hitmoon / rpms / kernel

Forked from rpms/kernel 4 years ago
Clone
e336be
From 73958cc1f78cfc69f3b1ec26a3406b3c45f6d202 Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Mon, 9 Apr 2018 09:52:45 +0100
e336be
Subject: [PATCH 01/24] Add the ability to lock down access to the running
e336be
 kernel image
e336be
e336be
Provide a single call to allow kernel code to determine whether the system
e336be
should be locked down, thereby disallowing various accesses that might
e336be
allow the running kernel image to be changed, including:
e336be
e336be
 - /dev/mem and similar
e336be
 - Loading of unauthorised modules
e336be
 - Fiddling with MSR registers
e336be
 - Suspend to disk managed by the kernel
e336be
 - Use of device DMA
e336be
e336be
Two kernel configuration options are provided:
e336be
e336be
 (*) CONFIG_LOCK_DOWN_KERNEL
e336be
e336be
     This makes lockdown available and applies it to all the points that
e336be
     need to be locked down if the mode is set.  Lockdown mode can be
e336be
     enabled by providing:
e336be
e336be
	lockdown=1
e336be
e336be
     on the command line.
e336be
e336be
 (*) CONFIG_LOCK_DOWN_MANDATORY
e336be
e336be
     This forces lockdown on at compile time, overriding the command line
e336be
     option.
e336be
e336be
init_lockdown() is used as a hook from which lockdown can be managed in
e336be
future.  It has to be called from arch setup code before things like ACPI
e336be
are enabled.
e336be
e336be
Note that, with the other changes in this series, if lockdown mode is
e336be
enabled, the kernel will not be able to use certain drivers as the ability
e336be
to manually configure hardware parameters would then be prohibited.  This
e336be
primarily applies to ISA hardware devices.
e336be
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
---
e336be
 arch/x86/kernel/setup.c |  2 ++
e336be
 include/linux/kernel.h  | 32 ++++++++++++++++++++++++
e336be
 security/Kconfig        | 23 ++++++++++++++++-
e336be
 security/Makefile       |  3 +++
e336be
 security/lock_down.c    | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
e336be
 5 files changed, 124 insertions(+), 1 deletion(-)
e336be
 create mode 100644 security/lock_down.c
e336be
e336be
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
e336be
index 6285697b6e56..566f0f447053 100644
e336be
--- a/arch/x86/kernel/setup.c
e336be
+++ b/arch/x86/kernel/setup.c
e336be
@@ -996,6 +996,8 @@ void __init setup_arch(char **cmdline_p)
e336be
 	if (efi_enabled(EFI_BOOT))
e336be
 		efi_init();
e336be
e336be
+	init_lockdown();
e336be
+
e336be
 	dmi_scan_machine();
e336be
 	dmi_memdev_walk();
e336be
 	dmi_set_dump_stack_arch_desc();
e336be
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
e336be
index 4ae1dfd9bf05..7d085cca9cee 100644
e336be
--- a/include/linux/kernel.h
e336be
+++ b/include/linux/kernel.h
e336be
@@ -306,6 +306,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
e336be
 { }
e336be
 #endif
e336be
e336be
+#ifdef CONFIG_LOCK_DOWN_KERNEL
e336be
+extern void __init init_lockdown(void);
e336be
+extern bool __kernel_is_locked_down(const char *what, bool first);
e336be
+
e336be
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
e336be
+#define kernel_is_locked_down(what)					\
e336be
+	({								\
e336be
+		static bool message_given;				\
e336be
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
e336be
+		message_given = true;					\
e336be
+		locked_down;						\
e336be
+	})
e336be
+#else
e336be
+#define kernel_is_locked_down(what)					\
e336be
+	({								\
e336be
+		static bool message_given;				\
e336be
+		__kernel_is_locked_down(what, !message_given);		\
e336be
+		message_given = true;					\
e336be
+		true;							\
e336be
+	})
e336be
+#endif
e336be
+#else
e336be
+static inline void __init init_lockdown(void)
e336be
+{
e336be
+}
e336be
+static inline bool __kernel_is_locked_down(const char *what, bool first)
e336be
+{
e336be
+	return false;
e336be
+}
e336be
+#define kernel_is_locked_down(what) ({ false; })
e336be
+#endif
e336be
+
e336be
 /* Internal, do not use. */
e336be
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
e336be
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
e336be
diff --git a/security/Kconfig b/security/Kconfig
e336be
index c4302067a3ad..a68e5bdebad5 100644
e336be
--- a/security/Kconfig
e336be
+++ b/security/Kconfig
e336be
@@ -231,6 +231,28 @@ config STATIC_USERMODEHELPER_PATH
e336be
 	  If you wish for all usermode helper programs to be disabled,
e336be
 	  specify an empty string here (i.e. "").
e336be
e336be
+config LOCK_DOWN_KERNEL
e336be
+	bool "Allow the kernel to be 'locked down'"
e336be
+	help
e336be
+	  Allow the kernel to be locked down.  Locking down the kernel turns
e336be
+	  off various features that might otherwise allow access to the kernel
e336be
+	  image (eg. setting MSR registers).
e336be
+
e336be
+	  Note, however, that locking down your kernel will prevent some
e336be
+	  drivers from functioning because allowing manual configuration of
e336be
+	  hardware parameters is forbidden, lest a device be used to access the
e336be
+	  kernel by DMA.  This mostly applies to ISA devices.
e336be
+
e336be
+	  The kernel lockdown can be triggered by adding lockdown=1 to the
e336be
+	  kernel command line.
e336be
+
e336be
+config LOCK_DOWN_MANDATORY
e336be
+	bool "Make kernel lockdown mandatory"
e336be
+	depends on LOCK_DOWN_KERNEL
e336be
+	help
e336be
+	  Makes the lockdown non-negotiable.  It is always on and cannot be
e336be
+	  disabled.
e336be
+
e336be
 source security/selinux/Kconfig
e336be
 source security/smack/Kconfig
e336be
 source security/tomoyo/Kconfig
e336be
@@ -278,4 +300,3 @@ config DEFAULT_SECURITY
e336be
 	default "" if DEFAULT_SECURITY_DAC
e336be
e336be
 endmenu
e336be
-
e336be
diff --git a/security/Makefile b/security/Makefile
e336be
index 4d2d3782ddef..507ac8c520ce 100644
e336be
--- a/security/Makefile
e336be
+++ b/security/Makefile
e336be
@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
e336be
 # Object integrity file lists
e336be
 subdir-$(CONFIG_INTEGRITY)		+= integrity
e336be
 obj-$(CONFIG_INTEGRITY)			+= integrity/
e336be
+
e336be
+# Allow the kernel to be locked down
e336be
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
e336be
diff --git a/security/lock_down.c b/security/lock_down.c
e336be
new file mode 100644
e336be
index 000000000000..f35ffdd096ad
e336be
--- /dev/null
e336be
+++ b/security/lock_down.c
e336be
@@ -0,0 +1,65 @@
e336be
+/* Lock down the kernel
e336be
+ *
e336be
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
e336be
+ * Written by David Howells (dhowells@redhat.com)
e336be
+ *
e336be
+ * This program is free software; you can redistribute it and/or
e336be
+ * modify it under the terms of the GNU General Public Licence
e336be
+ * as published by the Free Software Foundation; either version
e336be
+ * 2 of the Licence, or (at your option) any later version.
e336be
+ */
e336be
+
e336be
+#include <linux/export.h>
e336be
+#include <linux/sched.h>
e336be
+
e336be
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
e336be
+static __ro_after_init bool kernel_locked_down;
e336be
+#else
e336be
+#define kernel_locked_down true
e336be
+#endif
e336be
+
e336be
+/*
e336be
+ * Put the kernel into lock-down mode.
e336be
+ */
e336be
+static void __init lock_kernel_down(const char *where)
e336be
+{
e336be
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
e336be
+	if (!kernel_locked_down) {
e336be
+		kernel_locked_down = true;
e336be
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
e336be
+			  where);
e336be
+	}
e336be
+#endif
e336be
+}
e336be
+
e336be
+static int __init lockdown_param(char *ignored)
e336be
+{
e336be
+	lock_kernel_down("command line");
e336be
+	return 0;
e336be
+}
e336be
+
e336be
+early_param("lockdown", lockdown_param);
e336be
+
e336be
+/*
e336be
+ * Lock the kernel down from very early in the arch setup.  This must happen
e336be
+ * prior to things like ACPI being initialised.
e336be
+ */
e336be
+void __init init_lockdown(void)
e336be
+{
e336be
+#ifdef CONFIG_LOCK_DOWN_MANDATORY
e336be
+	pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
e336be
+#endif
e336be
+}
e336be
+
e336be
+/**
e336be
+ * kernel_is_locked_down - Find out if the kernel is locked down
e336be
+ * @what: Tag to use in notice generated if lockdown is in effect
e336be
+ */
e336be
+bool __kernel_is_locked_down(const char *what, bool first)
e336be
+{
e336be
+	if (what && first && kernel_locked_down)
e336be
+		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
e336be
+			  current->comm, what);
e336be
+	return kernel_locked_down;
e336be
+}
e336be
+EXPORT_SYMBOL(__kernel_is_locked_down);
e336be
-- 
e336be
2.14.3
e336be
e336be
From 13dada34d9aa56ac4ee5438c7ebefde2d30d5542 Mon Sep 17 00:00:00 2001
e336be
From: Kyle McMartin <kyle@redhat.com>
e336be
Date: Mon, 9 Apr 2018 09:52:45 +0100
e336be
Subject: [PATCH 02/24] Add a SysRq option to lift kernel lockdown
e336be
e336be
Make an option to provide a sysrq key that will lift the kernel lockdown,
e336be
thereby allowing the running kernel image to be accessed and modified.
e336be
e336be
On x86 this is triggered with SysRq+x, but this key may not be available on
e336be
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
e336be
Since this macro must be defined in an arch to be able to use this facility
e336be
for that arch, the Kconfig option is restricted to arches that support it.
e336be
e336be
Signed-off-by: Kyle McMartin <kyle@redhat.com>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
cc: x86@kernel.org
e336be
---
e336be
 arch/x86/include/asm/setup.h |  2 ++
e336be
 drivers/input/misc/uinput.c  |  1 +
e336be
 drivers/tty/sysrq.c          | 19 ++++++++++++------
e336be
 include/linux/input.h        |  5 +++++
e336be
 include/linux/sysrq.h        |  8 +++++++-
e336be
 kernel/debug/kdb/kdb_main.c  |  2 +-
e336be
 security/Kconfig             | 11 +++++++++++
e336be
 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++
e336be
 8 files changed, 87 insertions(+), 8 deletions(-)
e336be
e336be
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
e336be
index ae13bc974416..3108e297d87d 100644
e336be
--- a/arch/x86/include/asm/setup.h
e336be
+++ b/arch/x86/include/asm/setup.h
e336be
@@ -9,6 +9,8 @@
e336be
 #include <linux/linkage.h>
e336be
 #include <asm/page_types.h>
e336be
e336be
+#define LOCKDOWN_LIFT_KEY 'x'
e336be
+
e336be
 #ifdef __i386__
e336be
e336be
 #include <linux/pfn.h>
e336be
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
e336be
index 96a887f33698..027c730631cc 100644
e336be
--- a/drivers/input/misc/uinput.c
e336be
+++ b/drivers/input/misc/uinput.c
e336be
@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev)
e336be
 		dev->flush = uinput_dev_flush;
e336be
 	}
e336be
e336be
+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
e336be
 	dev->event = uinput_dev_event;
e336be
e336be
 	input_set_drvdata(udev->dev, udev);
e336be
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
e336be
index 6364890575ec..ffeb3aa86cd1 100644
e336be
--- a/drivers/tty/sysrq.c
e336be
+++ b/drivers/tty/sysrq.c
e336be
@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
e336be
 	/* x: May be registered on mips for TLB dump */
e336be
 	/* x: May be registered on ppc/powerpc for xmon */
e336be
 	/* x: May be registered on sparc64 for global PMU dump */
e336be
+	/* x: May be registered on x86_64 for disabling secure boot */
e336be
 	NULL,				/* x */
e336be
 	/* y: May be registered on sparc64 for global register dump */
e336be
 	NULL,				/* y */
e336be
@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
e336be
                 sysrq_key_table[i] = op_p;
e336be
 }
e336be
e336be
-void __handle_sysrq(int key, bool check_mask)
e336be
+void __handle_sysrq(int key, unsigned int from)
e336be
 {
e336be
 	struct sysrq_key_op *op_p;
e336be
 	int orig_log_level;
e336be
@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask)
e336be
e336be
         op_p = __sysrq_get_key_op(key);
e336be
         if (op_p) {
e336be
+		/* Ban synthetic events from some sysrq functionality */
e336be
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
e336be
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
e336be
+			printk("This sysrq operation is disabled from userspace.\n");
e336be
 		/*
e336be
 		 * Should we check for enabled operations (/proc/sysrq-trigger
e336be
 		 * should not) and is the invoked operation enabled?
e336be
 		 */
e336be
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
e336be
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
Pablo Greco aac169
 			pr_info("%s\n", op_p->action_msg);
e336be
 			console_loglevel = orig_log_level;
e336be
 			op_p->handler(key);
e336be
@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask)
e336be
 void handle_sysrq(int key)
e336be
 {
e336be
 	if (sysrq_on())
e336be
-		__handle_sysrq(key, true);
e336be
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
e336be
 }
e336be
 EXPORT_SYMBOL(handle_sysrq);
e336be
e336be
@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t)
e336be
 static void sysrq_handle_reset_request(struct sysrq_state *state)
e336be
 {
e336be
 	if (state->reset_requested)
e336be
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
e336be
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
e336be
e336be
 	if (sysrq_reset_downtime_ms)
e336be
 		mod_timer(&state->keyreset_timer,
e336be
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
e336be
e336be
 	default:
e336be
 		if (sysrq->active && value && value != 2) {
e336be
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
e336be
+					SYSRQ_FROM_SYNTHETIC : 0;
e336be
 			sysrq->need_reinject = false;
e336be
-			__handle_sysrq(sysrq_xlate[code], true);
e336be
+			__handle_sysrq(sysrq_xlate[code], from);
e336be
 		}
e336be
 		break;
e336be
 	}
e336be
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
e336be
e336be
 		if (get_user(c, buf))
e336be
 			return -EFAULT;
e336be
-		__handle_sysrq(c, false);
e336be
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
e336be
 	}
e336be
e336be
 	return count;
e336be
diff --git a/include/linux/input.h b/include/linux/input.h
e336be
index 7c7516eb7d76..38cd0ea72c37 100644
e336be
--- a/include/linux/input.h
e336be
+++ b/include/linux/input.h
e336be
@@ -42,6 +42,7 @@ struct input_value {
e336be
  * @phys: physical path to the device in the system hierarchy
e336be
  * @uniq: unique identification code for the device (if device has it)
e336be
  * @id: id of the device (struct input_id)
e336be
+ * @flags: input device flags (SYNTHETIC, etc.)
e336be
  * @propbit: bitmap of device properties and quirks
e336be
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
e336be
  *	EV_REL, etc.)
e336be
@@ -124,6 +125,8 @@ struct input_dev {
e336be
 	const char *uniq;
e336be
 	struct input_id id;
e336be
e336be
+	unsigned int flags;
e336be
+
e336be
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
e336be
e336be
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
e336be
@@ -190,6 +193,8 @@ struct input_dev {
e336be
 };
e336be
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
e336be
e336be
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
e336be
+
e336be
 /*
e336be
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
e336be
  */
e336be
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
e336be
index 8c71874e8485..7de1f08b60a9 100644
e336be
--- a/include/linux/sysrq.h
e336be
+++ b/include/linux/sysrq.h
e336be
@@ -29,6 +29,8 @@
e336be
 #define SYSRQ_ENABLE_BOOT	0x0080
e336be
 #define SYSRQ_ENABLE_RTNICE	0x0100
e336be
e336be
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
e336be
+
e336be
 struct sysrq_key_op {
e336be
 	void (*handler)(int);
e336be
 	char *help_msg;
e336be
@@ -43,8 +45,12 @@ struct sysrq_key_op {
e336be
  * are available -- else NULL's).
e336be
  */
e336be
e336be
+#define SYSRQ_FROM_KERNEL	0x0001
e336be
+#define SYSRQ_FROM_PROC		0x0002
e336be
+#define SYSRQ_FROM_SYNTHETIC	0x0004
e336be
+
e336be
 void handle_sysrq(int key);
e336be
-void __handle_sysrq(int key, bool check_mask);
e336be
+void __handle_sysrq(int key, unsigned int from);
e336be
 int register_sysrq_key(int key, struct sysrq_key_op *op);
e336be
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
e336be
 struct sysrq_key_op *__sysrq_get_key_op(int key);
e336be
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
e336be
index dbb0781a0533..aae9a0f44058 100644
e336be
--- a/kernel/debug/kdb/kdb_main.c
e336be
+++ b/kernel/debug/kdb/kdb_main.c
e336be
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
e336be
 		return KDB_ARGCOUNT;
e336be
e336be
 	kdb_trap_printk++;
e336be
-	__handle_sysrq(*argv[1], check_mask);
e336be
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
e336be
 	kdb_trap_printk--;
e336be
e336be
 	return 0;
e336be
diff --git a/security/Kconfig b/security/Kconfig
e336be
index a68e5bdebad5..46967ee77dfd 100644
e336be
--- a/security/Kconfig
e336be
+++ b/security/Kconfig
e336be
@@ -253,6 +253,17 @@ config LOCK_DOWN_MANDATORY
e336be
 	  Makes the lockdown non-negotiable.  It is always on and cannot be
e336be
 	  disabled.
e336be
e336be
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
e336be
+	bool "Allow the kernel lockdown to be lifted by SysRq"
e336be
+	depends on LOCK_DOWN_KERNEL
e336be
+	depends on !LOCK_DOWN_MANDATORY
e336be
+	depends on MAGIC_SYSRQ
e336be
+	depends on X86
e336be
+	help
e336be
+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
e336be
+	  combination on a wired keyboard.  On x86, this is SysRq+x.
e336be
+
e336be
+
e336be
 source security/selinux/Kconfig
e336be
 source security/smack/Kconfig
e336be
 source security/tomoyo/Kconfig
e336be
diff --git a/security/lock_down.c b/security/lock_down.c
e336be
index f35ffdd096ad..2615669dbf03 100644
e336be
--- a/security/lock_down.c
e336be
+++ b/security/lock_down.c
e336be
@@ -11,9 +11,15 @@
e336be
e336be
 #include <linux/export.h>
e336be
 #include <linux/sched.h>
e336be
+#include <linux/sysrq.h>
e336be
+#include <asm/setup.h>
e336be
e336be
 #ifndef CONFIG_LOCK_DOWN_MANDATORY
e336be
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
e336be
+static __read_mostly bool kernel_locked_down;
e336be
+#else
e336be
 static __ro_after_init bool kernel_locked_down;
e336be
+#endif
e336be
 #else
e336be
 #define kernel_locked_down true
e336be
 #endif
e336be
@@ -63,3 +69,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
e336be
 	return kernel_locked_down;
e336be
 }
e336be
 EXPORT_SYMBOL(__kernel_is_locked_down);
e336be
+
e336be
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
e336be
+
e336be
+/*
e336be
+ * Take the kernel out of lockdown mode.
e336be
+ */
e336be
+static void lift_kernel_lockdown(void)
e336be
+{
e336be
+	pr_notice("Lifting lockdown\n");
e336be
+	kernel_locked_down = false;
e336be
+}
e336be
+
e336be
+/*
e336be
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
e336be
+ * echoing the appropriate letter into the sysrq-trigger file).
e336be
+ */
e336be
+static void sysrq_handle_lockdown_lift(int key)
e336be
+{
e336be
+	if (kernel_locked_down)
e336be
+		lift_kernel_lockdown();
e336be
+}
e336be
+
e336be
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
e336be
+	.handler	= sysrq_handle_lockdown_lift,
e336be
+	.help_msg	= "unSB(x)",
e336be
+	.action_msg	= "Disabling Secure Boot restrictions",
e336be
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
e336be
+};
e336be
+
e336be
+static int __init lockdown_lift_sysrq(void)
e336be
+{
e336be
+	if (kernel_locked_down) {
e336be
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
e336be
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
e336be
+	}
e336be
+	return 0;
e336be
+}
e336be
+
e336be
+late_initcall(lockdown_lift_sysrq);
e336be
+
e336be
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
e336be
-- 
e336be
2.14.3
e336be
e336be
From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
e336be
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
e336be
Date: Mon, 9 Apr 2018 09:52:45 +0100
e336be
Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
e336be
e336be
Require the "secure_boot" rules, whether or not it is specified
e336be
on the boot command line, for both the builtin and custom policies
e336be
in secure boot lockdown mode.
e336be
e336be
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
---
e336be
 security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------
e336be
 1 file changed, 27 insertions(+), 7 deletions(-)
e336be
e336be
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
e336be
index 8c9499867c91..f8428f579924 100644
e336be
--- a/security/integrity/ima/ima_policy.c
e336be
+++ b/security/integrity/ima/ima_policy.c
e336be
@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)
e336be
  */
e336be
 void __init ima_init_policy(void)
e336be
 {
e336be
-	int i, measure_entries, appraise_entries, secure_boot_entries;
e336be
+	int i;
e336be
+	int measure_entries = 0;
e336be
+	int appraise_entries = 0;
e336be
+	int secure_boot_entries = 0;
e336be
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
e336be
 
e336be
 	/* if !ima_policy set entries = 0 so we load NO default rules */
e336be
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
e336be
-	appraise_entries = ima_use_appraise_tcb ?
e336be
-			 ARRAY_SIZE(default_appraise_rules) : 0;
e336be
-	secure_boot_entries = ima_use_secure_boot ?
e336be
-			ARRAY_SIZE(secure_boot_rules) : 0;
e336be
+	if (ima_policy)
e336be
+		measure_entries = ARRAY_SIZE(dont_measure_rules);
e336be
+
e336be
+	if (ima_use_appraise_tcb)
e336be
+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
e336be
+
e336be
+	if (ima_use_secure_boot || kernel_locked_down)
e336be
+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
e336be
 
e336be
 	for (i = 0; i < measure_entries; i++)
e336be
 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
e336be
@@ -509,12 +516,25 @@ void __init ima_init_policy(void)
e336be
 
e336be
 	/*
e336be
 	 * Insert the builtin "secure_boot" policy rules requiring file
e336be
-	 * signatures, prior to any other appraise rules.
e336be
+	 * signatures, prior to any other appraise rules.  In secure boot
e336be
+	 * lock-down mode, also require these appraise rules for custom
e336be
+	 * policies.
e336be
 	 */
e336be
 	for (i = 0; i < secure_boot_entries; i++) {
e336be
+		struct ima_rule_entry *entry;
e336be
+
e336be
+		/* Include for builtin policies */
e336be
 		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
e336be
 		temp_ima_appraise |=
e336be
 		    ima_appraise_flag(secure_boot_rules[i].func);
e336be
+
e336be
+		/* Include for custom policies */
e336be
+		if (kernel_locked_down) {
e336be
+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
e336be
+					GFP_KERNEL);
e336be
+			if (entry)
e336be
+				list_add_tail(&entry->list, &ima_policy_rules);
e336be
+		}
e336be
 	}
e336be
 
e336be
 	/*
e336be
-- 
e336be
2.17.1
e336be
e336be
From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Mon, 9 Apr 2018 09:52:46 +0100
e336be
Subject: [PATCH] Enforce module signatures if the kernel is locked down
e336be
e336be
If the kernel is locked down, require that all modules have valid
e336be
signatures that we can verify or that IMA can validate the file.
e336be
e336be
I have adjusted the errors generated:
e336be
e336be
 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
e336be
     ENOKEY), then:
e336be
e336be
     (a) If signatures are enforced then EKEYREJECTED is returned.
e336be
e336be
     (b) If IMA will have validated the image, return 0 (okay).
e336be
e336be
     (c) If there's no signature or we can't check it, but the kernel is
e336be
	 locked down then EPERM is returned (this is then consistent with
e336be
	 other lockdown cases).
e336be
e336be
 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
e336be
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
e336be
     return the error we got.
e336be
e336be
Note that the X.509 code doesn't check for key expiry as the RTC might not
e336be
be valid or might not have been transferred to the kernel's clock yet.
e336be
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
e336be
cc: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: James Morris <james.l.morris@oracle.com>
e336be
---
e336be
 kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
e336be
 1 file changed, 43 insertions(+), 13 deletions(-)
e336be
e336be
diff --git a/kernel/module.c b/kernel/module.c
e336be
index b046a32520d8..3bb0722c106e 100644
e336be
--- a/kernel/module.c
e336be
+++ b/kernel/module.c
e336be
@@ -64,6 +64,7 @@
e336be
 #include <linux/bsearch.h>
e336be
 #include <linux/dynamic_debug.h>
e336be
 #include <linux/audit.h>
e336be
+#include <linux/ima.h>
e336be
 #include <uapi/linux/module.h>
e336be
 #include "module-internal.h"
e336be
 
e336be
@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,
e336be
 #endif
e336be
 
e336be
 #ifdef CONFIG_MODULE_SIG
e336be
-static int module_sig_check(struct load_info *info, int flags)
e336be
+static int module_sig_check(struct load_info *info, int flags,
e336be
+			    bool can_do_ima_check)
e336be
 {
e336be
-	int err = -ENOKEY;
e336be
+	int err = -ENODATA;
e336be
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
e336be
+	const char *reason;
e336be
 	const void *mod = info->hdr;
e336be
 
e336be
 	/*
e336be
@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)
e336be
 		err = mod_verify_sig(mod, info);
e336be
 	}
e336be
 
e336be
-	if (!err) {
e336be
+	switch (err) {
e336be
+	case 0:
e336be
 		info->sig_ok = true;
e336be
 		return 0;
e336be
-	}
e336be
 
e336be
-	/* Not having a signature is only an error if we're strict. */
e336be
-	if (err == -ENOKEY && !is_module_sig_enforced())
e336be
-		err = 0;
e336be
+		/* We don't permit modules to be loaded into trusted kernels
e336be
+		 * without a valid signature on them, but if we're not
e336be
+		 * enforcing, certain errors are non-fatal.
e336be
+		 */
e336be
+	case -ENODATA:
e336be
+		reason = "Loading of unsigned module";
e336be
+		goto decide;
e336be
+	case -ENOPKG:
e336be
+		reason = "Loading of module with unsupported crypto";
e336be
+		goto decide;
e336be
+	case -ENOKEY:
e336be
+		reason = "Loading of module with unavailable key";
e336be
+	decide:
e336be
+		if (sig_enforce) {
e336be
+			pr_notice("%s is rejected\n", reason);
e336be
+			return -EKEYREJECTED;
e336be
+		}
e336be
 
e336be
-	return err;
e336be
+		if (can_do_ima_check && is_ima_appraise_enabled())
e336be
+			return 0;
e336be
+		if (kernel_is_locked_down(reason))
e336be
+			return -EPERM;
e336be
+		return 0;
e336be
+
e336be
+		/* All other errors are fatal, including nomem, unparseable
e336be
+		 * signatures and signature check failures - even if signatures
e336be
+		 * aren't required.
e336be
+		 */
e336be
+	default:
e336be
+		return err;
e336be
+	}
e336be
 }
e336be
 #else /* !CONFIG_MODULE_SIG */
e336be
-static int module_sig_check(struct load_info *info, int flags)
e336be
+static int module_sig_check(struct load_info *info, int flags,
e336be
+			    bool can_do_ima_check)
e336be
 {
e336be
 	return 0;
e336be
 }
e336be
@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
e336be
 /* Allocate and load the module: note that size of section 0 is always
e336be
    zero, and we rely on this for optional sections. */
e336be
 static int load_module(struct load_info *info, const char __user *uargs,
e336be
-		       int flags)
e336be
+		       int flags, bool can_do_ima_check)
e336be
 {
e336be
 	struct module *mod;
e336be
 	long err = 0;
e336be
@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
e336be
 		goto free_copy;
e336be
 	}
e336be
 
e336be
-	err = module_sig_check(info, flags);
e336be
+	err = module_sig_check(info, flags, can_do_ima_check);
e336be
 	if (err)
e336be
 		goto free_copy;
e336be
 
e336be
@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
e336be
 	if (err)
e336be
 		return err;
e336be
 
e336be
-	return load_module(&info, uargs, 0);
e336be
+	return load_module(&info, uargs, 0, false);
e336be
 }
e336be
 
e336be
 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
e336be
@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
e336be
 	info.hdr = hdr;
e336be
 	info.len = size;
e336be
 
e336be
-	return load_module(&info, uargs, flags);
e336be
+	return load_module(&info, uargs, flags, true);
e336be
 }
e336be
 
e336be
 static inline int within(unsigned long addr, void *start, unsigned long size)
e336be
-- 
e336be
2.17.1
e336be
e336be
From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:46 +0100
e336be
Subject: [PATCH 05/24] Restrict /dev/{mem,kmem,port} when the kernel is locked
e336be
 down
e336be
e336be
Allowing users to read and write to core kernel memory makes it possible
e336be
for the kernel to be subverted, avoiding module loading restrictions, and
e336be
also to steal cryptographic information.
e336be
e336be
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
e336be
been locked down to prevent this.
e336be
e336be
Also disallow /dev/port from being opened to prevent raw ioport access and
e336be
thus DMA from being used to accomplish the same thing.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
---
e336be
 drivers/char/mem.c | 2 ++
e336be
 1 file changed, 2 insertions(+)
e336be
e336be
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
e336be
index ffeb60d3434c..b2fca26e5765 100644
e336be
--- a/drivers/char/mem.c
e336be
+++ b/drivers/char/mem.c
e336be
@@ -784,6 +784,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
e336be
e336be
 static int open_port(struct inode *inode, struct file *filp)
e336be
 {
e336be
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
e336be
+		return -EPERM;
e336be
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
e336be
 }
e336be
e336be
-- 
e336be
2.14.3
e336be
e336be
From a19b6b9637f114388cc7087176860eee962cac79 Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:46 +0100
e336be
Subject: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
e336be
 down
e336be
e336be
The kexec_load() syscall permits the loading and execution of arbitrary
e336be
code in ring 0, which is something that lock-down is meant to prevent. It
e336be
makes sense to disable kexec_load() in this situation.
e336be
e336be
This does not affect kexec_file_load() syscall which can check for a
e336be
signature on the image to be booted.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Acked-by: Dave Young <dyoung@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
Reviewed-by: James Morris <james.l.morris@oracle.com>
e336be
cc: kexec@lists.infradead.org
e336be
---
e336be
 kernel/kexec.c | 7 +++++++
e336be
 1 file changed, 7 insertions(+)
e336be
e336be
diff --git a/kernel/kexec.c b/kernel/kexec.c
e336be
index 68559808fdfa..041d505070e1 100644
e336be
--- a/kernel/kexec.c
e336be
+++ b/kernel/kexec.c
e336be
@@ -202,6 +202,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
e336be
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
e336be
 		return -EPERM;
e336be
 
e336be
+	/*
e336be
+	 * kexec can be used to circumvent module loading restrictions, so
e336be
+	 * prevent loading in that case
e336be
+	 */
e336be
+	if (kernel_is_locked_down("kexec of unsigned images"))
e336be
+		return -EPERM;
e336be
+
e336be
 	/* Permit LSMs and IMA to fail the kexec */
e336be
 	result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
e336be
 	if (result < 0)
e336be
-- 
e336be
2.17.1
e336be
e336be
From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001
e336be
From: Josh Boyer <jwboyer@fedoraproject.org>
e336be
Date: Mon, 9 Apr 2018 09:52:47 +0100
e336be
Subject: [PATCH 07/24] hibernate: Disable when the kernel is locked down
e336be
e336be
There is currently no way to verify the resume image when returning
e336be
from hibernate.  This might compromise the signed modules trust model,
e336be
so until we can work with signed hibernate images we disable it when the
e336be
kernel is locked down.
e336be
e336be
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: linux-pm@vger.kernel.org
e336be
---
e336be
 kernel/power/hibernate.c | 2 +-
e336be
 1 file changed, 1 insertion(+), 1 deletion(-)
e336be
e336be
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
e336be
index 5454cc639a8d..629f158f5a0c 100644
e336be
--- a/kernel/power/hibernate.c
e336be
+++ b/kernel/power/hibernate.c
e336be
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
e336be
e336be
 bool hibernation_available(void)
e336be
 {
e336be
-	return (nohibernate == 0);
e336be
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
e336be
 }
e336be
e336be
 /**
e336be
-- 
e336be
2.14.3
e336be
e336be
From 8732c1663d7c0305ae01ba5a1ee4d2299b7b4612 Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:47 +0100
e336be
Subject: [PATCH 08/24] uswsusp: Disable when the kernel is locked down
e336be
e336be
uswsusp allows a user process to dump and then restore kernel state, which
e336be
makes it possible to modify the running kernel.  Disable this if the kernel
e336be
is locked down.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
Reviewed-by: James Morris <james.l.morris@oracle.com>
e336be
cc: linux-pm@vger.kernel.org
e336be
---
e336be
 kernel/power/user.c | 3 +++
e336be
 1 file changed, 3 insertions(+)
e336be
e336be
diff --git a/kernel/power/user.c b/kernel/power/user.c
e336be
index 75c959de4b29..959b336d8eca 100644
e336be
--- a/kernel/power/user.c
e336be
+++ b/kernel/power/user.c
e336be
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
e336be
 	if (!hibernation_available())
e336be
 		return -EPERM;
e336be
e336be
+	if (kernel_is_locked_down("/dev/snapshot"))
e336be
+		return -EPERM;
e336be
+
e336be
 	lock_system_sleep();
e336be
e336be
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
e336be
-- 
e336be
2.14.3
e336be
e336be
From 4f5f0aae410d1929872eec346954c85e3a85f4f3 Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:48 +0100
e336be
Subject: [PATCH 09/24] PCI: Lock down BAR access when the kernel is locked
e336be
 down
e336be
e336be
Any hardware that can potentially generate DMA has to be locked down in
e336be
order to avoid it being possible for an attacker to modify kernel code,
e336be
allowing them to circumvent disabled module loading or module signing.
e336be
Default to paranoid - in future we can potentially relax this for
e336be
sufficiently IOMMU-isolated devices.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: linux-pci@vger.kernel.org
e336be
---
e336be
 drivers/pci/pci-sysfs.c | 9 +++++++++
e336be
 drivers/pci/proc.c      | 9 ++++++++-
e336be
 drivers/pci/syscall.c   | 3 ++-
e336be
 3 files changed, 19 insertions(+), 2 deletions(-)
e336be
e336be
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
e336be
index 366d93af051d..1e149ec006a4 100644
e336be
--- a/drivers/pci/pci-sysfs.c
e336be
+++ b/drivers/pci/pci-sysfs.c
e336be
@@ -903,6 +903,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
e336be
 	loff_t init_off = off;
e336be
 	u8 *data = (u8 *) buf;
e336be
e336be
+	if (kernel_is_locked_down("Direct PCI access"))
e336be
+		return -EPERM;
e336be
+
e336be
 	if (off > dev->cfg_size)
e336be
 		return 0;
e336be
 	if (off + count > dev->cfg_size) {
e336be
@@ -1165,6 +1168,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
e336be
 	enum pci_mmap_state mmap_type;
e336be
 	struct resource *res = &pdev->resource[bar];
e336be
e336be
+	if (kernel_is_locked_down("Direct PCI access"))
e336be
+		return -EPERM;
e336be
+
e336be
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
e336be
 		return -EINVAL;
e336be
e336be
@@ -1240,6 +1246,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
e336be
 				     struct bin_attribute *attr, char *buf,
e336be
 				     loff_t off, size_t count)
e336be
 {
e336be
+	if (kernel_is_locked_down("Direct PCI access"))
e336be
+		return -EPERM;
e336be
+
e336be
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
e336be
 }
e336be
e336be
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
e336be
index 1ee8927a0635..469445a9019b 100644
e336be
--- a/drivers/pci/proc.c
e336be
+++ b/drivers/pci/proc.c
e336be
@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
e336be
 	int size = dev->cfg_size;
e336be
 	int cnt;
e336be
e336be
+	if (kernel_is_locked_down("Direct PCI access"))
e336be
+		return -EPERM;
e336be
+
e336be
 	if (pos >= size)
e336be
 		return 0;
e336be
 	if (nbytes >= size)
e336be
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
e336be
 #endif /* HAVE_PCI_MMAP */
e336be
 	int ret = 0;
e336be
e336be
+	if (kernel_is_locked_down("Direct PCI access"))
e336be
+		return -EPERM;
e336be
+
e336be
 	switch (cmd) {
e336be
 	case PCIIOC_CONTROLLER:
e336be
 		ret = pci_domain_nr(dev->bus);
e336be
@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
e336be
 	struct pci_filp_private *fpriv = file->private_data;
e336be
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
e336be
e336be
-	if (!capable(CAP_SYS_RAWIO))
e336be
+	if (!capable(CAP_SYS_RAWIO) ||
e336be
+	    kernel_is_locked_down("Direct PCI access"))
e336be
 		return -EPERM;
e336be
e336be
 	if (fpriv->mmap_state == pci_mmap_io) {
e336be
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
e336be
index d96626c614f5..b8a08d3166a1 100644
e336be
--- a/drivers/pci/syscall.c
e336be
+++ b/drivers/pci/syscall.c
e336be
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
e336be
 	u32 dword;
e336be
 	int err = 0;
e336be
e336be
-	if (!capable(CAP_SYS_ADMIN))
e336be
+	if (!capable(CAP_SYS_ADMIN) ||
e336be
+	    kernel_is_locked_down("Direct PCI access"))
e336be
 		return -EPERM;
e336be
e336be
 	dev = pci_get_domain_bus_and_slot(0, bus, dfn);
e336be
-- 
e336be
2.14.3
e336be
e336be
From 677537cdec42804f1936b57ffaa6181f633bc015 Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:48 +0100
e336be
Subject: [PATCH 10/24] x86: Lock down IO port access when the kernel is locked
e336be
 down
e336be
e336be
IO port access would permit users to gain access to PCI configuration
e336be
registers, which in turn (on a lot of hardware) give access to MMIO
e336be
register space. This would potentially permit root to trigger arbitrary
e336be
DMA, so lock it down by default.
e336be
e336be
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
e336be
KDDISABIO console ioctls.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: x86@kernel.org
e336be
---
e336be
 arch/x86/kernel/ioport.c | 6 ++++--
e336be
 1 file changed, 4 insertions(+), 2 deletions(-)
e336be
e336be
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
e336be
index 0fe1c8782208..abc702a6ae9c 100644
e336be
--- a/arch/x86/kernel/ioport.c
e336be
+++ b/arch/x86/kernel/ioport.c
e336be
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
e336be
e336be
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
e336be
 		return -EINVAL;
e336be
-	if (turn_on && !capable(CAP_SYS_RAWIO))
e336be
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
e336be
+			kernel_is_locked_down("ioperm")))
e336be
 		return -EPERM;
e336be
e336be
 	/*
e336be
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
e336be
 		return -EINVAL;
e336be
 	/* Trying to gain more privileges? */
e336be
 	if (level > old) {
e336be
-		if (!capable(CAP_SYS_RAWIO))
e336be
+		if (!capable(CAP_SYS_RAWIO) ||
e336be
+		    kernel_is_locked_down("iopl"))
e336be
 			return -EPERM;
e336be
 	}
e336be
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
e336be
-- 
e336be
2.14.3
e336be
e336be
From f005be07fababf8c698a556fe465871ad168c9d9 Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:48 +0100
e336be
Subject: [PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked
e336be
 down
e336be
e336be
Writing to MSRs should not be allowed if the kernel is locked down, since
e336be
it could lead to execution of arbitrary code in kernel mode.  Based on a
e336be
patch by Kees Cook.
e336be
e336be
MSR accesses are logged for the purposes of building up a whitelist as per
e336be
Alan Cox's suggestion.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Acked-by: Kees Cook <keescook@chromium.org>
e336be
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: x86@kernel.org
e336be
---
e336be
 arch/x86/kernel/msr.c | 10 ++++++++++
e336be
 1 file changed, 10 insertions(+)
e336be
e336be
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
e336be
index ef688804f80d..dfb61d358196 100644
e336be
--- a/arch/x86/kernel/msr.c
e336be
+++ b/arch/x86/kernel/msr.c
e336be
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
e336be
 	int err = 0;
e336be
 	ssize_t bytes = 0;
e336be
e336be
+	if (kernel_is_locked_down("Direct MSR access")) {
e336be
+		pr_info("Direct access to MSR %x\n", reg);
e336be
+		return -EPERM;
e336be
+	}
e336be
+
e336be
 	if (count % 8)
e336be
 		return -EINVAL;	/* Invalid chunk size */
e336be
e336be
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
e336be
 			err = -EFAULT;
e336be
 			break;
e336be
 		}
e336be
+		if (kernel_is_locked_down("Direct MSR access")) {
e336be
+			pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
e336be
+			err = -EPERM;
e336be
+			break;
e336be
+		}
e336be
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
e336be
 		if (err)
e336be
 			break;
e336be
-- 
e336be
2.14.3
e336be
e336be
From 0a48b7c936757dda851ab2d3ecde7f6a79de7a5b Mon Sep 17 00:00:00 2001
e336be
From: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Date: Mon, 9 Apr 2018 09:52:48 +0100
e336be
Subject: [PATCH 12/24] ACPI: Limit access to custom_method when the kernel is
e336be
 locked down
e336be
e336be
custom_method effectively allows arbitrary access to system memory, making
e336be
it possible for an attacker to circumvent restrictions on module loading.
e336be
Disable it if the kernel is locked down.
e336be
e336be
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: linux-acpi@vger.kernel.org
e336be
---
e336be
 drivers/acpi/custom_method.c | 3 +++
e336be
 1 file changed, 3 insertions(+)
e336be
e336be
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
e336be
index e967c1173ba3..a07fbe999eb6 100644
e336be
--- a/drivers/acpi/custom_method.c
e336be
+++ b/drivers/acpi/custom_method.c
e336be
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
e336be
 	struct acpi_table_header table;
e336be
 	acpi_status status;
e336be
e336be
+	if (kernel_is_locked_down("ACPI custom methods"))
e336be
+		return -EPERM;
e336be
+
e336be
 	if (!(*ppos)) {
e336be
 		/* parse the table header to get the table length */
e336be
 		if (count <= sizeof(struct acpi_table_header))
e336be
-- 
e336be
2.14.3
e336be
e336be
From 2ed74b084366d7dba7b4a611ba13d99b82c4e11e Mon Sep 17 00:00:00 2001
e336be
From: Josh Boyer <jwboyer@redhat.com>
e336be
Date: Mon, 9 Apr 2018 09:52:49 +0100
e336be
Subject: [PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
e336be
 been locked down
e336be
e336be
This option allows userspace to pass the RSDP address to the kernel, which
e336be
makes it possible for a user to modify the workings of hardware .  Reject
e336be
the option when the kernel is locked down.
e336be
e336be
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: Dave Young <dyoung@redhat.com>
e336be
cc: linux-acpi@vger.kernel.org
e336be
---
e336be
 drivers/acpi/osl.c | 2 +-
e336be
 1 file changed, 1 insertion(+), 1 deletion(-)
e336be
e336be
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
e336be
index 7ca41bf023c9..34e4ce7939f4 100644
e336be
--- a/drivers/acpi/osl.c
e336be
+++ b/drivers/acpi/osl.c
e336be
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
e336be
 	acpi_physical_address pa;
e336be
e336be
 #ifdef CONFIG_KEXEC
e336be
-	if (acpi_rsdp)
e336be
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
e336be
 		return acpi_rsdp;
e336be
 #endif
e336be
 	pa = acpi_arch_get_root_pointer();
e336be
-- 
e336be
2.14.3
e336be
e336be
From 7fb2ddf683c23cc4b227d7d75a5d039970ca910e Mon Sep 17 00:00:00 2001
e336be
From: Linn Crosetto <linn@hpe.com>
e336be
Date: Mon, 9 Apr 2018 09:52:49 +0100
e336be
Subject: [PATCH 14/24] acpi: Disable ACPI table override if the kernel is
e336be
 locked down
e336be
e336be
From the kernel documentation (initrd_table_override.txt):
e336be
e336be
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
e336be
  to override nearly any ACPI table provided by the BIOS with an
e336be
  instrumented, modified one.
e336be
e336be
When securelevel is set, the kernel should disallow any unauthenticated
e336be
changes to kernel space.  ACPI tables contain code invoked by the kernel,
e336be
so do not allow ACPI tables to be overridden if the kernel is locked down.
e336be
e336be
Signed-off-by: Linn Crosetto <linn@hpe.com>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: linux-acpi@vger.kernel.org
e336be
---
e336be
 drivers/acpi/tables.c | 5 +++++
e336be
 1 file changed, 5 insertions(+)
e336be
e336be
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
e336be
index 849c4fb19b03..6c5ee7e66842 100644
e336be
--- a/drivers/acpi/tables.c
e336be
+++ b/drivers/acpi/tables.c
e336be
@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void)
e336be
 	if (table_nr == 0)
e336be
 		return;
e336be
e336be
+	if (kernel_is_locked_down("ACPI table override")) {
e336be
+		pr_notice("kernel is locked down, ignoring table override\n");
e336be
+		return;
e336be
+	}
e336be
+
e336be
 	acpi_tables_addr =
e336be
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
e336be
 				       all_tables_size, PAGE_SIZE);
e336be
-- 
e336be
2.14.3
e336be
e336be
From d1ff6505c76cec9438217f2c284f024a1ac2ac59 Mon Sep 17 00:00:00 2001
e336be
From: Linn Crosetto <linn@hpe.com>
e336be
Date: Mon, 9 Apr 2018 09:52:50 +0100
e336be
Subject: [PATCH 15/24] acpi: Disable APEI error injection if the kernel is
e336be
 locked down
e336be
e336be
ACPI provides an error injection mechanism, EINJ, for debugging and testing
e336be
the ACPI Platform Error Interface (APEI) and other RAS features.  If
e336be
supported by the firmware, ACPI specification 5.0 and later provide for a
e336be
way to specify a physical memory address to which to inject the error.
e336be
e336be
Injecting errors through EINJ can produce errors which to the platform are
e336be
indistinguishable from real hardware errors.  This can have undesirable
e336be
side-effects, such as causing the platform to mark hardware as needing
e336be
replacement.
e336be
e336be
While it does not provide a method to load unauthenticated privileged code,
e336be
the effect of these errors may persist across reboots and affect trust in
e336be
the underlying hardware, so disable error injection through EINJ if
e336be
the kernel is locked down.
e336be
e336be
Signed-off-by: Linn Crosetto <linn@hpe.com>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
e336be
cc: linux-acpi@vger.kernel.org
e336be
---
e336be
 drivers/acpi/apei/einj.c | 3 +++
e336be
 1 file changed, 3 insertions(+)
e336be
e336be
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
e336be
index b38737c83a24..6d71e1e97b20 100644
e336be
--- a/drivers/acpi/apei/einj.c
e336be
+++ b/drivers/acpi/apei/einj.c
e336be
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
e336be
 	int rc;
e336be
 	u64 base_addr, size;
e336be
e336be
+	if (kernel_is_locked_down("ACPI error injection"))
e336be
+		return -EPERM;
e336be
+
e336be
 	/* If user manually set "flags", make sure it is legal */
e336be
 	if (flags && (flags &
e336be
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
e336be
-- 
e336be
2.14.3
e336be
e336be
From 3153be0328e3a752aacab95d503fbd460f517402 Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:37 +0100
e336be
Subject: [PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked
e336be
 down
e336be
e336be
Prohibit replacement of the PCMCIA Card Information Structure when the
e336be
kernel is locked down.
e336be
e336be
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
cc: linux-pcmcia@lists.infradead.org
e336be
---
e336be
 drivers/pcmcia/cistpl.c | 3 +++
e336be
 1 file changed, 3 insertions(+)
e336be
e336be
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
e336be
index 102646fedb56..e46c948d7246 100644
e336be
--- a/drivers/pcmcia/cistpl.c
e336be
+++ b/drivers/pcmcia/cistpl.c
e336be
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
e336be
 	struct pcmcia_socket *s;
e336be
 	int error;
e336be
e336be
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
e336be
+		return -EPERM;
e336be
+
e336be
 	s = to_socket(container_of(kobj, struct device, kobj));
e336be
e336be
 	if (off)
e336be
-- 
e336be
2.14.3
e336be
e336be
From 9fedc1427e8589edf2e16a481f8588711adba69a Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:37 +0100
e336be
Subject: [PATCH 17/24] Lock down TIOCSSERIAL
e336be
e336be
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
e336be
settings on a serial port.  This only appears to be an issue for the serial
e336be
drivers that use the core serial code.  All other drivers seem to either
e336be
ignore attempts to change port/irq or give an error.
e336be
e336be
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
cc: Jiri Slaby <jslaby@suse.com>
e336be
---
e336be
 drivers/tty/serial/serial_core.c | 6 ++++++
e336be
 1 file changed, 6 insertions(+)
e336be
e336be
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
e336be
index 0466f9f08a91..360f8e4416c4 100644
e336be
--- a/drivers/tty/serial/serial_core.c
e336be
+++ b/drivers/tty/serial/serial_core.c
e336be
@@ -829,6 +829,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
e336be
 	new_flags = (__force upf_t)new_info->flags;
e336be
 	old_custom_divisor = uport->custom_divisor;
e336be
e336be
+	if ((change_port || change_irq) &&
e336be
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
e336be
+		retval = -EPERM;
e336be
+		goto exit;
e336be
+	}
e336be
+
e336be
 	if (!capable(CAP_SYS_ADMIN)) {
e336be
 		retval = -EPERM;
e336be
 		if (change_irq || change_port ||
e336be
-- 
e336be
2.14.3
e336be
e336be
From f8fd52e2b077ce5a993807f8fc6e27a17cf4d19f Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:37 +0100
e336be
Subject: [PATCH 18/24] Lock down module params that specify hardware
e336be
 parameters (eg. ioport)
e336be
e336be
Provided an annotation for module parameters that specify hardware
e336be
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
e336be
dma buffers and other types).
e336be
e336be
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
---
e336be
 kernel/params.c | 26 +++++++++++++++++++++-----
e336be
 1 file changed, 21 insertions(+), 5 deletions(-)
e336be
e336be
diff --git a/kernel/params.c b/kernel/params.c
e336be
index cc9108c2a1fd..2c08c4aa376b 100644
e336be
--- a/kernel/params.c
e336be
+++ b/kernel/params.c
e336be
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
e336be
 	return parameqn(a, b, strlen(a)+1);
e336be
 }
e336be
e336be
-static void param_check_unsafe(const struct kernel_param *kp)
e336be
+static bool param_check_unsafe(const struct kernel_param *kp,
e336be
+			       const char *doing)
e336be
 {
e336be
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
e336be
 		pr_notice("Setting dangerous option %s - tainting kernel\n",
e336be
 			  kp->name);
e336be
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
e336be
 	}
e336be
+
e336be
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
e336be
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
e336be
+		return false;
e336be
+	return true;
e336be
 }
e336be
e336be
 static int parse_one(char *param,
e336be
@@ -144,8 +150,10 @@ static int parse_one(char *param,
e336be
 			pr_debug("handling %s with %p\n", param,
e336be
 				params[i].ops->set);
e336be
 			kernel_param_lock(params[i].mod);
e336be
-			param_check_unsafe(&params[i]);
e336be
-			err = params[i].ops->set(val, &params[i]);
e336be
+			if (param_check_unsafe(&params[i], doing))
e336be
+				err = params[i].ops->set(val, &params[i]);
e336be
+			else
e336be
+				err = -EPERM;
e336be
 			kernel_param_unlock(params[i].mod);
e336be
 			return err;
e336be
 		}
e336be
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
e336be
 	return count;
e336be
 }
e336be
e336be
+#ifdef CONFIG_MODULES
e336be
+#define mod_name(mod) (mod)->name
e336be
+#else
e336be
+#define mod_name(mod) "unknown"
e336be
+#endif
e336be
+
e336be
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
e336be
 static ssize_t param_attr_store(struct module_attribute *mattr,
e336be
 				struct module_kobject *mk,
e336be
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
e336be
 		return -EPERM;
e336be
e336be
 	kernel_param_lock(mk->mod);
e336be
-	param_check_unsafe(attribute->param);
e336be
-	err = attribute->param->ops->set(buf, attribute->param);
e336be
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
e336be
+		err = attribute->param->ops->set(buf, attribute->param);
e336be
+	else
e336be
+		err = -EPERM;
e336be
 	kernel_param_unlock(mk->mod);
e336be
 	if (!err)
e336be
 		return len;
e336be
-- 
e336be
2.14.3
e336be
e336be
From 9c88e2ab392f5ac9c80529e43175fe65d00cdb67 Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:38 +0100
e336be
Subject: [PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module
e336be
e336be
The testmmiotrace module shouldn't be permitted when the kernel is locked
e336be
down as it can be used to arbitrarily read and write MMIO space.
e336be
e336be
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
e336be
Signed-off-by: David Howells 
e336be
cc: Thomas Gleixner <tglx@linutronix.de>
e336be
cc: Steven Rostedt <rostedt@goodmis.org>
e336be
cc: Ingo Molnar <mingo@kernel.org>
e336be
cc: "H. Peter Anvin" <hpa@zytor.com>
e336be
cc: x86@kernel.org
e336be
---
e336be
 arch/x86/mm/testmmiotrace.c | 3 +++
e336be
 1 file changed, 3 insertions(+)
e336be
e336be
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
e336be
index f6ae6830b341..bbaad357f5d7 100644
e336be
--- a/arch/x86/mm/testmmiotrace.c
e336be
+++ b/arch/x86/mm/testmmiotrace.c
e336be
@@ -115,6 +115,9 @@ static int __init init(void)
e336be
 {
e336be
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
e336be
e336be
+	if (kernel_is_locked_down("MMIO trace testing"))
e336be
+		return -EPERM;
e336be
+
e336be
 	if (mmio_address == 0) {
e336be
 		pr_err("you have to use the module argument mmio_address.\n");
e336be
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
e336be
-- 
e336be
2.14.3
e336be
e336be
From 256e20401f9f5dd19028d4220095897a15daa67c Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:38 +0100
e336be
Subject: [PATCH 20/24] Lock down /proc/kcore
e336be
e336be
Disallow access to /proc/kcore when the kernel is locked down to prevent
e336be
access to cryptographic data.
e336be
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
Reviewed-by: James Morris <james.l.morris@oracle.com>
e336be
---
e336be
 fs/proc/kcore.c | 2 ++
e336be
 1 file changed, 2 insertions(+)
e336be
e336be
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
e336be
index d1e82761de81..cdebdee81719 100644
e336be
--- a/fs/proc/kcore.c
e336be
+++ b/fs/proc/kcore.c
e336be
@@ -546,6 +546,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
e336be
e336be
 static int open_kcore(struct inode *inode, struct file *filp)
e336be
 {
e336be
+	if (kernel_is_locked_down("/proc/kcore"))
e336be
+		return -EPERM;
e336be
 	if (!capable(CAP_SYS_RAWIO))
e336be
 		return -EPERM;
e336be
e336be
-- 
e336be
2.14.3
e336be
e336be
From f68ca24bc8d8a64cf30e59a595fad0e6782e933f Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:38 +0100
e336be
Subject: [PATCH 21/24] Lock down kprobes
e336be
e336be
Disallow the creation of kprobes when the kernel is locked down by
e336be
preventing their registration.  This prevents kprobes from being used to
e336be
access kernel memory, either to make modifications or to steal crypto data.
e336be
e336be
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
---
e336be
 kernel/kprobes.c | 3 +++
e336be
 1 file changed, 3 insertions(+)
e336be
e336be
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
e336be
index 102160ff5c66..4f5757732553 100644
e336be
--- a/kernel/kprobes.c
e336be
+++ b/kernel/kprobes.c
e336be
@@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p)
e336be
 	struct module *probed_mod;
e336be
 	kprobe_opcode_t *addr;
e336be
e336be
+	if (kernel_is_locked_down("Use of kprobes"))
e336be
+		return -EPERM;
e336be
+
e336be
 	/* Adjust probe address from symbol */
e336be
 	addr = kprobe_addr(p);
e336be
 	if (IS_ERR(addr))
e336be
-- 
e336be
2.14.3
e336be
e336be
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:38 +0100
e336be
Subject: [PATCH 23/24] Lock down perf
e336be
e336be
Disallow the use of certain perf facilities that might allow userspace to
e336be
access kernel data.
e336be
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
---
e336be
 kernel/events/core.c | 5 +++++
e336be
 1 file changed, 5 insertions(+)
e336be
e336be
diff --git a/kernel/events/core.c b/kernel/events/core.c
e336be
index fc1c330c6bd6..1922f2e0980a 100644
e336be
--- a/kernel/events/core.c
e336be
+++ b/kernel/events/core.c
e336be
@@ -10407,6 +10407,11 @@ SYSCALL_DEFINE5(perf_event_open,
e336be
 			return -EINVAL;
e336be
 	}
e336be
e336be
+	if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
e336be
+	    kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
e336be
+		/* REGS_INTR can leak data, lockdown must prevent this */
e336be
+		return -EPERM;
e336be
+
e336be
 	/* Only privileged users can get physical addresses */
e336be
 	if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
e336be
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
e336be
-- 
e336be
2.14.3
e336be
e336be
From fe5091f97838c8c64b891280bcd30367e71cd5c3 Mon Sep 17 00:00:00 2001
e336be
From: David Howells <dhowells@redhat.com>
e336be
Date: Wed, 4 Apr 2018 14:45:38 +0100
e336be
Subject: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked
e336be
 down
e336be
e336be
Disallow opening of debugfs files that might be used to muck around when
e336be
the kernel is locked down as various drivers give raw access to hardware
e336be
through debugfs.  Given the effort of auditing all 2000 or so files and
e336be
manually fixing each one as necessary, I've chosen to apply a heuristic
e336be
instead.  The following changes are made:
e336be
e336be
 (1) chmod and chown are disallowed on debugfs objects (though the root dir
e336be
     can be modified by mount and remount, but I'm not worried about that).
e336be
e336be
 (2) When the kernel is locked down, only files with the following criteria
e336be
     are permitted to be opened:
e336be
e336be
	- The file must have mode 00444
e336be
	- The file must not have ioctl methods
e336be
	- The file must not have mmap
e336be
e336be
 (3) When the kernel is locked down, files may only be opened for reading.
e336be
e336be
Normal device interaction should be done through configfs, sysfs or a
e336be
miscdev, not debugfs.
e336be
e336be
Note that this makes it unnecessary to specifically lock down show_dsts(),
e336be
show_devs() and show_call() in the asus-wmi driver.
e336be
e336be
I would actually prefer to lock down all files by default and have the
e336be
the files unlocked by the creator.  This is tricky to manage correctly,
e336be
though, as there are 19 creation functions and ~1600 call sites (some of
e336be
them in loops scanning tables).
e336be
e336be
Signed-off-by: David Howells <dhowells@redhat.com>
e336be
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
e336be
cc: acpi4asus-user@lists.sourceforge.net
e336be
cc: platform-driver-x86@vger.kernel.org
e336be
cc: Matthew Garrett <mjg59@srcf.ucam.org>
e336be
cc: Thomas Gleixner <tglx@linutronix.de>
e336be
---
e336be
 fs/debugfs/file.c  | 28 ++++++++++++++++++++++++++++
e336be
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
e336be
 2 files changed, 56 insertions(+), 2 deletions(-)
e336be
e336be
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
e336be
index 1f99678ff5d3..51cb894c21f2 100644
e336be
--- a/fs/debugfs/file.c
e336be
+++ b/fs/debugfs/file.c
e336be
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
e336be
 }
e336be
 EXPORT_SYMBOL_GPL(debugfs_file_put);
e336be
e336be
+/*
e336be
+ * Only permit access to world-readable files when the kernel is locked down.
e336be
+ * We also need to exclude any file that has ways to write or alter it as root
e336be
+ * can bypass the permissions check.
e336be
+ */
e336be
+static bool debugfs_is_locked_down(struct inode *inode,
e336be
+				   struct file *filp,
e336be
+				   const struct file_operations *real_fops)
e336be
+{
e336be
+	if ((inode->i_mode & 07777) == 0444 &&
e336be
+	    !(filp->f_mode & FMODE_WRITE) &&
e336be
+	    !real_fops->unlocked_ioctl &&
e336be
+	    !real_fops->compat_ioctl &&
e336be
+	    !real_fops->mmap)
e336be
+		return false;
e336be
+
e336be
+	return kernel_is_locked_down("debugfs");
e336be
+}
e336be
+
e336be
 static int open_proxy_open(struct inode *inode, struct file *filp)
e336be
 {
e336be
 	struct dentry *dentry = F_DENTRY(filp);
e336be
@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
e336be
 		return r == -EIO ? -ENOENT : r;
e336be
e336be
 	real_fops = debugfs_real_fops(filp);
e336be
+
e336be
+	r = -EPERM;
e336be
+	if (debugfs_is_locked_down(inode, filp, real_fops))
e336be
+		goto out;
e336be
+
e336be
 	real_fops = fops_get(real_fops);
e336be
 	if (!real_fops) {
e336be
 		/* Huh? Module did not clean up after itself at exit? */
e336be
@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
e336be
 		return r == -EIO ? -ENOENT : r;
e336be
e336be
 	real_fops = debugfs_real_fops(filp);
e336be
+	r = -EPERM;
e336be
+	if (debugfs_is_locked_down(inode, filp, real_fops))
e336be
+		goto out;
e336be
+
e336be
 	real_fops = fops_get(real_fops);
e336be
 	if (!real_fops) {
e336be
 		/* Huh? Module did not cleanup after itself at exit? */
e336be
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
e336be
index 13b01351dd1c..4daec17b8215 100644
e336be
--- a/fs/debugfs/inode.c
e336be
+++ b/fs/debugfs/inode.c
e336be
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount;
e336be
 static int debugfs_mount_count;
e336be
 static bool debugfs_registered;
e336be
e336be
+/*
e336be
+ * Don't allow access attributes to be changed whilst the kernel is locked down
e336be
+ * so that we can use the file mode as part of a heuristic to determine whether
e336be
+ * to lock down individual files.
e336be
+ */
e336be
+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
e336be
+{
e336be
+	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
e336be
+	    kernel_is_locked_down("debugfs"))
e336be
+		return -EPERM;
e336be
+	return simple_setattr(dentry, ia);
e336be
+}
e336be
+
e336be
+static const struct inode_operations debugfs_file_inode_operations = {
e336be
+	.setattr	= debugfs_setattr,
e336be
+};
e336be
+static const struct inode_operations debugfs_dir_inode_operations = {
e336be
+	.lookup		= simple_lookup,
e336be
+	.setattr	= debugfs_setattr,
e336be
+};
e336be
+static const struct inode_operations debugfs_symlink_inode_operations = {
e336be
+	.get_link	= simple_get_link,
e336be
+	.setattr	= debugfs_setattr,
e336be
+};
e336be
+
e336be
 static struct inode *debugfs_get_inode(struct super_block *sb)
e336be
 {
e336be
 	struct inode *inode = new_inode(sb);
e336be
@@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
e336be
 	inode->i_mode = mode;
e336be
 	inode->i_private = data;
e336be
e336be
+	inode->i_op = &debugfs_file_inode_operations;
e336be
 	inode->i_fop = proxy_fops;
e336be
 	dentry->d_fsdata = (void *)((unsigned long)real_fops |
e336be
 				DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
e336be
@@ -515,7 +541,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
e336be
 		return failed_creating(dentry);
e336be
 
e336be
 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
e336be
-	inode->i_op = &simple_dir_inode_operations;
e336be
+	inode->i_op = &debugfs_dir_inode_operations;
e336be
 	inode->i_fop = &simple_dir_operations;
e336be
e336be
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
e336be
@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
e336be
 		return failed_creating(dentry);
e336be
 	}
e336be
 	inode->i_mode = S_IFLNK | S_IRWXUGO;
e336be
-	inode->i_op = &simple_symlink_inode_operations;
e336be
+	inode->i_op = &debugfs_symlink_inode_operations;
e336be
 	inode->i_link = link;
e336be
 	d_instantiate(dentry, inode);
e336be
 	return end_creating(dentry);
e336be
-- 
e336be
2.14.3
e336be