Received: by 10.192.165.156 with SMTP id m28csp1116485imm; Wed, 11 Apr 2018 12:44:56 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/iVw2SsPq9IyGdN8PxpkslDfnsshKSdf6PZTd1UFw4CvSXgu1gM9nU8jaDQ/IYrSvV2u/g X-Received: by 10.101.74.69 with SMTP id a5mr4545753pgu.32.1523475896877; Wed, 11 Apr 2018 12:44:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523475896; cv=none; d=google.com; s=arc-20160816; b=HsENCgy5t9D6uyb5jcSyVba/QBvnvh53YRlm9bbdrz34VY+sk0QCr6b6Yi2/uwLWTi fcPZC3S87QcecpIV8lON6QeHqlDzyYpv405znxoRRYVe2KjNSru0IM3VApnCceSwJVeA Jk/vd5g8CRH0xDzFwC0gZ5p8mnOzLJr2YvYpOXSIHHZTqj6EKfbKwaAUpD7zObxGXSkd 7lZJ7+fqh4qAMs/0zM1el81Bm0K1Tzpn129eQS70nQeN8dt7HOolrxnIIsyQYufkSYxu WVEU03zlKa1+QgZKolW6yHZYgCzDr+x1XM+2OsliUWFHls2+Tftry4gl5DBOQVyJ/+C6 XFSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from :arc-authentication-results; bh=kHdA/pFl/IfmoHUJf4fa7EKDP0pLpCjnNYmPhPehavk=; b=B5sqg8hmu3dEq19pKqnba7g94nKEURuFA5qNTqsa2AFY9W6hkT0Ox2ag0diX3BMtEV 7BIiLJZafvy/Q693aYdfWQC0Lyrs95zOEloR9uFSMwgxbtLgBf52VoATtjgbu7U6l+jH 0fKBI2Pm3DwQ8BrIq187Q8qCL6d8u07AegalWs+4OXVY2Gl8LnZiB1tCkClWEuqqG8v8 KBSzBvOe77SA55TYpXH36Gwbm+dnMDPs79CXkIJthW3hTV/rxcZ2AlVenDrKbFlfgOQu LQXlTvHRAs0+uxPYuPrlkZuUmQLzggJfP9PEEf93SeU3McEywQS1SfewtSgkWLZOkq81 CGvQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 13si1358039pfn.1.2018.04.11.12.44.19; Wed, 11 Apr 2018 12:44:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934268AbeDKTBi (ORCPT + 99 others); Wed, 11 Apr 2018 15:01:38 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:46231 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756848AbeDKTBd (ORCPT ); Wed, 11 Apr 2018 15:01:33 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1f6Kzs-0008Vz-Ot; Wed, 11 Apr 2018 13:01:32 -0600 Received: from [97.119.140.30] (helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1f6Kzs-0000BD-4M; Wed, 11 Apr 2018 13:01:32 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: David Howells Cc: torvalds@linux-foundation.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346391877.4030.6270466586590461223.stgit@warthog.procyon.org.uk> Date: Wed, 11 Apr 2018 14:00:17 -0500 In-Reply-To: <152346391877.4030.6270466586590461223.stgit@warthog.procyon.org.uk> (David Howells's message of "Wed, 11 Apr 2018 17:25:18 +0100") Message-ID: <87po35k1q6.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1f6Kzs-0000BD-4M;;;mid=<87po35k1q6.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=97.119.140.30;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18Pn83xbg+a6bSqYlat/91KeajAvE0rELQ= X-SA-Exim-Connect-IP: 97.119.140.30 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa04.xmission.com X-Spam-Level: ** X-Spam-Status: No, score=2.0 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,XMNoVowels,XMSubLong autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4992] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;David Howells X-Spam-Relay-Country: X-Spam-Timing: total 251 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.4 (1.4%), b_tie_ro: 2.5 (1.0%), parse: 1.49 (0.6%), extract_message_metadata: 34 (13.6%), get_uri_detail_list: 3.2 (1.3%), tests_pri_-1000: 18 (7.2%), tests_pri_-950: 1.42 (0.6%), tests_pri_-900: 1.17 (0.5%), tests_pri_-400: 23 (9.3%), check_bayes: 22 (8.8%), b_tokenize: 8 (3.2%), b_tok_get_all: 6 (2.5%), b_comp_prob: 2.4 (1.0%), b_tok_touch_all: 2.9 (1.1%), b_finish: 0.71 (0.3%), tests_pri_0: 156 (61.9%), check_dkim_signature: 0.78 (0.3%), check_dkim_adsp: 7 (2.7%), tests_pri_500: 9 (3.4%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org David Howells writes: > From: Matthew Garrett > > The kexec_load() syscall permits the loading and execution of arbitrary > code in ring 0, which is something that lock-down is meant to prevent. It > makes sense to disable kexec_load() in this situation. > > This does not affect kexec_file_load() syscall which can check for a > signature on the image to be booted. Maybing I am missing it but I am not seeing anything that would require kexec_file_load be configured such that it checks the loaded kernel. Without that I don't see the point of disabling kexec_load. Nacked-by: "Eric W. Biederman" Eric > Signed-off-by: Matthew Garrett > Signed-off-by: David Howells > Acked-by: Dave Young > Reviewed-by: "Lee, Chun-Yi" > Reviewed-by: James Morris > cc: kexec@lists.infradead.org > --- > > kernel/kexec.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/kernel/kexec.c b/kernel/kexec.c > index aed8fb2564b3..1553ac765e73 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -199,6 +199,13 @@ static inline int kexec_load_check(unsigned long nr_segments, > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) > return -EPERM; > > + /* > + * kexec can be used to circumvent module loading restrictions, so > + * prevent loading in that case > + */ > + if (kernel_is_locked_down("kexec of unsigned images")) > + return -EPERM; > + > /* > * Verify we have a legal set of flags > * This leaves us room for future extensions.