Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp199944imm; Thu, 10 May 2018 18:37:58 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpcNnuyoI/iFsoXmvRfqefhllZM3rCF+8SfTozZDTg17Ee8sHCkHBsGb9E376Dv2MTVWmKd X-Received: by 2002:a17:902:6ac3:: with SMTP id i3-v6mr3440656plt.378.1526002678868; Thu, 10 May 2018 18:37:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526002678; cv=none; d=google.com; s=arc-20160816; b=CLu98/viV6I/B3oVWte8oIoKVGHS8eTenbTJy7aBY1l4sBwRuCcQd03ZPu7i+cKtk7 xHUdbdoRYA7Q1PysyUC2DM9ZnsBl3mKLsI1Ou5FxFWl4dFU2qEibsNs7gK7lx+F0MycC yo3mIf5gUBCrJFJldlr5RK6/6ZroQGm+biqfDa5cluQ+RWh2M2n2pJzsr9DQUl483n5D rjlYc9Xo1OaDiqIOllQkm4KmSC2Epl184DuJnu9o8a25ilLH3d0AYsrutRaCIOeFKE/I LC7F7O6mEQF4l6jAs/ewegMbXUzvSm0OnDyoon1Lkf7a5H+d+5OONgla7UtpUDbW633D WnqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from:arc-authentication-results; bh=Eg25fwzVjIcc2Ycv9xL0Lz/AATa0R6MEEJrOIOOINuI=; b=JjJPrbfuxtzK8yM7+KLou52xmpghV6QC0Flv/5xf2SK0uOjQKUPePmx7i2+VazrZm5 TCTiCFUTbUX8+ScFFko4ZxVezHlLCS/SKgcksbJ02lUqmf4317bQzcsSvDtFYMNzmlR7 Wb++LQ+5lRUQMn2vsb5bHA44XY51CCzSYYAblvOTfjScGmHMbvogSCWXWxvajsa3qco6 SYZ6wjfVe5TDd8ehpmibrluxoHWv/tsNKyFvXBmxm/mt1kQHKdUFj1hL+Iqx6oGQ48nd DwF1LVJvxNkxKFKV2/u0m1ceVmvuqMTcChJxvplH1B0G8Pckn/PFDSkpQt6U8Pqpjxzk uc6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o17-v6si1703113pge.198.2018.05.10.18.37.44; Thu, 10 May 2018 18:37:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752141AbeEKBhI (ORCPT + 99 others); Thu, 10 May 2018 21:37:08 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:56966 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752113AbeEKBhG (ORCPT ); Thu, 10 May 2018 21:37:06 -0400 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4B1Ynr1000547 for ; Thu, 10 May 2018 21:37:05 -0400 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0b-001b2d01.pphosted.com with ESMTP id 2hvvvga272-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 10 May 2018 21:37:05 -0400 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 11 May 2018 02:37:03 +0100 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 11 May 2018 02:37:00 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4B1axal8388994; Fri, 11 May 2018 01:36:59 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3ECF211C04A; Fri, 11 May 2018 02:28:23 +0100 (BST) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E98F811C04C; Fri, 11 May 2018 02:28:21 +0100 (BST) Received: from localhost.ibm.com (unknown [9.80.104.201]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Fri, 11 May 2018 02:28:21 +0100 (BST) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: Eric Biederman , David Howells , Mimi Zohar , linux-security-module@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Kees Cook , Matthew Garrett , Casey Schaufler Subject: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall Date: Thu, 10 May 2018 21:36:47 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1526002608-27474-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1526002608-27474-1-git-send-email-zohar@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18051101-0020-0000-0000-0000041C145B X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18051101-0021-0000-0000-000042B114E8 Message-Id: <1526002608-27474-3-git-send-email-zohar@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-11_01:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805110009 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In order for LSMs and IMA-appraisal to differentiate between the kexec_load and kexec_file_load_syscalls, an LSM call needs to be added to the original kexec_load syscall. From a technical perspective there is no need for defining a new LSM hook, as the existing security_kernel_kexec_load() works just fine. However, the name is confusing. For this reason, instead of defining a new LSM hook, this patch defines security_kexec_load() as a wrapper for the existing LSM security_kernel_file_read() hook. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Kees Cook Cc: David Howells Cc: Matthew Garrett Cc: Casey Schaufler Changelog v1: - Define and call security_kexec_load(), a wrapper for security_kernel_read_file(). --- include/linux/security.h | 6 ++++++ kernel/kexec.c | 11 +++++++++++ security/security.c | 6 ++++++ 3 files changed, 23 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 63030c85ee19..26f6d85903ed 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -323,6 +323,7 @@ int security_kernel_module_request(char *kmod_name); int security_kernel_read_file(struct file *file, enum kernel_read_file_id id); int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id); +int security_kexec_load(void); int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags); int security_task_setpgid(struct task_struct *p, pid_t pgid); @@ -922,6 +923,11 @@ static inline int security_kernel_post_read_file(struct file *file, return 0; } +static inline int security_kexec_load(void) +{ + return 0; +} + static inline int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags) diff --git a/kernel/kexec.c b/kernel/kexec.c index aed8fb2564b3..6b44b0e9a60b 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -195,11 +196,21 @@ static int do_kexec_load(unsigned long entry, unsigned long nr_segments, static inline int kexec_load_check(unsigned long nr_segments, unsigned long flags) { + int result; + /* We only trust the superuser with rebooting the system. */ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) return -EPERM; /* + * Allow LSMs and IMA to differentiate between kexec_load and + * kexec_file_load syscalls. + */ + result = security_kexec_load(); + if (result < 0) + return result; + + /* * Verify we have a legal set of flags * This leaves us room for future extensions. */ diff --git a/security/security.c b/security/security.c index 68f46d849abe..0f3390000156 100644 --- a/security/security.c +++ b/security/security.c @@ -1044,6 +1044,12 @@ int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) } EXPORT_SYMBOL_GPL(security_kernel_read_file); +int security_kexec_load() +{ + return security_kernel_read_file(NULL, READING_KEXEC_IMAGE); +} +EXPORT_SYMBOL_GPL(security_kexec_load); + int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id) { -- 2.7.5