pengqianheng / rpms / kernel

Forked from rpms/kernel a year ago
Clone
Pablo Greco 7b2c62
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Pablo Greco 7b2c62
From: Jeremy Cline <jcline@redhat.com>
Pablo Greco 7b2c62
Date: Mon, 30 Sep 2019 21:22:47 +0000
Pablo Greco 7b2c62
Subject: [PATCH] security: lockdown: expose a hook to lock the kernel down
Pablo Greco 7b2c62
Pablo Greco 7b2c62
In order to automatically lock down kernels running on UEFI machines
Pablo Greco 7b2c62
booted in Secure Boot mode, expose the lock_kernel_down() hook.
Pablo Greco 7b2c62
Pablo Greco 7b2c62
Upstream Status: RHEL only
Pablo Greco 7b2c62
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Pablo Greco 7b2c62
---
Pablo Greco 7b2c62
 include/linux/lsm_hook_defs.h | 2 ++
Pablo Greco 7b2c62
 include/linux/lsm_hooks.h     | 6 ++++++
Pablo Greco 7b2c62
 include/linux/security.h      | 5 +++++
Pablo Greco 7b2c62
 security/lockdown/lockdown.c  | 1 +
Pablo Greco 7b2c62
 security/security.c           | 6 ++++++
Pablo Greco 7b2c62
 5 files changed, 20 insertions(+)
Pablo Greco 7b2c62
Pablo Greco 7b2c62
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
Pablo Greco 7b2c62
index 2a8c74d99015..0d3129588b78 100644
Pablo Greco 7b2c62
--- a/include/linux/lsm_hook_defs.h
Pablo Greco 7b2c62
+++ b/include/linux/lsm_hook_defs.h
Pablo Greco 7b2c62
@@ -383,6 +383,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
Pablo Greco 7b2c62
 #endif /* CONFIG_BPF_SYSCALL */
Pablo Greco 7b2c62
Pablo Greco 7b2c62
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
Pablo Greco 7b2c62
+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
Pablo Greco 7b2c62
+
Pablo Greco 7b2c62
Pablo Greco 7b2c62
 #ifdef CONFIG_PERF_EVENTS
Pablo Greco 7b2c62
 LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
Pablo Greco 7b2c62
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
Pablo Greco 7b2c62
index 9e2e3e63719d..317660f68b4f 100644
Pablo Greco 7b2c62
--- a/include/linux/lsm_hooks.h
Pablo Greco 7b2c62
+++ b/include/linux/lsm_hooks.h
Pablo Greco 7b2c62
@@ -1507,6 +1507,12 @@
Pablo Greco 7b2c62
  *
Pablo Greco 7b2c62
  *     @what: kernel feature being accessed
Pablo Greco 7b2c62
  *
Pablo Greco 7b2c62
+ * @lock_kernel_down
Pablo Greco 7b2c62
+ * 	Put the kernel into lock-down mode.
Pablo Greco 7b2c62
+ *
Pablo Greco 7b2c62
+ * 	@where: Where the lock-down is originating from (e.g. command line option)
Pablo Greco 7b2c62
+ * 	@level: The lock-down level (can only increase)
Pablo Greco 7b2c62
+ *
Pablo Greco 7b2c62
  * Security hooks for perf events
Pablo Greco 7b2c62
  *
Pablo Greco 7b2c62
  * @perf_event_open:
Pablo Greco 7b2c62
diff --git a/include/linux/security.h b/include/linux/security.h
Pablo Greco 7b2c62
index 0a0a03b36a3b..26869f44416b 100644
Pablo Greco 7b2c62
--- a/include/linux/security.h
Pablo Greco 7b2c62
+++ b/include/linux/security.h
Pablo Greco 7b2c62
@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
Pablo Greco 7b2c62
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
Pablo Greco 7b2c62
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
Pablo Greco 7b2c62
 int security_locked_down(enum lockdown_reason what);
Pablo Greco 7b2c62
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
Pablo Greco 7b2c62
 #else /* CONFIG_SECURITY */
Pablo Greco 7b2c62
Pablo Greco 7b2c62
 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
Pablo Greco 7b2c62
@@ -1291,6 +1292,10 @@ static inline int security_locked_down(enum lockdown_reason what)
Pablo Greco 7b2c62
 {
Pablo Greco 7b2c62
 	return 0;
Pablo Greco 7b2c62
 }
Pablo Greco 7b2c62
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
Pablo Greco 7b2c62
+{
Pablo Greco 7b2c62
+	return 0;
Pablo Greco 7b2c62
+}
Pablo Greco 7b2c62
 #endif	/* CONFIG_SECURITY */
Pablo Greco 7b2c62
Pablo Greco 7b2c62
 #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
Pablo Greco 7b2c62
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
Pablo Greco 7b2c62
index 87cbdc64d272..18555cf18da7 100644
Pablo Greco 7b2c62
--- a/security/lockdown/lockdown.c
Pablo Greco 7b2c62
+++ b/security/lockdown/lockdown.c
Pablo Greco 7b2c62
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
Pablo Greco 7b2c62
Pablo Greco 7b2c62
 static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
Pablo Greco 7b2c62
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
Pablo Greco 7b2c62
+	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
Pablo Greco 7b2c62
 };
Pablo Greco 7b2c62
Pablo Greco 7b2c62
 static int __init lockdown_lsm_init(void)
Pablo Greco 7b2c62
diff --git a/security/security.c b/security/security.c
Pablo Greco 7b2c62
index 70a7ad357bc6..23e16e773bc2 100644
Pablo Greco 7b2c62
--- a/security/security.c
Pablo Greco 7b2c62
+++ b/security/security.c
Pablo Greco 7b2c62
@@ -2516,6 +2516,12 @@ int security_locked_down(enum lockdown_reason what)
Pablo Greco 7b2c62
 }
Pablo Greco 7b2c62
 EXPORT_SYMBOL(security_locked_down);
Pablo Greco 7b2c62
Pablo Greco 7b2c62
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
Pablo Greco 7b2c62
+{
Pablo Greco 7b2c62
+	return call_int_hook(lock_kernel_down, 0, where, level);
Pablo Greco 7b2c62
+}
Pablo Greco 7b2c62
+EXPORT_SYMBOL(security_lock_kernel_down);
Pablo Greco 7b2c62
+
Pablo Greco 7b2c62
 #ifdef CONFIG_PERF_EVENTS
Pablo Greco 7b2c62
 int security_perf_event_open(struct perf_event_attr *attr, int type)
Pablo Greco 7b2c62
 {
Pablo Greco 7b2c62
-- 
Pablo Greco 7b2c62
2.28.0
Pablo Greco 7b2c62