| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| From: Jeremy Cline <jcline@redhat.com> |
| Date: Mon, 30 Sep 2019 21:22:47 +0000 |
| Subject: [PATCH] security: lockdown: expose a hook to lock the kernel down |
| |
| In order to automatically lock down kernels running on UEFI machines |
| booted in Secure Boot mode, expose the lock_kernel_down() hook. |
| |
| Upstream Status: RHEL only |
| Signed-off-by: Jeremy Cline <jcline@redhat.com> |
| |
| include/linux/lsm_hook_defs.h | 2 ++ |
| include/linux/lsm_hooks.h | 6 ++++++ |
| include/linux/security.h | 5 +++++ |
| security/lockdown/lockdown.c | 1 + |
| security/security.c | 6 ++++++ |
| 5 files changed, 20 insertions(+) |
| |
| diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h |
| index 2a8c74d99015..0d3129588b78 100644 |
| |
| |
| @@ -383,6 +383,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux) |
| #endif /* CONFIG_BPF_SYSCALL */ |
| |
| LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) |
| +LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level) |
| + |
| |
| #ifdef CONFIG_PERF_EVENTS |
| LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) |
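Review bot: The hook is declared with a default return of 0, so on a kernel where no LSM implements lock_kernel_down a caller of security_lock_kernel_down() receives "success" and cannot tell that nothing was locked down; the same silent no-op exists in the `return 0` stub added to security.h and in the `call_int_hook(lock_kernel_down, 0, ...)` default added to security.c. If callers are meant to act on the result, a distinguishable default such as -EOPNOTSUPP would make the missing implementation visible; otherwise the hook documentation should state explicitly that a 0 return does not guarantee the lockdown took effect. Separately, the added `+` blank line after the new LSM_HOOK leaves two consecutive empty lines before `#ifdef CONFIG_PERF_EVENTS`, where the surrounding entries use one.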
| diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h |
| index 9e2e3e63719d..317660f68b4f 100644 |
| |
| |
| @@ -1507,6 +1507,12 @@ |
| * |
| * @what: kernel feature being accessed |
| * |
| + * @lock_kernel_down |
| + * Put the kernel into lock-down mode. |
| + * |
| + * @where: Where the lock-down is originating from (e.g. command line option) |
| + * @level: The lock-down level (can only increase) |
| + * |
| * Security hooks for perf events |
| * |
| * @perf_event_open: |
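Review bot: The new @lock_kernel_down entry documents @where and @level but not the return value, which matters because the hook is declared as returning int and the "(can only increase)" remark implies a refusal path that callers need to recognise. A line such as `* Return 0 if the lock-down was applied, or a negative error code if the request was refused (e.g. because @level would not raise the current level).` after the @level description would close that gap. The exact refusal condition is not visible in this patch, so the wording should be confirmed against the lockdown LSM implementation.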
| diff --git a/include/linux/security.h b/include/linux/security.h |
| index 0a0a03b36a3b..26869f44416b 100644 |
| |
| |
| @@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); |
| int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); |
| int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); |
| int security_locked_down(enum lockdown_reason what); |
| +int security_lock_kernel_down(const char *where, enum lockdown_reason level); |
| #else /* CONFIG_SECURITY */ |
| |
| static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) |
| @@ -1291,6 +1292,10 @@ static inline int security_locked_down(enum lockdown_reason what) |
| { |
| return 0; |
| } |
| +static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) |
| +{ |
| + return 0; |
| +} |
| #endif /* CONFIG_SECURITY */ |
| |
| #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) |
| diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c |
| index 87cbdc64d272..18555cf18da7 100644 |
| |
| |
| @@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what) |
| |
| static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { |
| LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), |
| + LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down), |
| }; |
| |
| static int __init lockdown_lsm_init(void) |
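Review bot: `LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down)` binds the hook to a function carrying the same name as the hook itself, while the neighbouring entry follows the file's `lockdown_<purpose>` convention (`lockdown_is_locked_down`). The implementation is not in this hunk, so this assumes it is an existing static helper earlier in lockdown.c; renaming it and writing `LSM_HOOK_INIT(lock_kernel_down, lockdown_lock_kernel_down),` would keep naming consistent and avoid the hook/function name clash when searching the tree. That rename would touch the definition outside this hunk.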
| diff --git a/security/security.c b/security/security.c |
| index 70a7ad357bc6..23e16e773bc2 100644 |
| |
| |
| @@ -2516,6 +2516,12 @@ int security_locked_down(enum lockdown_reason what) |
| } |
| EXPORT_SYMBOL(security_locked_down); |
| |
| +int security_lock_kernel_down(const char *where, enum lockdown_reason level) |
| +{ |
| + return call_int_hook(lock_kernel_down, 0, where, level); |
| +} |
| +EXPORT_SYMBOL(security_lock_kernel_down); |
| + |
| #ifdef CONFIG_PERF_EVENTS |
| int security_perf_event_open(struct perf_event_attr *attr, int type) |
| { |
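Review bot: security_lock_kernel_down() is added without a comment describing its contract, and per the commit message it is the entry point the Secure Boot code is going to call, so a reader has to go to lsm_hooks.h to learn what @where and @level mean; a short header such as `/* Raise the kernel lockdown level to @level; @where describes where the request originates. Returns 0 or the LSM's negative error code. */` before the definition would help. The EXPORT_SYMBOL mirrors security_locked_down() just above it; if the only intended caller is built-in code, the export is unnecessary and could be dropped, since a plain export lets any loadable module raise the lockdown level. Whether an out-of-tree caller exists is not visible here, so this is a question rather than a defect.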
| -- |
| 2.28.0 |
| |