_t)(void *loader_data); + +-#ifdef CONFIG_KEXEC_VERIFY_SIG ++#ifdef CONFIG_KEXEC_SIG + typedef int (kexec_verify_sig_t)(const char *kernel_buf, + unsigned long kernel_len); + #endif +@@ -134,7 +134,7 @@ struct kexec_file_ops { + kexec_probe_t *probe; + kexec_load_t *load; + kexec_cleanup_t *cleanup; +-#ifdef CONFIG_KEXEC_VERIFY_SIG ++#ifdef CONFIG_KEXEC_SIG + kexec_verify_sig_t *verify_sig; + #endif + }; +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index f1d0e00a3971..67f3a866eabe 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) + return kexec_image_post_load_cleanup_default(image); + } + +-#ifdef CONFIG_KEXEC_VERIFY_SIG ++#ifdef CONFIG_KEXEC_SIG + static int kexec_image_verify_sig_default(struct kimage *image, void *buf, + unsigned long buf_len) + { +@@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, + const char __user *cmdline_ptr, + unsigned long cmdline_len, unsigned flags) + { +- int ret = 0; ++ const char *reason; ++ int ret; + void *ldata; + loff_t size; + +@@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, + if (ret) + goto out; + +-#ifdef CONFIG_KEXEC_VERIFY_SIG ++#ifdef CONFIG_KEXEC_SIG + ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, + image->kernel_buf_len); +- if (ret) { +- pr_debug("kernel signature verification failed.\n"); ++#else ++ ret = -ENODATA; ++#endif ++ ++ switch (ret) { ++ case 0: ++ break; ++ ++ /* Certain verification errors are non-fatal if we're not ++ * checking errors, provided we aren't mandating that there ++ * must be a valid signature. ++ */ ++ case -ENODATA: ++ reason = "kexec of unsigned image"; ++ goto decide; ++ case -ENOPKG: ++ reason = "kexec of image with unsupported crypto"; ++ goto decide; ++ case -ENOKEY: ++ reason = "kexec of image with unavailable key"; ++ decide: ++ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { ++ pr_notice("%s rejected\n", reason); ++ ret = -EKEYREJECTED; ++ goto out; ++ } ++ ++ ret = 0; ++ break; ++ ++ /* All other errors are fatal, including nomem, unparseable ++ * signatures and signature check failures - even if signatures ++ * aren't required. ++ */ ++ default: ++ pr_notice("kernel signature verification failed (%d).\n", ret); + goto out; + } +- pr_debug("kernel signature verification successful.\n"); +-#endif ++ + /* It is possible that there no initramfs is being loaded */ + if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { + ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf, +-- +2.21.0 + +From 854a15bda329f93a425d592cd10d06c3a0486e75 Mon Sep 17 00:00:00 2001 +From: Jiri Bohac <jbohac@suse.cz> +Date: Mon, 18 Feb 2019 12:44:58 +0000 +Subject: [PATCH 07/27] kexec_file: Restrict at runtime if the kernel is locked + down + +When KEXEC_SIG is not enabled, kernel should not load images through +kexec_file systemcall if the kernel is locked down. + +[Modified by David Howells to fit with modifications to the previous patch + and to return -EPERM if the kernel is locked down for consistency with + other lockdowns. Modified by Matthew Garrett to remove the IMA + integration, which will be replaced by integrating with the IMA + architecture policy patches.] + +Signed-off-by: Jiri Bohac <jbohac@suse.cz> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Jiri Bohac <jbohac@suse.cz> +cc: kexec@lists.infradead.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +--- + kernel/kexec_file.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index 67f3a866eabe..0cfe4f6f7f85 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, + } + + ret = 0; ++ ++ if (kernel_is_locked_down(reason)) { ++ ret = -EPERM; ++ goto out; ++ } ++ + break; + + /* All other errors are fatal, including nomem, unparseable +-- +2.21.0 + +From 5077fcf70e31cb618274da06a8ef3b49aa92cda0 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Mon, 9 Apr 2018 09:52:47 +0100 -Subject: [PATCH 07/24] hibernate: Disable when the kernel is locked down +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 08/27] hibernate: Disable when the kernel is locked down There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -613,32 +669,34 @@ kernel is locked down. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Cc: rjw@rjwysocki.net +Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- kernel/power/hibernate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index 5454cc639a8d..629f158f5a0c 100644 +index abef759de7c8..802795becb88 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - + bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } - + /** -- -2.14.3 +2.21.0 -From 8732c1663d7c0305ae01ba5a1ee4d2299b7b4612 Mon Sep 17 00:00:00 2001 +From 6687ec57697209008a846f94b8079dd3b8c5426d Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:47 +0100 -Subject: [PATCH 08/24] uswsusp: Disable when the kernel is locked down +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 09/27] uswsusp: Disable when the kernel is locked down uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel @@ -646,34 +704,36 @@ is locked down. Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: James Morris <james.l.morris@oracle.com> cc: linux-pm@vger.kernel.org +Cc: pavel@ucw.cz +Cc: rjw@rjwysocki.net +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- kernel/power/user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c -index 75c959de4b29..959b336d8eca 100644 +index 2d8b60a3c86b..0305d513c274 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; - + + if (kernel_is_locked_down("/dev/snapshot")) + return -EPERM; + lock_system_sleep(); - + if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -2.14.3 +2.21.0 -From 4f5f0aae410d1929872eec346954c85e3a85f4f3 Mon Sep 17 00:00:00 2001 +From 074f89fba44418ebcf18e0ebbf1ed63fbc0b1d49 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 09/24] PCI: Lock down BAR access when the kernel is locked +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down Any hardware that can potentially generate DMA has to be locked down in @@ -685,8 +745,8 @@ sufficiently IOMMU-isolated devices. Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Bjorn Helgaas <bhelgaas@google.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: linux-pci@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/pci/pci-sysfs.c | 9 +++++++++ drivers/pci/proc.c | 9 ++++++++- @@ -694,30 +754,30 @@ cc: linux-pci@vger.kernel.org 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 366d93af051d..1e149ec006a4 100644 +index 9ecfe13157c0..40c14574fcf8 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c -@@ -903,6 +903,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, +@@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -1165,6 +1168,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; - -@@ -1240,6 +1246,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, + +@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -726,15 +786,15 @@ index 366d93af051d..1e149ec006a4 100644 + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } - + diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 1ee8927a0635..469445a9019b 100644 +index 6fa1627ce08d..1549cdd0710e 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + @@ -744,7 +804,7 @@ index 1ee8927a0635..469445a9019b 100644 @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + @@ -754,12 +814,12 @@ index 1ee8927a0635..469445a9019b 100644 @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - + - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; - + if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..b8a08d3166a1 100644 @@ -768,20 +828,20 @@ index d96626c614f5..b8a08d3166a1 100644 @@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - + - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; - + dev = pci_get_domain_bus_and_slot(0, bus, dfn); -- -2.14.3 +2.21.0 -From 677537cdec42804f1936b57ffaa6181f633bc015 Mon Sep 17 00:00:00 2001 +From 206cc8259d1da899524e42e506c5ea975a28082a Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 10/24] x86: Lock down IO port access when the kernel is locked +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down IO port access would permit users to gain access to PCI configuration @@ -795,8 +855,8 @@ KDDISABIO console ioctls. Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: x86@kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- arch/x86/kernel/ioport.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) @@ -806,14 +866,14 @@ index 0fe1c8782208..abc702a6ae9c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) - + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; - + /* @@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; @@ -826,12 +886,12 @@ index 0fe1c8782208..abc702a6ae9c 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | -- -2.14.3 +2.21.0 -From f005be07fababf8c698a556fe465871ad168c9d9 Mon Sep 17 00:00:00 2001 +From 8138905c5c6ff3c6a54913a41a658c17496de070 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down Writing to MSRs should not be allowed if the kernel is locked down, since @@ -845,20 +905,20 @@ Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: x86@kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- arch/x86/kernel/msr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index ef688804f80d..dfb61d358196 100644 +index 4588414e2561..f5a2cf07972f 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; - + + if (kernel_is_locked_down("Direct MSR access")) { + pr_info("Direct access to MSR %x\n", reg); + return -EPERM; @@ -866,7 +926,7 @@ index ef688804f80d..dfb61d358196 100644 + if (count % 8) return -EINVAL; /* Invalid chunk size */ - + @@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; @@ -880,12 +940,12 @@ index ef688804f80d..dfb61d358196 100644 if (err) break; -- -2.14.3 +2.21.0 -From 0a48b7c936757dda851ab2d3ecde7f6a79de7a5b Mon Sep 17 00:00:00 2001 +From 8f7a5950f729e8eb182a260286155940d8cdfe40 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 9 Apr 2018 09:52:48 +0100 -Subject: [PATCH 12/24] ACPI: Limit access to custom_method when the kernel is +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 13/27] ACPI: Limit access to custom_method when the kernel is locked down custom_method effectively allows arbitrary access to system memory, making @@ -894,20 +954,20 @@ Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: linux-acpi@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/acpi/custom_method.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index e967c1173ba3..a07fbe999eb6 100644 +index 4451877f83b6..ac8a90dc7096 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; - + + if (kernel_is_locked_down("ACPI custom methods")) + return -EPERM; + @@ -915,12 +975,12 @@ index e967c1173ba3..a07fbe999eb6 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.14.3 +2.21.0 -From 2ed74b084366d7dba7b4a611ba13d99b82c4e11e Mon Sep 17 00:00:00 2001 +From 72e33c3bf28a388e657955143c0cbea7afa2e522 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> -Date: Mon, 9 Apr 2018 09:52:49 +0100 -Subject: [PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has +Date: Mon, 18 Feb 2019 12:44:59 +0000 +Subject: [PATCH 14/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down This option allows userspace to pass the RSDP address to the kernel, which @@ -929,20 +989,20 @@ the option when the kernel is locked down. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: Dave Young <dyoung@redhat.com> cc: linux-acpi@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/acpi/osl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 7ca41bf023c9..34e4ce7939f4 100644 +index f29e427d0d1d..3e44cef7a0cd 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c -@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) +@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa; - + #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) @@ -950,12 +1010,12 @@ index 7ca41bf023c9..34e4ce7939f4 100644 #endif pa = acpi_arch_get_root_pointer(); -- -2.14.3 +2.21.0 -From 7fb2ddf683c23cc4b227d7d75a5d039970ca910e Mon Sep 17 00:00:00 2001 +From 6a23b59330d20f81b610a4f140bd29f54ceb577a Mon Sep 17 00:00:00 2001 From: Linn Crosetto <linn@hpe.com> -Date: Mon, 9 Apr 2018 09:52:49 +0100 -Subject: [PATCH 14/24] acpi: Disable ACPI table override if the kernel is +Date: Mon, 18 Feb 2019 12:45:00 +0000 +Subject: [PATCH 15/27] acpi: Disable ACPI table override if the kernel is locked down From the kernel documentation (initrd_table_override.txt): @@ -970,20 +1030,20 @@ so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto <linn@hpe.com> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: linux-acpi@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/acpi/tables.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index 849c4fb19b03..6c5ee7e66842 100644 +index 48eabb6c2d4f..f3b4117cd8f3 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c -@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void) +@@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; - + + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; @@ -993,12 +1053,12 @@ index 849c4fb19b03..6c5ee7e66842 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- -2.14.3 +2.21.0 -From d1ff6505c76cec9438217f2c284f024a1ac2ac59 Mon Sep 17 00:00:00 2001 +From 97f806b68d7286ec7026f802c22c5fb5a6311a45 Mon Sep 17 00:00:00 2001 From: Linn Crosetto <linn@hpe.com> -Date: Mon, 9 Apr 2018 09:52:50 +0100 -Subject: [PATCH 15/24] acpi: Disable APEI error injection if the kernel is +Date: Mon, 18 Feb 2019 12:45:00 +0000 +Subject: [PATCH 16/27] acpi: Disable APEI error injection if the kernel is locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing @@ -1018,20 +1078,20 @@ the kernel is locked down. Signed-off-by: Linn Crosetto <linn@hpe.com> Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> cc: linux-acpi@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/acpi/apei/einj.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index b38737c83a24..6d71e1e97b20 100644 +index fcccbfdbdd1a..9fe6bbab2e7d 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, int rc; u64 base_addr, size; - + + if (kernel_is_locked_down("ACPI error injection")) + return -EPERM; + @@ -1039,12 +1099,12 @@ index b38737c83a24..6d71e1e97b20 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) -- -2.14.3 +2.21.0 -From 3153be0328e3a752aacab95d503fbd460f517402 Mon Sep 17 00:00:00 2001 +From afc8d146b3f5a9a24338bd6588c55b6e70024f87 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:37 +0100 -Subject: [PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked +Date: Mon, 18 Feb 2019 12:45:00 +0000 +Subject: [PATCH 17/27] Prohibit PCMCIA CIS storage when the kernel is locked down Prohibit replacement of the PCMCIA Card Information Structure when the @@ -1053,31 +1113,32 @@ kernel is locked down. Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: David Howells <dhowells@redhat.com> cc: linux-pcmcia@lists.infradead.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/pcmcia/cistpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index 102646fedb56..e46c948d7246 100644 +index ac0672b8dfca..8adf092d0e18 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; - + + if (kernel_is_locked_down("Direct PCMCIA CIS storage")) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); - + if (off) -- -2.14.3 +2.21.0 -From 9fedc1427e8589edf2e16a481f8588711adba69a Mon Sep 17 00:00:00 2001 +From ff1d4a9114a86373a24fe52b0b5a9503ad4fab1b Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:37 +0100 -Subject: [PATCH 17/24] Lock down TIOCSSERIAL +Date: Mon, 18 Feb 2019 12:45:00 +0000 +Subject: [PATCH 18/27] Lock down TIOCSSERIAL Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial @@ -1087,18 +1148,20 @@ ignore attempts to change port/irq or give an error. Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: David Howells <dhowells@redhat.com> cc: Jiri Slaby <jslaby@suse.com> +Cc: linux-serial@vger.kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- drivers/tty/serial/serial_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 0466f9f08a91..360f8e4416c4 100644 +index d4cca5bdaf1c..04534877b575 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c -@@ -829,6 +829,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, +@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; - + + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { + retval = -EPERM; @@ -1109,12 +1172,12 @@ index 0466f9f08a91..360f8e4416c4 100644 retval = -EPERM; if (change_irq || change_port || -- -2.14.3 +2.21.0 -From f8fd52e2b077ce5a993807f8fc6e27a17cf4d19f Mon Sep 17 00:00:00 2001 +From 2465b843e56020672d9704d3ab925a0399184e36 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:37 +0100 -Subject: [PATCH 18/24] Lock down module params that specify hardware +Date: Mon, 18 Feb 2019 12:45:01 +0000 +Subject: [PATCH 19/27] Lock down module params that specify hardware parameters (eg. ioport) Provided an annotation for module parameters that specify hardware @@ -1123,18 +1186,19 @@ dma buffers and other types). Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c -index cc9108c2a1fd..2c08c4aa376b 100644 +index ce89f757e6da..8ac751c938f8 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } - + -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) @@ -1150,7 +1214,7 @@ index cc9108c2a1fd..2c08c4aa376b 100644 + return false; + return true; } - + static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, @@ -1168,7 +1232,7 @@ index cc9108c2a1fd..2c08c4aa376b 100644 @@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } - + +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else @@ -1180,7 +1244,7 @@ index cc9108c2a1fd..2c08c4aa376b 100644 struct module_kobject *mk, @@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; - + kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); @@ -1192,12 +1256,12 @@ index cc9108c2a1fd..2c08c4aa376b 100644 if (!err) return len; -- -2.14.3 +2.21.0 -From 9c88e2ab392f5ac9c80529e43175fe65d00cdb67 Mon Sep 17 00:00:00 2001 +From 7b4a19032dfd343a927c2fa4b1cd83a2d0c81bc0 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module +Date: Mon, 18 Feb 2019 12:45:01 +0000 +Subject: [PATCH 20/27] x86/mmiotrace: Lock down the testmmiotrace module The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. @@ -1209,6 +1273,7 @@ cc: Steven Rostedt <rostedt@goodmis.org> cc: Ingo Molnar <mingo@kernel.org> cc: "H. Peter Anvin" <hpa@zytor.com> cc: x86@kernel.org +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- arch/x86/mm/testmmiotrace.c | 3 +++ 1 file changed, 3 insertions(+) @@ -1220,7 +1285,7 @@ index f6ae6830b341..bbaad357f5d7 100644 @@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); - + + if (kernel_is_locked_down("MMIO trace testing")) + return -EPERM; + @@ -1228,42 +1293,43 @@ index f6ae6830b341..bbaad357f5d7 100644 pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); -- -2.14.3 +2.21.0 -From 256e20401f9f5dd19028d4220095897a15daa67c Mon Sep 17 00:00:00 2001 +From a7e2f1bfd9eda4cde25effdd7e663b68e31a36cf Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 20/24] Lock down /proc/kcore +Date: Mon, 18 Feb 2019 12:45:02 +0000 +Subject: [PATCH 21/27] Lock down /proc/kcore Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: James Morris <james.l.morris@oracle.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c -index d1e82761de81..cdebdee81719 100644 +index bbcc185062bb..d50ebfbf3dbb 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c -@@ -546,6 +546,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) - +@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) + static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore")) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; - + -- -2.14.3 +2.21.0 -From f68ca24bc8d8a64cf30e59a595fad0e6782e933f Mon Sep 17 00:00:00 2001 +From 0b8b0a68642ba0dedb57f7c734a7cc84d96cd30c Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 21/24] Lock down kprobes +Date: Mon, 18 Feb 2019 12:45:02 +0000 +Subject: [PATCH 22/27] Lock down kprobes Disallow the creation of kprobes when the kernel is locked down by preventing their registration. This prevents kprobes from being used to @@ -1271,18 +1337,23 @@ access kernel memory, either to make modifications or to steal crypto data. Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com> +Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com> +Cc: davem@davemloft.net +Cc: Masami Hiramatsu <mhiramat@kernel.org> --- kernel/kprobes.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index 102160ff5c66..4f5757732553 100644 +index f4ddfdd2d07e..6f66cca8e2c6 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c -@@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p) +@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; - + + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + @@ -1290,29 +1361,75 @@ index 102160ff5c66..4f5757732553 100644 addr = kprobe_addr(p); if (IS_ERR(addr)) -- -2.14.3 +2.21.0 -From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001 +From 2128009ce3291b0c4ced8672e68c6b57fc0202a8 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 23/24] Lock down perf +Date: Mon, 18 Feb 2019 12:45:02 +0000 +Subject: [PATCH 23/27] bpf: Restrict kernel image access functions when the + kernel is locked down + +There are some bpf functions can be used to read kernel memory: +bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow +private keys in kernel memory (e.g. the hibernation image signing key) to +be read by an eBPF program and kernel memory to be altered without +restriction. + +Completely prohibit the use of BPF when the kernel is locked down. + +Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: netdev@vger.kernel.org +cc: Chun-Yi Lee <jlee@suse.com> +cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> +Cc: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +--- + kernel/bpf/syscall.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index b155cd17c1bd..2cde39a875aa 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz + if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (kernel_is_locked_down("BPF")) ++ return -EPERM; ++ + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); + if (err) + return err; +-- +2.21.0 + +From 2fba6ffa91430a0c2a3177c6a5a0982deb966781 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 18 Feb 2019 12:45:02 +0000 +Subject: [PATCH 24/27] Lock down perf Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Arnaldo Carvalho de Melo <acme@kernel.org> --- kernel/events/core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c -index fc1c330c6bd6..1922f2e0980a 100644 +index 3cd13a30f732..7748c6f39992 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c -@@ -10407,6 +10407,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -10461,6 +10461,11 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } - + + if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && + kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) + /* REGS_INTR can leak data, lockdown must prevent this */ @@ -1322,12 +1439,12 @@ index fc1c330c6bd6..1922f2e0980a 100644 if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) -- -2.14.3 +2.21.0 -From fe5091f97838c8c64b891280bcd30367e71cd5c3 Mon Sep 17 00:00:00 2001 +From 8972429a68131c4e1387978697d8cd3e3a51fce2 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked +Date: Mon, 18 Feb 2019 12:45:02 +0000 +Subject: [PATCH 25/27] debugfs: Restrict debugfs when the kernel is locked down Disallow opening of debugfs files that might be used to muck around when @@ -1365,19 +1482,21 @@ cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett <mjg59@srcf.ucam.org> cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 1f99678ff5d3..51cb894c21f2 100644 +index 4fce1da7db23..c33042c1eff3 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) } EXPORT_SYMBOL_GPL(debugfs_file_put); - + +/* + * Only permit access to world-readable files when the kernel is locked down. + * We also need to exclude any file that has ways to write or alter it as root @@ -1402,7 +1521,7 @@ index 1f99678ff5d3..51cb894c21f2 100644 struct dentry *dentry = F_DENTRY(filp); @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; - + real_fops = debugfs_real_fops(filp); + + r = -EPERM; @@ -1414,7 +1533,7 @@ index 1f99678ff5d3..51cb894c21f2 100644 /* Huh? Module did not clean up after itself at exit? */ @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; - + real_fops = debugfs_real_fops(filp); + r = -EPERM; + if (debugfs_is_locked_down(inode, filp, real_fops)) @@ -1430,7 +1549,7 @@ index 13b01351dd1c..4daec17b8215 100644 @@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount; static int debugfs_mount_count; static bool debugfs_registered; - + +/* + * Don't allow access attributes to be changed whilst the kernel is locked down + * so that we can use the file mode as part of a heuristic to determine whether @@ -1462,19 +1581,19 @@ index 13b01351dd1c..4daec17b8215 100644 @@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, inode->i_mode = mode; inode->i_private = data; - + + inode->i_op = &debugfs_file_inode_operations; inode->i_fop = proxy_fops; dentry->d_fsdata = (void *)((unsigned long)real_fops | DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); -@@ -515,7 +541,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) +@@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) return failed_creating(dentry); inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; - inode->i_op = &simple_dir_inode_operations; + inode->i_op = &debugfs_dir_inode_operations; inode->i_fop = &simple_dir_operations; - + /* directory inodes start off with i_nlink == 2 (for "." entry) */ @@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, return failed_creating(dentry); @@ -1486,151 +1605,192 @@ index 13b01351dd1c..4daec17b8215 100644 d_instantiate(dentry, inode); return end_creating(dentry); -- -2.14.3 - -From patchwork Wed Nov 21 12:05:10 2018 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Vasily Gorbik <gor@linux.ibm.com> -X-Patchwork-Id: 1015495 -Return-Path: <SRS0=ejdu=OA=vger.kernel.org=linux-kernel-owner@kernel.org> -Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) - by smtp.lore.kernel.org (Postfix) with ESMTP id AF80FC04EBA - for <linux-kernel@archiver.kernel.org>; Wed, 21 Nov 2018 12:05:25 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 80EA921479 - for <linux-kernel@archiver.kernel.org>; Wed, 21 Nov 2018 12:05:25 +0000 (UTC) -DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 80EA921479 -Authentication-Results: mail.kernel.org; - dmarc=fail (p=none dis=none) header.from=linux.ibm.com -Authentication-Results: mail.kernel.org; - spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1730155AbeKUWjb (ORCPT - <rfc822;linux-kernel@archiver.kernel.org>); - Wed, 21 Nov 2018 17:39:31 -0500 -Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:33574 "EHLO - mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) - by vger.kernel.org with ESMTP id S1729128AbeKUWjb (ORCPT - <rfc822;linux-kernel@vger.kernel.org>); - Wed, 21 Nov 2018 17:39:31 -0500 -Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) - by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id - wALBx6kw056071 - for <linux-kernel@vger.kernel.org>; Wed, 21 Nov 2018 07:05:22 -0500 -Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) - by mx0b-001b2d01.pphosted.com with ESMTP id 2nw5p847fp-1 - (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) - for <linux-kernel@vger.kernel.org>; Wed, 21 Nov 2018 07:05:22 -0500 -Received: from localhost - by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use - Only! Violators will be prosecuted - for <linux-kernel@vger.kernel.org> from <gor@linux.ibm.com>; - Wed, 21 Nov 2018 12:05:20 -0000 -Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) - by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: - Authorized Use Only! Violators will be prosecuted; - (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) - Wed, 21 Nov 2018 12:05:17 -0000 -Received: from b06wcsmtp001.portsmouth.uk.ibm.com - (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) - by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with - ESMTP id wALC5GXF60817580 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 - verify=FAIL); - Wed, 21 Nov 2018 12:05:16 GMT -Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) - by IMSVA (Postfix) with ESMTP id 4EB1CA4060; - Wed, 21 Nov 2018 12:05:16 +0000 (GMT) -Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) - by IMSVA (Postfix) with ESMTP id 0C844A405F; - Wed, 21 Nov 2018 12:05:16 +0000 (GMT) -Received: from localhost (unknown [9.152.212.229]) - by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTPS; - Wed, 21 Nov 2018 12:05:15 +0000 (GMT) -Date: Wed, 21 Nov 2018 13:05:10 +0100 -From: Vasily Gorbik <gor@linux.ibm.com> -To: David Howells <dhowells@redhat.com>, - James Morris <jmorris@namei.org> -Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>, - Greg Kroah-Hartman <gregkh@linuxfoundation.org>, - linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org -Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file - operation defined -References: <4136.1522452584@warthog.procyon.org.uk> - <cover.thread-bfac1b.your-ad-here.call-01542799656-ext-6093@work.hours> -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf-8 -Content-Disposition: inline -In-Reply-To: - <cover.thread-bfac1b.your-ad-here.call-01542799656-ext-6093@work.hours> -X-TM-AS-GCONF: 00 -x-cbid: 18112112-0008-0000-0000-000002963F3F -X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused -x-cbparentid: 18112112-0009-0000-0000-000022006F52 -Message-Id: - <patch-1.thread-bfac1b.git-bfac1b60354c.your-ad-here.call-01542799656-ext-6093@work.hours> -X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, - definitions=2018-11-21_05:,, - signatures=0 -X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 - priorityscore=1501 - malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 - clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 - mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx - scancount=1 engine=8.0.1-1810050000 definitions=main-1811210107 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: <linux-kernel.vger.kernel.org> -X-Mailing-List: linux-kernel@vger.kernel.org - -With "debugfs: Restrict debugfs when the kernel is locked down" -return code "r" is unconditionally set to -EPERM, which stays like that -until function return if no "open" file operation defined, effectivelly -resulting in "Operation not permitted" for all such files despite kernel -lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled. - -In particular this breaks 2 debugfs files on s390: -/sys/kernel/debug/s390_hypfs/diag_304 -/sys/kernel/debug/s390_hypfs/diag_204 - -To address that set EPERM return code only when debugfs_is_locked_down -returns true. - -Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down") -Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> +2.21.0 + +From e9bf5c2e6f6cad9c992b5195af04d1f6500aa3ed Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 28 Feb 2018 14:43:03 +0000 +Subject: [PATCH 26/27] lockdown: Print current->comm in restriction messages + +Print the content of current->comm in messages generated by lockdown to +indicate a restriction that was hit. This makes it a bit easier to find +out what caused the message. + +The message now patterned something like: + + Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7 + +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Matthew Garrett <matthewgarrett@google.com> --- - fs/debugfs/file.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) + security/lock_down.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 51cb894c21f2..89c86faaa02a 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) +diff --git a/security/lock_down.c b/security/lock_down.c +index 18d8776a4d02..ee00ca2677e7 100644 +--- a/security/lock_down.c ++++ b/security/lock_down.c +@@ -53,8 +53,8 @@ void __init init_lockdown(void) + bool __kernel_is_locked_down(const char *what, bool first) + { + if (what && first && kernel_locked_down) +- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", +- what); ++ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", ++ current->comm, what); + return kernel_locked_down; + } + EXPORT_SYMBOL(__kernel_is_locked_down); +-- +2.21.0 + +From 1c57935ab108280aa79fe4420d4bc13e19bd38e2 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthewgarrett@google.com> +Date: Tue, 12 Mar 2019 12:50:30 -0700 +Subject: [PATCH 27/27] kexec: Allow kexec_file() with appropriate IMA policy + when locked down + +Systems in lockdown mode should block the kexec of untrusted kernels. +For x86 and ARM we can ensure that a kernel is trustworthy by validating +a PE signature, but this isn't possible on other architectures. On those +platforms we can use IMA digital signatures instead. Add a function to +determine whether IMA has or will verify signatures for a given event type, +and if so permit kexec_file() even if the kernel is otherwise locked down. +This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set +in order to prevent an attacker from loading additional keys at runtime. + +Signed-off-by: Matthew Garrett <mjg59@google.com> +Acked-by: Mimi Zohar <zohar@linux.ibm.com> +Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> +Cc: linux-integrity@vger.kernel.org +--- + include/linux/ima.h | 9 ++++++ + kernel/kexec_file.c | 7 +++- + security/integrity/ima/ima.h | 2 ++ + security/integrity/ima/ima_main.c | 2 +- + security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ + 5 files changed, 68 insertions(+), 2 deletions(-) + +diff --git a/include/linux/ima.h b/include/linux/ima.h +index b5e16b8c50b7..60007b86f4fc 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -127,4 +127,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, + return 0; + } + #endif /* CONFIG_IMA_APPRAISE */ ++ ++#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) ++extern bool ima_appraise_signature(enum kernel_read_file_id func); ++#else ++static inline bool ima_appraise_signature(enum kernel_read_file_id func) ++{ ++ return false; ++} ++#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ + #endif /* _LINUX_IMA_H */ +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index a1cc37c8b43b..7599039623a7 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - real_fops = debugfs_real_fops(filp); + ret = 0; -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } +- if (kernel_is_locked_down(reason)) { ++ /* If IMA is guaranteed to appraise a signature on the kexec ++ * image, permit it even if the kernel is otherwise locked ++ * down. ++ */ ++ if (!ima_appraise_signature(READING_KEXEC_IMAGE) && ++ kernel_is_locked_down(reason)) { + ret = -EPERM; + goto out; + } +diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h +index cc12f3449a72..fe03cc6f1ca4 100644 +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -115,6 +115,8 @@ struct ima_kexec_hdr { + u64 count; + }; - real_fops = fops_get(real_fops); - if (!real_fops) { -@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; ++extern const int read_idmap[]; ++ + #ifdef CONFIG_HAVE_IMA_KEXEC + void ima_load_kexec_buffer(void); + #else +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index 4ffac4f5c647..106f06dee9d1 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -442,7 +442,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) + return 0; + } - real_fops = debugfs_real_fops(filp); -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; +-static const int read_idmap[READING_MAX_ID] = { ++const int read_idmap[READING_MAX_ID] = { + [READING_FIRMWARE] = FIRMWARE_CHECK, + [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, + [READING_MODULE] = MODULE_CHECK, +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 122797023bdb..f8f1cdb74a4f 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -1341,3 +1341,53 @@ int ima_policy_show(struct seq_file *m, void *v) + return 0; + } + #endif /* CONFIG_IMA_READ_POLICY */ ++ ++#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) ++/* ++ * ima_appraise_signature: whether IMA will appraise a given function using ++ * an IMA digital signature. This is restricted to cases where the kernel ++ * has a set of built-in trusted keys in order to avoid an attacker simply ++ * loading additional keys. ++ */ ++bool ima_appraise_signature(enum kernel_read_file_id id) ++{ ++ struct ima_rule_entry *entry; ++ bool found = false; ++ enum ima_hooks func; ++ ++ if (id >= READING_MAX_ID) ++ return false; ++ ++ func = read_idmap[id] ?: FILE_CHECK; ++ ++ rcu_read_lock(); ++ list_for_each_entry_rcu(entry, ima_rules, list) { ++ if (entry->action != APPRAISE) ++ continue; ++ ++ /* ++ * A generic entry will match, but otherwise require that it ++ * match the func we're looking for ++ */ ++ if (entry->func && entry->func != func) ++ continue; ++ ++ /* ++ * We require this to be a digital signature, not a raw IMA ++ * hash. ++ */ ++ if (entry->flags & IMA_DIGSIG_REQUIRED) ++ found = true; ++ ++ /* ++ * We've found a rule that matches, so break now even if it ++ * didn't require a digital signature - a later rule that does ++ * won't override it, so would be a false positive. ++ */ ++ break; + } - - real_fops = fops_get(real_fops); - if (!real_fops) { ++ ++ rcu_read_unlock(); ++ return found; ++} ++#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ +-- +2.21.0 + |