From 135abd0c282fbe19d4565c75b6c058d388cfd2bc Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 20 Oct 2017 16:22:53 -0500 Subject: Linux v4.14-rc5-94-g9a27ded2195a --- ...ce-between-updating-and-finding-negative-.patch | 258 ------ efi-lockdown.patch | 928 +++++++-------------- gitrev | 2 +- kernel.spec | 6 +- sources | 2 +- 5 files changed, 325 insertions(+), 871 deletions(-) delete mode 100644 KEYS-fix-race-between-updating-and-finding-negative-.patch diff --git a/KEYS-fix-race-between-updating-and-finding-negative-.patch b/KEYS-fix-race-between-updating-and-finding-negative-.patch deleted file mode 100644 index e72cdaf4a..000000000 --- a/KEYS-fix-race-between-updating-and-finding-negative-.patch +++ /dev/null @@ -1,258 +0,0 @@ -From 4b244721c11c2f66052ceadd8ef6c48a53290e10 Mon Sep 17 00:00:00 2001 -From: Eric Biggers -Date: Wed, 27 Sep 2017 12:50:42 -0700 -Subject: [PATCH] KEYS: fix race between updating and finding negative key - -In keyring_search_iterator() and in wait_for_key_construction(), we -check whether the key has been negatively instantiated, and if so return -the key's ->reject_error. - -However, no lock is held during this, and ->reject_error is in union -with ->payload. And it's impossible for KEY_FLAG_NEGATIVE to be updated -atomically with respect to ->reject_error and ->payload. - -Most problematically, when a negative key is positively instantiated via -__key_update() (via sys_add_key()), ->payload is initialized first, then -KEY_FLAG_NEGATIVE is cleared. But that means that ->reject_error can be -observed to have a bogus value, having been overwritten with ->payload, -while the key still appears to be "negative". Clearing -KEY_FLAG_NEGATIVE first wouldn't work either, since then anyone who -accesses the payload under rcu_read_lock() rather than the key semaphore -might observe an uninitialized ->payload. Nor can we just always take -the key's semaphore when checking whether the key is negative, since -keyring searches happen under rcu_read_lock(). - -Therefore, fix the bug by moving ->reject_error into the high bits of -->flags so that we can read and write it atomically with respect to -KEY_FLAG_NEGATIVE and KEY_FLAG_INSTANTIATED. - -This will also allow KEY_FLAG_NEGATIVE to be removed, since tests for -KEY_FLAG_NEGATIVE can be replaced with tests for nonzero reject_error. -But for ease of backporting this fix, that is left for a later patch. - -This fixes a kernel crash caused by the following program: - - #include - #include - #include - - int main(void) - { - int ringid = keyctl_join_session_keyring(NULL); - - if (fork()) { - for (;;) { - usleep(rand() % 4096); - add_key("user", "desc", "x", 1, ringid); - keyctl_clear(ringid); - } - } else { - for (;;) - request_key("user", "desc", "", ringid); - } - } - -Here is the crash: - - BUG: unable to handle kernel paging request at fffffffffd39a6b0 - IP: __key_link_begin+0x0/0x100 - PGD 7a0a067 P4D 7a0a067 PUD 7a0c067 PMD 0 - Oops: 0000 [#1] SMP - CPU: 1 PID: 165 Comm: keyctl_negate_r Not tainted 4.14.0-rc1 #377 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014 - task: ffff9791fd809140 task.stack: ffffacba402bc000 - RIP: 0010:__key_link_begin+0x0/0x100 - RSP: 0018:ffffacba402bfdc8 EFLAGS: 00010282 - RAX: ffff9791fd809140 RBX: fffffffffd39a620 RCX: 0000000000000008 - RDX: ffffacba402bfdd0 RSI: fffffffffd39a6a0 RDI: ffff9791fd810600 - RBP: ffffacba402bfdf8 R08: 0000000000000063 R09: ffffffff94845620 - R10: 8080808080808080 R11: 0000000000000004 R12: ffff9791fd810600 - R13: ffff9791fd39a940 R14: fffffffffd39a6a0 R15: 0000000000000000 - FS: 00007fbf14a90740(0000) GS:ffff9791ffd00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: fffffffffd39a6b0 CR3: 000000003b910003 CR4: 00000000003606e0 - Call Trace: - ? key_link+0x28/0xb0 - ? search_process_keyrings+0x13/0x100 - request_key_and_link+0xcb/0x550 - ? keyring_instantiate+0x110/0x110 - ? key_default_cmp+0x20/0x20 - SyS_request_key+0xc0/0x160 - ? exit_to_usermode_loop+0x5e/0x80 - entry_SYSCALL_64_fastpath+0x1a/0xa5 - RIP: 0033:0x7fbf14190bb9 - RSP: 002b:00007ffd8e4fe6c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f9 - RAX: ffffffffffffffda RBX: 0000000036cc28fb RCX: 00007fbf14190bb9 - RDX: 000055748b56ca4a RSI: 000055748b56ca46 RDI: 000055748b56ca4b - RBP: 000055748b56ca4a R08: 0000000000000001 R09: 0000000000000001 - R10: 0000000036cc28fb R11: 0000000000000246 R12: 000055748b56c8b0 - R13: 00007ffd8e4fe7d0 R14: 0000000000000000 R15: 0000000000000000 - Code: c5 0f 85 69 ff ff ff 48 c7 c3 82 ff ff ff eb ab 45 31 ed e9 18 ff ff ff 85 c0 75 8d eb d2 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 <48> 83 7e 10 00 0f 84 c5 00 00 00 55 48 89 e5 41 57 41 56 41 55 - RIP: __key_link_begin+0x0/0x100 RSP: ffffacba402bfdc8 - CR2: fffffffffd39a6b0 - -Fixes: 146aa8b1453b ("KEYS: Merge the type-specific data with the payload data") -Cc: [v4.4+] -Signed-off-by: Eric Biggers ---- - include/linux/key.h | 12 +++++++++++- - security/keys/key.c | 26 +++++++++++++++++++------- - security/keys/keyctl.c | 3 +++ - security/keys/keyring.c | 4 ++-- - security/keys/request_key.c | 11 +++++++---- - 5 files changed, 42 insertions(+), 14 deletions(-) - -diff --git a/include/linux/key.h b/include/linux/key.h -index e315e16b6ff8..b7b590d7c480 100644 ---- a/include/linux/key.h -+++ b/include/linux/key.h -@@ -189,6 +189,17 @@ struct key { - #define KEY_FLAG_KEEP 10 /* set if key should not be removed */ - #define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */ - -+ /* -+ * If the key is negatively instantiated, then bits 20-31 hold the error -+ * code which should be returned when someone tries to use the key -+ * (unless they allow negative keys). The error code is stored as a -+ * positive number, so it must be negated before being returned. -+ * -+ * Note that a key can go from negative to positive but not vice versa. -+ */ -+#define KEY_FLAGS_REJECT_ERROR_SHIFT 20 -+#define KEY_FLAGS_REJECT_ERROR_MASK 0xFFF00000 -+ - /* the key type and key description string - * - the desc is used to match a key against search criteria - * - it should be a printable string -@@ -213,7 +224,6 @@ struct key { - struct list_head name_link; - struct assoc_array keys; - }; -- int reject_error; - }; - - /* This is set on a keyring to restrict the addition of a link to a key -diff --git a/security/keys/key.c b/security/keys/key.c -index eb914a838840..786158d3442e 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -401,6 +401,20 @@ int key_payload_reserve(struct key *key, size_t datalen) - } - EXPORT_SYMBOL(key_payload_reserve); - -+static void mark_key_instantiated(struct key *key, unsigned int reject_error) -+{ -+ unsigned long old, new; -+ -+ do { -+ old = READ_ONCE(key->flags); -+ new = (old & ~((1 << KEY_FLAG_NEGATIVE) | -+ KEY_FLAGS_REJECT_ERROR_MASK)) | -+ (1 << KEY_FLAG_INSTANTIATED) | -+ (reject_error ? (1 << KEY_FLAG_NEGATIVE) : 0) | -+ (reject_error << KEY_FLAGS_REJECT_ERROR_SHIFT); -+ } while (cmpxchg_release(&key->flags, old, new) != old); -+} -+ - /* - * Instantiate a key and link it into the target keyring atomically. Must be - * called with the target keyring's semaphore writelocked. The target key's -@@ -431,7 +445,7 @@ static int __key_instantiate_and_link(struct key *key, - if (ret == 0) { - /* mark the key as being instantiated */ - atomic_inc(&key->user->nikeys); -- set_bit(KEY_FLAG_INSTANTIATED, &key->flags); -+ mark_key_instantiated(key, 0); - - if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) - awaken = 1; -@@ -580,10 +594,8 @@ int key_reject_and_link(struct key *key, - if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { - /* mark the key as being negatively instantiated */ - atomic_inc(&key->user->nikeys); -- key->reject_error = -error; -- smp_wmb(); -- set_bit(KEY_FLAG_NEGATIVE, &key->flags); -- set_bit(KEY_FLAG_INSTANTIATED, &key->flags); -+ mark_key_instantiated(key, error); -+ - now = current_kernel_time(); - key->expiry = now.tv_sec + timeout; - key_schedule_gc(key->expiry + key_gc_delay); -@@ -753,7 +765,7 @@ static inline key_ref_t __key_update(key_ref_t key_ref, - ret = key->type->update(key, prep); - if (ret == 0) - /* updating a negative key instantiates it */ -- clear_bit(KEY_FLAG_NEGATIVE, &key->flags); -+ mark_key_instantiated(key, 0); - - up_write(&key->sem); - -@@ -987,7 +999,7 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) - ret = key->type->update(key, &prep); - if (ret == 0) - /* updating a negative key instantiates it */ -- clear_bit(KEY_FLAG_NEGATIVE, &key->flags); -+ mark_key_instantiated(key, 0); - - up_write(&key->sem); - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index 365ff85d7e27..19a09e121089 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -1223,6 +1223,9 @@ long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, - error == ERESTART_RESTARTBLOCK) - return -EINVAL; - -+ BUILD_BUG_ON(MAX_ERRNO > (KEY_FLAGS_REJECT_ERROR_MASK >> -+ KEY_FLAGS_REJECT_ERROR_SHIFT)); -+ - /* the appropriate instantiation authorisation key must have been - * assumed before calling this */ - ret = -EPERM; -diff --git a/security/keys/keyring.c b/security/keys/keyring.c -index 129a4175760b..e54ad0ed7aa4 100644 ---- a/security/keys/keyring.c -+++ b/security/keys/keyring.c -@@ -598,8 +598,8 @@ static int keyring_search_iterator(const void *object, void *iterator_data) - if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { - /* we set a different error code if we pass a negative key */ - if (kflags & (1 << KEY_FLAG_NEGATIVE)) { -- smp_rmb(); -- ctx->result = ERR_PTR(key->reject_error); -+ ctx->result = ERR_PTR(-(int)(kflags >> -+ KEY_FLAGS_REJECT_ERROR_SHIFT)); - kleave(" = %d [neg]", ctx->skipped_ret); - goto skipped; - } -diff --git a/security/keys/request_key.c b/security/keys/request_key.c -index 63e63a42db3c..0aab68344837 100644 ---- a/security/keys/request_key.c -+++ b/security/keys/request_key.c -@@ -590,15 +590,18 @@ struct key *request_key_and_link(struct key_type *type, - int wait_for_key_construction(struct key *key, bool intr) - { - int ret; -+ unsigned long flags; - - ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT, - intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); - if (ret) - return -ERESTARTSYS; -- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { -- smp_rmb(); -- return key->reject_error; -- } -+ -+ /* Pairs with RELEASE in mark_key_instantiated() */ -+ flags = smp_load_acquire(&key->flags); -+ if (flags & (1 << KEY_FLAG_NEGATIVE)) -+ return -(int)(flags >> KEY_FLAGS_REJECT_ERROR_SHIFT); -+ - return key_validate(key); - } - EXPORT_SYMBOL(wait_for_key_construction); --- -2.13.6 - diff --git a/efi-lockdown.patch b/efi-lockdown.patch index a45be8771..2f47274cc 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -1,17 +1,8 @@ -From patchwork Thu Oct 19 14:50:40 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [01/27] Add the ability to lock down access to the running kernel - image +From ae255bb7a54aa44ae4ac1b7a38617f976bdb07db Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017331 -Message-Id: <150842463996.7923.6815305873334959305.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:50:40 +0100 +Date: Wed, 24 May 2017 14:56:00 +0100 +Subject: [PATCH] Add the ability to lock down access to the running kernel + image Provide a single call to allow kernel code to determine whether the system should be locked down, thereby disallowing various accesses that might @@ -21,12 +12,11 @@ MSR registers and disallowing hibernation, Signed-off-by: David Howells --- - - include/linux/kernel.h | 17 +++++++++++++ - include/linux/security.h | 8 ++++++ - security/Kconfig | 8 ++++++ - security/Makefile | 3 ++ - security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/kernel.h | 17 ++++++++++++++ + include/linux/security.h | 8 +++++++ + security/Kconfig | 8 +++++++ + security/Makefile | 3 +++ + security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 96 insertions(+) create mode 100644 security/lock_down.c @@ -37,7 +27,7 @@ index 0ad4c3044cf9..362da2e4bf53 100644 @@ -287,6 +287,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) { } #endif - + +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern bool __kernel_is_locked_down(const char *what, bool first); +#else @@ -59,23 +49,23 @@ index 0ad4c3044cf9..362da2e4bf53 100644 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h -index ce6265960d6c..f9a894b42d4c 100644 +index ce6265960d6c..310775476b68 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1753,5 +1753,13 @@ static inline void free_secdata(void *secdata) { } #endif /* CONFIG_SECURITY */ - + +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern void __init init_lockdown(void); +#else -+static inline void __init init_lockdown(void); ++static inline void __init init_lockdown(void) +{ +} +#endif + #endif /* ! __LINUX_SECURITY_H */ - + diff --git a/security/Kconfig b/security/Kconfig index e8e449444e65..8e01fd59ae7e 100644 --- a/security/Kconfig @@ -83,7 +73,7 @@ index e8e449444e65..8e01fd59ae7e 100644 @@ -205,6 +205,14 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). - + +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help @@ -172,22 +162,13 @@ index 000000000000..d8595c0e6673 + return kernel_locked_down; +} +EXPORT_SYMBOL(__kernel_is_locked_down); +-- +2.13.5 -From patchwork Thu Oct 19 14:50:47 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [02/27] Add a SysRq option to lift kernel lockdown -From: David Howells -X-Patchwork-Id: 10017333 -Message-Id: <150842464774.7923.7951986297563109339.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:50:47 +0100 - +From 0712c10c74f2a24592f0c54595c2f19ee847b209 Mon Sep 17 00:00:00 2001 From: Kyle McMartin +Date: Wed, 18 Oct 2017 14:02:25 +0100 +Subject: [PATCH 01/25] Add a SysRq option to lift kernel lockdown Make an option to provide a sysrq key that will lift the kernel lockdown, thereby allowing the running kernel image to be accessed and modified. @@ -199,16 +180,15 @@ Signed-off-by: Kyle McMartin Signed-off-by: David Howells cc: x86@kernel.org --- - - arch/x86/include/asm/setup.h | 2 ++ - drivers/input/misc/uinput.c | 1 + - drivers/tty/sysrq.c | 19 +++++++++++------ - include/linux/input.h | 5 ++++ - include/linux/sysrq.h | 8 ++++++- - kernel/debug/kdb/kdb_main.c | 2 +- - security/Kconfig | 15 +++++++++++++ - security/lock_down.c | 48 ++++++++++++++++++++++++++++++++++++++++++ - 8 files changed, 92 insertions(+), 8 deletions(-) + arch/x86/include/asm/setup.h | 2 ++ + drivers/input/misc/uinput.c | 1 + + drivers/tty/sysrq.c | 19 ++++++++++++------ + include/linux/input.h | 5 +++++ + include/linux/sysrq.h | 8 +++++++- + kernel/debug/kdb/kdb_main.c | 2 +- + security/Kconfig | 8 ++++++++ + security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 84 insertions(+), 8 deletions(-) diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h index a65cf544686a..863f77582c09 100644 @@ -217,11 +197,11 @@ index a65cf544686a..863f77582c09 100644 @@ -8,6 +8,8 @@ #include #include - + +#define LOCKDOWN_LIFT_KEY 'x' + #ifdef __i386__ - + #include diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 443151de90c6..45a1f5460805 100644 @@ -230,11 +210,11 @@ index 443151de90c6..45a1f5460805 100644 @@ -408,6 +408,7 @@ static int uinput_allocate_device(struct uinput_device *udev) if (!udev->dev) return -ENOMEM; - + + udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; udev->dev->event = uinput_dev_event; input_set_drvdata(udev->dev, udev); - + diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c index 3ffc1ce29023..8b766dbad6dd 100644 --- a/drivers/tty/sysrq.c @@ -250,14 +230,14 @@ index 3ffc1ce29023..8b766dbad6dd 100644 @@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } - + -void __handle_sysrq(int key, bool check_mask) +void __handle_sysrq(int key, unsigned int from) { struct sysrq_key_op *op_p; int orig_log_level; @@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask) - + op_p = __sysrq_get_key_op(key); if (op_p) { + /* Ban synthetic events from some sysrq functionality */ @@ -281,18 +261,18 @@ index 3ffc1ce29023..8b766dbad6dd 100644 + __handle_sysrq(key, SYSRQ_FROM_KERNEL); } EXPORT_SYMBOL(handle_sysrq); - + @@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) - __handle_sysrq(sysrq_xlate[KEY_B], false); + __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); - + if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, @@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, - + default: if (sysrq->active && value && value != 2) { + int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? @@ -304,13 +284,13 @@ index 3ffc1ce29023..8b766dbad6dd 100644 break; } @@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, - + if (get_user(c, buf)) return -EFAULT; - __handle_sysrq(c, false); + __handle_sysrq(c, SYSRQ_FROM_PROC); } - + return count; diff --git a/include/linux/input.h b/include/linux/input.h index fb5e23c7ed98..9d2b45a21ade 100644 @@ -327,16 +307,16 @@ index fb5e23c7ed98..9d2b45a21ade 100644 @@ -124,6 +125,8 @@ struct input_dev { const char *uniq; struct input_id id; - + + unsigned int flags; + unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; - + unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; @@ -190,6 +193,8 @@ struct input_dev { }; #define to_input_dev(d) container_of(d, struct input_dev, dev) - + +#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 + /* @@ -349,7 +329,7 @@ index 387fa7d05c98..f7c52a9ea394 100644 @@ -28,6 +28,8 @@ #define SYSRQ_ENABLE_BOOT 0x0080 #define SYSRQ_ENABLE_RTNICE 0x0100 - + +#define SYSRQ_DISABLE_USERSPACE 0x00010000 + struct sysrq_key_op { @@ -358,7 +338,7 @@ index 387fa7d05c98..f7c52a9ea394 100644 @@ -42,8 +44,12 @@ struct sysrq_key_op { * are available -- else NULL's). */ - + +#define SYSRQ_FROM_KERNEL 0x0001 +#define SYSRQ_FROM_PROC 0x0002 +#define SYSRQ_FROM_SYNTHETIC 0x0004 @@ -375,31 +355,24 @@ index c8146d53ca67..b480cadf9272 100644 +++ b/kernel/debug/kdb/kdb_main.c @@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv) return KDB_ARGCOUNT; - + kdb_trap_printk++; - __handle_sysrq(*argv[1], check_mask); + __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); kdb_trap_printk--; - + return 0; diff --git a/security/Kconfig b/security/Kconfig -index 8e01fd59ae7e..4be6be71e075 100644 +index 8e01fd59ae7e..453cc89c198a 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -213,6 +213,21 @@ config LOCK_DOWN_KERNEL +@@ -213,6 +213,14 @@ config LOCK_DOWN_KERNEL turns off various features that might otherwise allow access to the kernel image (eg. setting MSR registers). - -+config ALLOW_LOCKDOWN_LIFT -+ bool -+ help -+ Allow the lockdown on a kernel to be lifted, thereby restoring the -+ ability of userspace to access the kernel image (eg. by SysRq+x under -+ x86). -+ + +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + bool "Allow the kernel lockdown to be lifted by SysRq" -+ depends on MAGIC_SYSRQ ++ depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ + help + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key + combination on a wired keyboard. @@ -409,45 +382,44 @@ index 8e01fd59ae7e..4be6be71e075 100644 source security/smack/Kconfig source security/tomoyo/Kconfig diff --git a/security/lock_down.c b/security/lock_down.c -index d8595c0e6673..f71118c340d2 100644 +index d8595c0e6673..2c6b00f0c229 100644 --- a/security/lock_down.c +++ b/security/lock_down.c -@@ -11,8 +11,13 @@ - +@@ -11,8 +11,14 @@ + #include #include +#include - -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT ++#include + ++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ +static __read_mostly bool kernel_locked_down; +#else static __ro_after_init bool kernel_locked_down; +#endif - + /* * Put the kernel into lock-down mode. -@@ -58,3 +63,46 @@ bool __kernel_is_locked_down(const char *what, bool first) +@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first) return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down); + ++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ++ +/* + * Take the kernel out of lockdown mode. + */ -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT +static void lift_kernel_lockdown(void) +{ + pr_notice("Lifting lockdown\n"); + kernel_locked_down = false; +} -+#endif + +/* + * Allow lockdown to be lifted by pressing something like SysRq+x (and not by + * echoing the appropriate letter into the sysrq-trigger file). + */ -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY -+ +static void sysrq_handle_lockdown_lift(int key) +{ + if (kernel_locked_down) @@ -472,29 +444,22 @@ index d8595c0e6673..f71118c340d2 100644 + +late_initcall(lockdown_lift_sysrq); + -+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY */ ++#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ +-- +2.13.5 -From patchwork Thu Oct 19 14:50:55 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [03/27] Enforce module signatures if the kernel is locked down +From a77c5e9c49ac6458581e607a033e1e6a3928b21c Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017335 -Message-Id: <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:50:55 +0100 +Date: Wed, 24 May 2017 14:56:01 +0100 +Subject: [PATCH 02/25] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify. Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" --- - - kernel/module.c | 3 ++- + kernel/module.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c @@ -503,30 +468,22 @@ index de66ec825992..3d9a3270c179 100644 +++ b/kernel/module.c @@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags) } - + /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !sig_enforce) + if (err == -ENOKEY && !sig_enforce && + !kernel_is_locked_down("Loading of unsigned modules")) err = 0; - - return err; -From patchwork Thu Oct 19 14:51:02 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017337 -Message-Id: <150842466261.7923.14359746674406637357.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:02 +0100 + return err; +-- +2.13.5 +From 8ed6fd87e9e639955c0b9d864ea42dc7611670ca Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:02 +0100 +Subject: [PATCH 03/25] Restrict /dev/mem and /dev/kmem when the kernel is + locked down Allowing users to write to address space makes it possible for the kernel to be subverted, avoiding module loading restrictions. Prevent this when the @@ -534,9 +491,9 @@ kernel has been locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" --- - - drivers/char/mem.c | 6 ++++++ + drivers/char/mem.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c @@ -546,39 +503,30 @@ index 593a8818aca9..b7c36898b689 100644 @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, if (p != *ppos) return -EFBIG; - + + if (kernel_is_locked_down("/dev/mem")) + return -EPERM; + if (!valid_phys_addr_range(p, count)) return -EFAULT; - + @@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; - + + if (kernel_is_locked_down("/dev/kmem")) + return -EPERM; + if (p < (unsigned long) high_memory) { unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); +-- +2.13.5 -From patchwork Thu Oct 19 14:51:09 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [05/27] kexec: Disable at runtime if the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017339 -Message-Id: <150842466996.7923.17995994984545441369.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:09 +0100 - +From befd1007b58e66dbcf7367f6ccc3d992c7262d3a Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:02 +0100 +Subject: [PATCH 04/25] kexec: Disable at runtime if the kernel is locked down kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable @@ -590,10 +538,10 @@ image to be booted. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Dave Young +Reviewed-by: "Lee, Chun-Yi" cc: kexec@lists.infradead.org --- - - kernel/kexec.c | 7 +++++++ + kernel/kexec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c @@ -602,7 +550,7 @@ index e62ec4dc6620..7dadfed9b676 100644 +++ b/kernel/kexec.c @@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; - + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case @@ -614,22 +562,14 @@ index e62ec4dc6620..7dadfed9b676 100644 * Verify we have a legal set of flags * This leaves us room for future extensions. */ +-- +2.13.5 -From patchwork Thu Oct 19 14:51:20 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [06/27] Copy secure_boot flag in boot params across kexec reboot -From: David Howells -X-Patchwork-Id: 10017341 -Message-Id: <150842468009.7923.5512653689857540199.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:20 +0100 - +From 845d8a124c5be487f29ab05cc69a45119a715184 Mon Sep 17 00:00:00 2001 From: Dave Young +Date: Wed, 24 May 2017 14:56:02 +0100 +Subject: [PATCH 05/25] Copy secure_boot flag in boot params across kexec + reboot Kexec reboot in case secure boot being enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy @@ -644,10 +584,10 @@ stub. Fixing this issue by copying secure_boot flag across kexec reboot. Signed-off-by: Dave Young Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: kexec@lists.infradead.org --- - - arch/x86/kernel/kexec-bzimage64.c | 1 + + arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c @@ -657,27 +597,19 @@ index fb095ba0c02f..7d0fac5bcbbe 100644 @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; - + + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; +-- +2.13.5 -From patchwork Thu Oct 19 14:51:27 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [07/27] kexec_file: Disable at runtime if securelevel has been set -From: David Howells -X-Patchwork-Id: 10017343 -Message-Id: <150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:27 +0100 - +From d61c8a5a7719d363ef4213f1d1d99d1bde87f78b Mon Sep 17 00:00:00 2001 From: Chun-Yi Lee +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 06/25] kexec_file: Disable at runtime if securelevel has been + set When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image through kexec_file systemcall if securelevel has been set. @@ -690,8 +622,7 @@ Signed-off-by: Chun-Yi Lee Signed-off-by: David Howells cc: kexec@lists.infradead.org --- - - kernel/kexec_file.c | 7 +++++++ + kernel/kexec_file.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c @@ -701,7 +632,7 @@ index 9f48f4412297..ff6523f2dcc2 100644 @@ -255,6 +255,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) return -EPERM; - + + /* Don't permit images to be loaded into trusted kernels if we're not + * going to verify the signature on them + */ @@ -712,22 +643,13 @@ index 9f48f4412297..ff6523f2dcc2 100644 /* Make sure we have a legal set of flags */ if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL; +-- +2.13.5 -From patchwork Thu Oct 19 14:51:34 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [08/27] hibernate: Disable when the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017345 -Message-Id: <150842469486.7923.10376463083069013490.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:34 +0100 - +From 18eab166de1f6e89ca75e6d6056cdbb10cce9b1a Mon Sep 17 00:00:00 2001 From: Josh Boyer +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 07/25] hibernate: Disable when the kernel is locked down There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -736,10 +658,10 @@ kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: linux-pm@vger.kernel.org --- - - kernel/power/hibernate.c | 2 +- + kernel/power/hibernate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c @@ -747,30 +669,21 @@ index a5c36e9c56a6..f2eafefeec50 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - + bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } - - /** -From patchwork Thu Oct 19 14:51:42 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [09/27] uswsusp: Disable when the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017347 -Message-Id: <150842470227.7923.15293760935442172683.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:42 +0100 + /** +-- +2.13.5 +From 0faef5cb3afb04f0c33ffcc923d86e49353b36da Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 08/25] uswsusp: Disable when the kernel is locked down uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel @@ -778,10 +691,10 @@ is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: linux-pm@vger.kernel.org --- - - kernel/power/user.c | 3 +++ + kernel/power/user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c @@ -791,29 +704,21 @@ index 22df9f7ff672..678ade9decfe 100644 @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; - + + if (kernel_is_locked_down("/dev/snapshot")) + return -EPERM; + lock_system_sleep(); - - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -From patchwork Thu Oct 19 14:51:49 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [10/27] PCI: Lock down BAR access when the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017349 -Message-Id: <150842470945.7923.134066103094708461.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:49 +0100 + if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { +-- +2.13.5 +From 2aa540f7f43590b14e01327c631bbe42ba3e8baf Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 09/25] PCI: Lock down BAR access when the kernel is locked + down Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, @@ -824,12 +729,12 @@ sufficiently IOMMU-isolated devices. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Bjorn Helgaas +Reviewed-by: "Lee, Chun-Yi" cc: linux-pci@vger.kernel.org --- - - drivers/pci/pci-sysfs.c | 9 +++++++++ - drivers/pci/proc.c | 9 ++++++++- - drivers/pci/syscall.c | 3 ++- + drivers/pci/pci-sysfs.c | 9 +++++++++ + drivers/pci/proc.c | 9 ++++++++- + drivers/pci/syscall.c | 3 ++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c @@ -839,7 +744,7 @@ index 1eecfa301f7f..e1a3b0e765c2 100644 @@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + @@ -849,13 +754,13 @@ index 1eecfa301f7f..e1a3b0e765c2 100644 @@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; - + @@ -1255,6 +1261,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) @@ -865,7 +770,7 @@ index 1eecfa301f7f..e1a3b0e765c2 100644 + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } - + diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 098360d7ff81..a6c53d855daa 100644 --- a/drivers/pci/proc.c @@ -873,7 +778,7 @@ index 098360d7ff81..a6c53d855daa 100644 @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + @@ -883,7 +788,7 @@ index 098360d7ff81..a6c53d855daa 100644 @@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; - + + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + @@ -893,12 +798,12 @@ index 098360d7ff81..a6c53d855daa 100644 @@ -236,7 +242,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - + - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; - + if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index 9bf993e1f71e..afa01cc3ceec 100644 @@ -907,29 +812,21 @@ index 9bf993e1f71e..afa01cc3ceec 100644 @@ -92,7 +92,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - + - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; - - dev = pci_get_bus_and_slot(bus, dfn); -From patchwork Thu Oct 19 14:51:56 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [11/27] x86: Lock down IO port access when the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017351 -Message-Id: <150842471673.7923.7676307847318724274.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:51:56 +0100 + dev = pci_get_bus_and_slot(bus, dfn); +-- +2.13.5 +From 9dd0a9e68cf8e066e101a4fabd1ec62f6c22de2f Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 10/25] x86: Lock down IO port access when the kernel is locked + down IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO @@ -942,11 +839,11 @@ KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Thomas Gleixner +Reviewed-by: "Lee, Chun-Yi" cc: x86@kernel.org --- - - arch/x86/kernel/ioport.c | 6 ++++-- - drivers/char/mem.c | 2 ++ + arch/x86/kernel/ioport.c | 6 ++++-- + drivers/char/mem.c | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c @@ -954,14 +851,14 @@ index 9c3cf0944bce..2c0f058651c5 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -30,7 +30,8 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; - + /* @@ -120,7 +121,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; @@ -978,30 +875,22 @@ index b7c36898b689..0875b3d47773 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) - + static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("Direct ioport access")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } - -From patchwork Thu Oct 19 14:52:04 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [12/27] x86/msr: Restrict MSR access when the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017353 -Message-Id: <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:04 +0100 +-- +2.13.5 +From ecec11fa386fc7c8f6865b4721eaa46360b89622 Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 11/25] x86/msr: Restrict MSR access when the kernel is locked + down Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a @@ -1011,10 +900,10 @@ Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner +Reviewed-by: "Lee, Chun-Yi" cc: x86@kernel.org --- - - arch/x86/kernel/msr.c | 7 +++++++ + arch/x86/kernel/msr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c @@ -1024,13 +913,13 @@ index ef688804f80d..a05a97863286 100644 @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; - + + if (kernel_is_locked_down("Direct MSR access")) + return -EPERM; + if (count % 8) return -EINVAL; /* Invalid chunk size */ - + @@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EBADF; break; @@ -1042,23 +931,14 @@ index ef688804f80d..a05a97863286 100644 if (copy_from_user(®s, uregs, sizeof regs)) { err = -EFAULT; break; +-- +2.13.5 -From patchwork Thu Oct 19 14:52:11 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [13/27] asus-wmi: Restrict debugfs interface when the kernel is - locked down -From: David Howells -X-Patchwork-Id: 10017355 -Message-Id: <150842473184.7923.9538070958624850416.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:11 +0100 - +From 09e16301455c0a8a4ee405ad531c231b70610b5b Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 12/25] asus-wmi: Restrict debugfs interface when the kernel is + locked down We have no way of validating what all of the Asus WMI methods do on a given machine - and there's a risk that some will allow hardware state to be @@ -1068,11 +948,11 @@ kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org --- - - drivers/platform/x86/asus-wmi.c | 9 +++++++++ + drivers/platform/x86/asus-wmi.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c @@ -1082,50 +962,41 @@ index 48e1541dc8d4..ef5587469337 100644 @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data) int err; u32 retval = -1; - + + if (kernel_is_locked_down("Asus WMI")) + return -EPERM; + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); - + if (err < 0) @@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data) int err; u32 retval = -1; - + + if (kernel_is_locked_down("Asus WMI")) + return -EPERM; + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, &retval); - + @@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data) union acpi_object *obj; acpi_status status; - + + if (kernel_is_locked_down("Asus WMI")) + return -EPERM; + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, 0, asus->debug.method_id, &input, &output); +-- +2.13.5 -From patchwork Thu Oct 19 14:52:19 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [14/27] ACPI: Limit access to custom_method when the kernel is locked - down -From: David Howells -X-Patchwork-Id: 10017357 -Message-Id: <150842473899.7923.6590815561953001126.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:19 +0100 - +From 2f2199e407b1e0b3254a61236cd3e6a6efff170a Mon Sep 17 00:00:00 2001 From: Matthew Garrett +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 13/25] ACPI: Limit access to custom_method when the kernel is + locked down custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -1133,10 +1004,10 @@ Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: linux-acpi@vger.kernel.org --- - - drivers/acpi/custom_method.c | 3 +++ + drivers/acpi/custom_method.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c @@ -1146,30 +1017,21 @@ index c68e72414a67..b33fba70ec51 100644 @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; - + + if (kernel_is_locked_down("ACPI custom methods")) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) +-- +2.13.5 -From patchwork Thu Oct 19 14:52:27 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been - locked down -From: David Howells -X-Patchwork-Id: 10017359 -Message-Id: <150842474713.7923.4851355698276917280.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:27 +0100 - +From a71db99ed6004cdc5fa9d91cc964712103a606a0 Mon Sep 17 00:00:00 2001 From: Josh Boyer +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [PATCH 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has + been locked down This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware . Reject @@ -1177,11 +1039,11 @@ the option when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: Dave Young cc: linux-acpi@vger.kernel.org --- - - drivers/acpi/osl.c | 2 +- + drivers/acpi/osl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c @@ -1190,31 +1052,23 @@ index db78d353bab1..36c6527c1b0a 100644 +++ b/drivers/acpi/osl.c @@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address pa = 0; - + #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) return acpi_rsdp; #endif - -From patchwork Thu Oct 19 14:52:34 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [16/27] acpi: Disable ACPI table override if the kernel is locked down -From: David Howells -X-Patchwork-Id: 10017361 -Message-Id: <150842475442.7923.12198790224494561644.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:34 +0100 +-- +2.13.5 +From 23cf57806ecd304a5f25e50f3292b0dfeb5a33b1 Mon Sep 17 00:00:00 2001 From: Linn Crosetto +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [PATCH 15/25] acpi: Disable ACPI table override if the kernel is + locked down ->From the kernel documentation (initrd_table_override.txt): +From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an @@ -1226,10 +1080,10 @@ so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: linux-acpi@vger.kernel.org --- - - drivers/acpi/tables.c | 5 +++++ + drivers/acpi/tables.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c @@ -1239,7 +1093,7 @@ index 80ce2a7d224b..5cc13c42daf9 100644 @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; - + + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; @@ -1248,23 +1102,14 @@ index 80ce2a7d224b..5cc13c42daf9 100644 acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); +-- +2.13.5 -From patchwork Thu Oct 19 14:52:41 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [17/27] acpi: Disable APEI error injection if the kernel is locked - down -From: David Howells -X-Patchwork-Id: 10017363 -Message-Id: <150842476188.7923.14340260837257633120.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:41 +0100 - +From a0d24f5ce005a299a2d8ff31350fe9415648c732 Mon Sep 17 00:00:00 2001 From: Linn Crosetto +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [PATCH 16/25] acpi: Disable APEI error injection if the kernel is + locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing the ACPI Platform Error Interface (APEI) and other RAS features. If @@ -1283,10 +1128,10 @@ the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells +Reviewed-by: "Lee, Chun-Yi" cc: linux-acpi@vger.kernel.org --- - - drivers/acpi/apei/einj.c | 3 +++ + drivers/acpi/apei/einj.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c @@ -1296,95 +1141,20 @@ index b38737c83a24..6d71e1e97b20 100644 @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, int rc; u64 base_addr, size; - + + if (kernel_is_locked_down("ACPI error injection")) + return -EPERM; + /* If user manually set "flags", make sure it is legal */ if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) +-- +2.13.5 -From patchwork Thu Oct 19 14:52:49 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [18/27] bpf: Restrict kernel image access functions when the kernel - is locked down -From: David Howells -X-Patchwork-Id: 10017365 -Message-Id: <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:49 +0100 - -From: Chun-Yi Lee - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program. Prohibit those functions when the kernel is -locked down. - -Signed-off-by: Chun-Yi Lee -Signed-off-by: David Howells -cc: netdev@vger.kernel.org ---- - - kernel/trace/bpf_trace.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c -index dc498b605d5d..35e85a3fdb37 100644 ---- a/kernel/trace/bpf_trace.c -+++ b/kernel/trace/bpf_trace.c -@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) - { - int ret; - -+ if (kernel_is_locked_down("BPF")) { -+ memset(dst, 0, size); -+ return -EPERM; -+ } -+ - ret = probe_kernel_read(dst, unsafe_ptr, size); - if (unlikely(ret < 0)) - memset(dst, 0, size); -@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = { - BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, - u32, size) - { -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - /* - * Ensure we're in user context which is safe for the helper to - * run. This helper has no business in a kthread. -@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, - if (fmt[--fmt_size] != 0) - return -EINVAL; - -+ if (kernel_is_locked_down("BPF")) -+ return __trace_printk(1, fmt, 0, 0, 0); -+ - /* check format string for allowed specifiers */ - for (i = 0; i < fmt_size; i++) { - if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) - -From patchwork Thu Oct 19 14:52:57 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [19/27] scsi: Lock down the eata driver +From bfb5183f23fa4369b1c0897bb0afcb73540a7de2 Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017367 -Message-Id: <150842477698.7923.15570916285929038112.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:52:57 +0100 +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 17/25] scsi: Lock down the eata driver When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this @@ -1403,8 +1173,7 @@ cc: "James E.J. Bottomley" cc: "Martin K. Petersen" cc: linux-scsi@vger.kernel.org --- - - drivers/scsi/eata.c | 5 ++++- + drivers/scsi/eata.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c @@ -1412,32 +1181,26 @@ index 6501c330d8c8..72fceaa8f3da 100644 --- a/drivers/scsi/eata.c +++ b/drivers/scsi/eata.c @@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt) - + tpnt->proc_name = "eata2x"; - + - if (strlen(boot_options)) + if (strlen(boot_options)) { + if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) + return -EPERM; option_setup(boot_options); + } - + #if defined(MODULE) /* io_port could have been modified when loading as a module */ +-- +2.13.5 -From patchwork Thu Oct 19 14:53:04 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [20/27] Prohibit PCMCIA CIS storage when the kernel is locked down +From 0f263953a98b222cc942e1cbba977fc1a351272f Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017369 -Message-Id: <150842478444.7923.5111743275510836636.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:04 +0100 +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 18/25] Prohibit PCMCIA CIS storage when the kernel is locked + down Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. @@ -1446,8 +1209,7 @@ Suggested-by: Dominik Brodowski Signed-off-by: David Howells cc: linux-pcmcia@lists.infradead.org --- - - drivers/pcmcia/cistpl.c | 3 +++ + drivers/pcmcia/cistpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c @@ -1457,27 +1219,20 @@ index 55ef7d1fd8da..b7a0e42eeb25 100644 @@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, struct pcmcia_socket *s; int error; - + + if (kernel_is_locked_down("Direct PCMCIA CIS storage")) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); - + if (off) +-- +2.13.5 -From patchwork Thu Oct 19 14:53:12 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [21/27] Lock down TIOCSSERIAL +From 17c75715372a9d913b7396c1f5c1db9627988cb7 Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017371 -Message-Id: <150842479208.7923.3429065489239605709.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:12 +0100 +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 19/25] Lock down TIOCSSERIAL Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial @@ -1488,8 +1243,7 @@ Reported-by: Greg Kroah-Hartman Signed-off-by: David Howells cc: Jiri Slaby --- - - drivers/tty/serial/serial_core.c | 6 ++++++ + drivers/tty/serial/serial_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c @@ -1499,7 +1253,7 @@ index 3a14cccbd7ff..41f0922ad842 100644 @@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; - + + if ((change_port || change_irq) && + kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { + retval = -EPERM; @@ -1509,21 +1263,14 @@ index 3a14cccbd7ff..41f0922ad842 100644 if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || +-- +2.13.5 -From patchwork Thu Oct 19 14:53:19 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [22/27] Lock down module params that specify hardware parameters (eg. - ioport) +From f2b94788dc56591fb3b422187de511bfc7039468 Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017373 -Message-Id: <150842479932.7923.8106830872069353117.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:19 +0100 +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 20/25] Lock down module params that specify hardware + parameters (eg. ioport) Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed @@ -1532,8 +1279,7 @@ dma buffers and other types). Suggested-by: Alan Cox Signed-off-by: David Howells --- - - kernel/params.c | 26 +++++++++++++++++++++----- + kernel/params.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/kernel/params.c b/kernel/params.c @@ -1543,7 +1289,7 @@ index 60b2d8101355..422979adb60a 100644 @@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) return parameqn(a, b, strlen(a)+1); } - + -static void param_check_unsafe(const struct kernel_param *kp) +static bool param_check_unsafe(const struct kernel_param *kp, + const char *doing) @@ -1559,7 +1305,7 @@ index 60b2d8101355..422979adb60a 100644 + return false; + return true; } - + static int parse_one(char *param, @@ -144,8 +150,10 @@ static int parse_one(char *param, pr_debug("handling %s with %p\n", param, @@ -1577,7 +1323,7 @@ index 60b2d8101355..422979adb60a 100644 @@ -556,6 +564,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, return count; } - + +#ifdef CONFIG_MODULES +#define mod_name(mod) (mod)->name +#else @@ -1589,7 +1335,7 @@ index 60b2d8101355..422979adb60a 100644 struct module_kobject *mk, @@ -568,8 +582,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, return -EPERM; - + kernel_param_lock(mk->mod); - param_check_unsafe(attribute->param); - err = attribute->param->ops->set(buf, attribute->param); @@ -1600,20 +1346,13 @@ index 60b2d8101355..422979adb60a 100644 kernel_param_unlock(mk->mod); if (!err) return len; +-- +2.13.5 -From patchwork Thu Oct 19 14:53:26 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [23/27] x86/mmiotrace: Lock down the testmmiotrace module +From a07442e78c95f0169e18198cd5be997aa6db6b7d Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017375 -Message-Id: <150842480649.7923.13997201431299349211.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:26 +0100 +Date: Wed, 24 May 2017 14:56:07 +0100 +Subject: [PATCH 21/25] x86/mmiotrace: Lock down the testmmiotrace module The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space. @@ -1626,8 +1365,7 @@ cc: Ingo Molnar cc: "H. Peter Anvin" cc: x86@kernel.org --- - - arch/x86/mm/testmmiotrace.c | 3 +++ + arch/x86/mm/testmmiotrace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c @@ -1637,28 +1375,21 @@ index f6ae6830b341..bbaad357f5d7 100644 @@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); - + + if (kernel_is_locked_down("MMIO trace testing")) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); +-- +2.13.5 -From patchwork Thu Oct 19 14:53:33 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [24/27] debugfs: Disallow use of debugfs files when the kernel is - locked down +From 1f3edea46a5e15484369bbda67bcee1b91c269a0 Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017379 -Message-Id: <150842481363.7923.13021827051686067882.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:33 +0100 +Date: Wed, 18 Oct 2017 17:28:02 +0100 +Subject: [PATCH 22/25] debugfs: Disallow use of debugfs files when the kernel + is locked down Disallow opening of debugfs files when the kernel is locked down as various drivers give raw access to hardware through debugfs. @@ -1679,8 +1410,7 @@ cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner --- - - fs/debugfs/file.c | 6 ++++++ + fs/debugfs/file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c @@ -1690,7 +1420,7 @@ index 6dabc4a10396..32b5168a7e91 100644 @@ -103,6 +103,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp) const struct file_operations *real_fops = NULL; int srcu_idx, r; - + + if (kernel_is_locked_down("debugfs")) + return -EPERM; + @@ -1700,35 +1430,27 @@ index 6dabc4a10396..32b5168a7e91 100644 @@ -232,6 +235,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp) struct file_operations *proxy_fops = NULL; int srcu_idx, r; - + + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_use_file_start(dentry, &srcu_idx); if (r) { r = -ENOENT; +-- +2.13.5 -From patchwork Thu Oct 19 14:53:42 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [25/27] Lock down /proc/kcore +From e54bd739a12f56ca39cf106bae995f59c5e40447 Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017381 -Message-Id: <150842482228.7923.9630520914833154257.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:42 +0100 +Date: Thu, 19 Oct 2017 13:58:19 +0100 +Subject: [PATCH 23/25] Lock down /proc/kcore Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. Signed-off-by: David Howells --- - - fs/proc/kcore.c | 2 ++ + fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c @@ -1736,28 +1458,22 @@ index 45629f4b5402..176cf749e650 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -549,6 +549,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) - + static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore")) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; - -From patchwork Thu Oct 19 14:53:51 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode +-- +2.13.5 + +From 8294fa5b470e1736f0f54f97154d83883522e09a Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017383 -Message-Id: <150842483172.7923.2791223614506312745.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:51 +0100 +Date: Thu, 19 Oct 2017 14:18:53 +0100 +Subject: [PATCH 24/25] efi: Add an EFI_SECURE_BOOT flag to indicate secure + boot mode UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT flag that can be passed to efi_enabled() to find out whether secure boot is @@ -1771,11 +1487,10 @@ Signed-off-by: David Howells Reviewed-by: Ard Biesheuvel cc: linux-efi@vger.kernel.org --- - - arch/x86/kernel/setup.c | 14 +------------- - drivers/firmware/efi/Makefile | 1 + - drivers/firmware/efi/secureboot.c | 37 +++++++++++++++++++++++++++++++++++++ - include/linux/efi.h | 16 ++++++++++------ + arch/x86/kernel/setup.c | 14 +------------- + drivers/firmware/efi/Makefile | 1 + + drivers/firmware/efi/secureboot.c | 37 +++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 16 ++++++++++------ 4 files changed, 49 insertions(+), 19 deletions(-) create mode 100644 drivers/firmware/efi/secureboot.c @@ -1786,7 +1501,7 @@ index 0957dd73d127..7c2162f9e769 100644 @@ -1197,19 +1197,7 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); - + - if (efi_enabled(EFI_BOOT)) { - switch (boot_params.secure_boot) { - case efi_secureboot_mode_disabled: @@ -1801,9 +1516,9 @@ index 0957dd73d127..7c2162f9e769 100644 - } - } + efi_set_secure_boot(boot_params.secure_boot); - + reserve_initrd(); - + diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile index 0329d319d89a..883f9f7eefc6 100644 --- a/drivers/firmware/efi/Makefile @@ -1814,7 +1529,7 @@ index 0329d319d89a..883f9f7eefc6 100644 obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o +obj-$(CONFIG_EFI) += secureboot.o obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o - + arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c new file mode 100644 @@ -1875,12 +1590,12 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644 + efi_secureboot_mode_disabled, + efi_secureboot_mode_enabled, +}; - + #ifdef CONFIG_EFI /* @@ -1115,6 +1123,7 @@ static inline bool efi_enabled(int feature) extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); - + extern bool efi_is_table_address(unsigned long phys_addr); +extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); #else @@ -1892,12 +1607,12 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644 } +static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} #endif - + extern int efi_status_to_err(efi_status_t status); @@ -1518,12 +1528,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, bool efi_runtime_disabled(void); extern void efi_call_virt_check_flags(unsigned long flags, const char *call); - + -enum efi_secureboot_mode { - efi_secureboot_mode_unset, - efi_secureboot_mode_unknown, @@ -1905,22 +1620,15 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644 - efi_secureboot_mode_enabled, -}; enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table); - + #ifdef CONFIG_RESET_ATTACK_MITIGATION +-- +2.13.5 -From patchwork Thu Oct 19 14:53:59 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [27/27] efi: Lock down the kernel if booted in secure boot mode +From 49f2160cce8c14a53eb09f052064921a93eb9fb5 Mon Sep 17 00:00:00 2001 From: David Howells -X-Patchwork-Id: 10017385 -Message-Id: <150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk> -To: linux-security-module@vger.kernel.org -Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, - matthew.garrett@nebula.com, gregkh@linuxfoundation.org, - linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com -Date: Thu, 19 Oct 2017 15:53:59 +0100 +Date: Thu, 19 Oct 2017 14:05:02 +0100 +Subject: [PATCH 25/25] efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -1932,10 +1640,9 @@ Signed-off-by: David Howells Acked-by: Ard Biesheuvel cc: linux-efi@vger.kernel.org --- - - arch/x86/kernel/setup.c | 6 ++++-- - security/Kconfig | 14 ++++++++++++++ - security/lock_down.c | 1 + + arch/x86/kernel/setup.c | 6 ++++-- + security/Kconfig | 14 ++++++++++++++ + security/lock_down.c | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c @@ -1947,13 +1654,13 @@ index 7c2162f9e769..4e38327efb2e 100644 #include #include +#include - + #include #include @@ -1039,6 +1040,9 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); - + + efi_set_secure_boot(boot_params.secure_boot); + init_lockdown(); + @@ -1963,20 +1670,20 @@ index 7c2162f9e769..4e38327efb2e 100644 @@ -1197,8 +1201,6 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); - + - efi_set_secure_boot(boot_params.secure_boot); - reserve_initrd(); - + acpi_table_upgrade(); diff --git a/security/Kconfig b/security/Kconfig -index 4be6be71e075..e1756039dc0a 100644 +index 453cc89c198a..974731ac4f85 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -227,6 +227,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ +@@ -220,6 +220,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key combination on a wired keyboard. - + +config LOCK_DOWN_IN_EFI_SECURE_BOOT + bool "Lock down the kernel in EFI Secure Boot mode" + default n @@ -1991,11 +1698,11 @@ index 4be6be71e075..e1756039dc0a 100644 + Enabling this option turns on results in kernel lockdown being + triggered if EFI Secure Boot is set. + - + source security/selinux/Kconfig source security/smack/Kconfig diff --git a/security/lock_down.c b/security/lock_down.c -index f71118c340d2..12c3bc204c4e 100644 +index 2c6b00f0c229..527f7e51dc8d 100644 --- a/security/lock_down.c +++ b/security/lock_down.c @@ -12,6 +12,7 @@ @@ -2003,6 +1710,9 @@ index f71118c340d2..12c3bc204c4e 100644 #include #include +#include - - #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT - static __read_mostly bool kernel_locked_down; + #include + + #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ +-- +2.13.5 + diff --git a/gitrev b/gitrev index 147737f92..fbf66c048 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -73d3393ada4f70fa3df5639c8d438f2f034c0ecb +9a27ded2195aaec2041ed2525ba7f373c60920c7 diff --git a/kernel.spec b/kernel.spec index 22b4a11c1..1d0031721 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 5 # The git snapshot level -%define gitrev 3 +%define gitrev 4 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -639,7 +639,6 @@ Patch502: CVE-2017-7477.patch # rhbz 1498016 1498017 Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch -Patch504: KEYS-fix-race-between-updating-and-finding-negative-.patch # 600 - Patches for improved Bay and Cherry Trail device support # Below patches are submitted upstream, awaiting review / merging @@ -2213,6 +2212,9 @@ fi # # %changelog +* Fri Oct 20 2017 Justin M. Forbes - 4.14.0-0.rc5.git4.1 +- Linux v4.14-rc5-94-g9a27ded2195a + * Thu Oct 19 2017 Justin M. Forbes - 4.14.0-0.rc5.git3.1 - Linux v4.14-rc5-31-g73d3393ada4f diff --git a/sources b/sources index d22fc1619..cc3f2ceda 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03 SHA512 (patch-4.14-rc5.xz) = 1b09fa9e2fae3b6ac172b2f130a84c9a1ea7c6ea89e0b799013814216dd0c5ba7eeae5b0abcd7dad289fd695abc5663b5fdd92cb7993729c52c08c538b73ace2 -SHA512 (patch-4.14-rc5-git3.xz) = 89722c66100c36aaa1fba4b4181cf06b4582852429e701bbd5fbedaa5760fb04efa3b9a12f45672cbbfe089f80c4783caf943dedbe70e40a53400461cff52b63 +SHA512 (patch-4.14-rc5-git4.xz) = d8d992d3e244c27318807dcf1079f47f4de7db3f5fd695fc1006f78e0120eba3813aadaba4ff9ccbd5c4d5a63c763381eef1db8502b33ec3815fbbb8660c45b8 -- cgit