Received: by 10.192.165.156 with SMTP id m28csp1116485imm;
        Wed, 11 Apr 2018 12:44:56 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/iVw2SsPq9IyGdN8PxpkslDfnsshKSdf6PZTd1UFw4CvSXgu1gM9nU8jaDQ/IYrSvV2u/g
X-Received: by 10.101.74.69 with SMTP id a5mr4545753pgu.32.1523475896877;
        Wed, 11 Apr 2018 12:44:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523475896; cv=none;
        d=google.com; s=arc-20160816;
        b=HsENCgy5t9D6uyb5jcSyVba/QBvnvh53YRlm9bbdrz34VY+sk0QCr6b6Yi2/uwLWTi
         fcPZC3S87QcecpIV8lON6QeHqlDzyYpv405znxoRRYVe2KjNSru0IM3VApnCceSwJVeA
         Jk/vd5g8CRH0xDzFwC0gZ5p8mnOzLJr2YvYpOXSIHHZTqj6EKfbKwaAUpD7zObxGXSkd
         7lZJ7+fqh4qAMs/0zM1el81Bm0K1Tzpn129eQS70nQeN8dt7HOolrxnIIsyQYufkSYxu
         WVEU03zlKa1+QgZKolW6yHZYgCzDr+x1XM+2OsliUWFHls2+Tftry4gl5DBOQVyJ/+C6
         XFSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from
         :arc-authentication-results;
        bh=kHdA/pFl/IfmoHUJf4fa7EKDP0pLpCjnNYmPhPehavk=;
        b=B5sqg8hmu3dEq19pKqnba7g94nKEURuFA5qNTqsa2AFY9W6hkT0Ox2ag0diX3BMtEV
         7BIiLJZafvy/Q693aYdfWQC0Lyrs95zOEloR9uFSMwgxbtLgBf52VoATtjgbu7U6l+jH
         0fKBI2Pm3DwQ8BrIq187Q8qCL6d8u07AegalWs+4OXVY2Gl8LnZiB1tCkClWEuqqG8v8
         KBSzBvOe77SA55TYpXH36Gwbm+dnMDPs79CXkIJthW3hTV/rxcZ2AlVenDrKbFlfgOQu
         LQXlTvHRAs0+uxPYuPrlkZuUmQLzggJfP9PEEf93SeU3McEywQS1SfewtSgkWLZOkq81
         CGvQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 13si1358039pfn.1.2018.04.11.12.44.19;
        Wed, 11 Apr 2018 12:44:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934268AbeDKTBi (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Wed, 11 Apr 2018 15:01:38 -0400
Received: from out01.mta.xmission.com ([166.70.13.231]:46231 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1756848AbeDKTBd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Apr 2018 15:01:33 -0400
Received: from in02.mta.xmission.com ([166.70.13.52])
        by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1f6Kzs-0008Vz-Ot; Wed, 11 Apr 2018 13:01:32 -0600
Received: from [97.119.140.30] (helo=x220.xmission.com)
        by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1f6Kzs-0000BD-4M; Wed, 11 Apr 2018 13:01:32 -0600
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     David Howells <dhowells@redhat.com>
Cc:     torvalds@linux-foundation.org, linux-man@vger.kernel.org,
        linux-api@vger.kernel.org, jmorris@namei.org,
        linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>
        <152346391877.4030.6270466586590461223.stgit@warthog.procyon.org.uk>
Date:   Wed, 11 Apr 2018 14:00:17 -0500
In-Reply-To: <152346391877.4030.6270466586590461223.stgit@warthog.procyon.org.uk>
        (David Howells's message of "Wed, 11 Apr 2018 17:25:18 +0100")
Message-ID: <87po35k1q6.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1f6Kzs-0000BD-4M;;;mid=<87po35k1q6.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=97.119.140.30;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18Pn83xbg+a6bSqYlat/91KeajAvE0rELQ=
X-SA-Exim-Connect-IP: 97.119.140.30
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa04.xmission.com
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,XMNoVowels,XMSubLong
        autolearn=disabled version=3.4.1
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  1.5 XMNoVowels Alpha-numberic number with no vowels
        *  0.7 XMSubLong Long Subject
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4992]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa04 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: **;David Howells <dhowells@redhat.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 251 ms - load_scoreonly_sql: 0.05 (0.0%),
        signal_user_changed: 3.4 (1.4%), b_tie_ro: 2.5 (1.0%), parse: 1.49 (0.6%),
        extract_message_metadata: 34 (13.6%), get_uri_detail_list: 3.2 (1.3%),
        tests_pri_-1000: 18 (7.2%), tests_pri_-950: 1.42 (0.6%), tests_pri_-900: 1.17
        (0.5%), tests_pri_-400: 23 (9.3%), check_bayes: 22 (8.8%), b_tokenize: 8
        (3.2%), b_tok_get_all: 6 (2.5%), b_comp_prob: 2.4 (1.0%), b_tok_touch_all:
        2.9 (1.1%), b_finish: 0.71 (0.3%), tests_pri_0: 156 (61.9%),
        check_dkim_signature: 0.78 (0.3%), check_dkim_adsp: 7 (2.7%), tests_pri_500:
        9 (3.4%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

David Howells <dhowells@redhat.com> writes:

> From: Matthew Garrett <mjg59@srcf.ucam.org>
>
> The kexec_load() syscall permits the loading and execution of arbitrary
> code in ring 0, which is something that lock-down is meant to prevent. It
> makes sense to disable kexec_load() in this situation.
>
> This does not affect kexec_file_load() syscall which can check for a
> signature on the image to be booted.

Maybing I am missing it but I am not seeing anything that would require
kexec_file_load be configured such that it checks the loaded kernel.

Without that I don't see the point of disabling kexec_load.

Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>


Eric




> Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: Dave Young <dyoung@redhat.com>
> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
> Reviewed-by: James Morris <james.l.morris@oracle.com>
> cc: kexec@lists.infradead.org
> ---
>
>  kernel/kexec.c |    7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index aed8fb2564b3..1553ac765e73 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -199,6 +199,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
>  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
>  		return -EPERM;
>  
> +	/*
> +	 * kexec can be used to circumvent module loading restrictions, so
> +	 * prevent loading in that case
> +	 */
> +	if (kernel_is_locked_down("kexec of unsigned images"))
> +		return -EPERM;
> +
>  	/*
>  	 * Verify we have a legal set of flags
>  	 * This leaves us room for future extensions.