Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1558884imm; Wed, 10 Oct 2018 17:20:20 -0700 (PDT) X-Google-Smtp-Source: ACcGV62P4di5e0UtCFZMfpS2m3mFxMM2bMkr+2Tpp2T+yzpGhHxSlJl4KBLPbIdHGkgfilS7VGVZ X-Received: by 2002:a17:902:7142:: with SMTP id u2-v6mr35517955plm.154.1539217220233; Wed, 10 Oct 2018 17:20:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539217220; cv=none; d=google.com; s=arc-20160816; b=nBtY/KiTUt8V5gfeUFAbxOg2Y7vpa9DNgaxAQD5+FG3EZcGL/aVFQIca202dNqYcdA 2YUVcHs3Z/aOomIq2MELS4p81rSZdqPKoM1BCrkBvna33j0ZNOXNlP2sQsV9JoLWBrzm sQ0ILWUTZHFo5tzs78FuUFXyWBqAySLb4J8O0SILjRaT2MAJ+6hHxHfPqbxeu38lSPci F61KMtADqNJIS3mq4JCFptAEzs7/876V/IqnIoDRSdfzDFDjvjr3/WAp1MHuoI4kHPkt 1oPDRDLfZIISmXRIZ/Xobcr5eyNbXq4gvZUKpuO+u0MEswnXwF11kb/nbDAlY7YaRvvg Xp6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=9oGsxFd1lYWYAorYyN9hIBrjHAPxot319f0edyopgaA=; b=Qj38YjTR62mkMuhYkyEhms0yapNZ8PXQh/zEBN6zOLPFyAbgb7EHJId2INcNLF2aFT xIl4U3GK4OzQkQa2B5av8nTH/uYJdrL/K5uF6O2wm1h8396jgyQNYW+bM7ejCv5gyHnl hkY4KozBgT+OJecTUvPV/jKdMfdQApue9SggTDnMAZsgXfPoSLAaB7NjDuGQZ/ZIbmSg /JUvDlAuN/g4vUghAd+ndDiWlDoCnc0kWsnpsT3+poW4WYQEe1dWX/KXp7Ti8UkyW8dw z/KhpQvBy8STIiXpV4aqczAsllQkN2DHgJossCb2rLcmg7gVO+Mvl4WK6gGxnWOjONh/ XcPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=anZ9tL1P; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v4-v6si1143387plz.158.2018.10.10.17.20.05; Wed, 10 Oct 2018 17:20:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=anZ9tL1P; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727362AbeJKHno (ORCPT + 99 others); Thu, 11 Oct 2018 03:43:44 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:41986 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727332AbeJKHnn (ORCPT ); Thu, 11 Oct 2018 03:43:43 -0400 Received: by mail-pg1-f195.google.com with SMTP id i4-v6so3267060pgq.9 for ; Wed, 10 Oct 2018 17:19:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=9oGsxFd1lYWYAorYyN9hIBrjHAPxot319f0edyopgaA=; b=anZ9tL1PA/A7rUVRlnGvXfA1RrTh3Rl+L9f8RGaTp3W6wYeJEIdrEvUDt+++H9nwI5 +SSz/JUU3Fj6H3VQP4MEL83+vnQ4ISidqkmm6l19mIxm+FslYKv5SHX4K0daMZ7riVM/ 8PrbhtZGbF/S8ELKZ8XiOBJqS1BJafhlmhcpQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=9oGsxFd1lYWYAorYyN9hIBrjHAPxot319f0edyopgaA=; b=JGtFmtT6Da2ghVe3R8IiaXpP9yiu9WuTwRbPn9IOG2Z8MwlNR2vf0BN0wu9g4gqHUn HywipjWE+ySPS3upwNGlNXOIBktPmZvbqBCpW58Mlh0ikZe0MNzV0TgdPY8WnlyL5RJY 18c0MqLs6RpYAfVdMUCiBiSXZV5JAg8eCPCHYaTcdrYRl1vlfWLI1JTZLiro6mgYsbLg gQ05ZxYzHy2DZY3FLX0Vs4cOmvvcCqWpS+KUCTMfe81OihViBZ5Q7hA+s14itI2qYfBm m/DSk7L5WXlYYeC6YCQO8NABSL3A/d1gBu2NUzEJ9WhvbePktEebb5UpIFV1277wMFzJ z+5w== X-Gm-Message-State: ABuFfohiMDfGTm399JG3A15ZxybY7HHnRmWnk259R+jmX/DYLeDrh9br e9ynCVBxiCH+wmN7f/YvPvZ5Fg== X-Received: by 2002:a62:c2c1:: with SMTP id w62-v6mr16418780pfk.35.1539217148718; Wed, 10 Oct 2018 17:19:08 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id r65-v6sm35307981pfj.5.2018.10.10.17.18.58 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 10 Oct 2018 17:19:06 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Stephen Smalley , Paul Moore , Tetsuo Handa , Mimi Zohar , Randy Dunlap , Jordan Glover , LSM , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v5 13/30] LoadPin: Rename boot param "enabled" to "enforce" Date: Wed, 10 Oct 2018 17:18:29 -0700 Message-Id: <20181011001846.30964-14-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181011001846.30964-1-keescook@chromium.org> References: <20181011001846.30964-1-keescook@chromium.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org LoadPin's "enabled" setting is really about enforcement, not whether or not the LSM is using LSM hooks. Instead, split this out so that LSM enabling can be logically distinct from whether enforcement is happening (for example, the pinning happens when the LSM is enabled, but the pin is only checked when "enforce" is set). This allows LoadPin to continue to operate sanely in test environments once LSM enable/disable is centrally handled (i.e. we want LoadPin to be enabled separately from its enforcement). Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- security/loadpin/Kconfig | 4 ++-- security/loadpin/loadpin.c | 21 +++++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index dd01aa91e521..a0d70d82b98e 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -10,10 +10,10 @@ config SECURITY_LOADPIN have a root filesystem backed by a read-only device such as dm-verity or a CDROM. -config SECURITY_LOADPIN_ENABLED +config SECURITY_LOADPIN_ENFORCE bool "Enforce LoadPin at boot" depends on SECURITY_LOADPIN help If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter - "loadpin.enabled=1". + "loadpin.enforce=1". diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 0716af28808a..a2dc146b6364 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -44,7 +44,7 @@ static void report_load(const char *origin, struct file *file, char *operation) kfree(pathname); } -static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED); +static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE); static struct super_block *pinned_root; static DEFINE_SPINLOCK(pinned_root_spinlock); @@ -60,8 +60,8 @@ static struct ctl_path loadpin_sysctl_path[] = { static struct ctl_table loadpin_sysctl_table[] = { { - .procname = "enabled", - .data = &enabled, + .procname = "enforce", + .data = &enforce, .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, @@ -97,7 +97,7 @@ static void check_pinning_enforcement(struct super_block *mnt_sb) loadpin_sysctl_table)) pr_notice("sysctl registration failed!\n"); else - pr_info("load pinning can be disabled.\n"); + pr_info("enforcement can be disabled.\n"); } else pr_info("load pinning engaged.\n"); } @@ -128,7 +128,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) /* This handles the older init_module API that has a NULL file. */ if (!file) { - if (!enabled) { + if (!enforce) { report_load(origin, NULL, "old-api-pinning-ignored"); return 0; } @@ -151,7 +151,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) * Unlock now since it's only pinned_root we care about. * In the worst case, we will (correctly) report pinning * failures before we have announced that pinning is - * enabled. This would be purely cosmetic. + * enforcing. This would be purely cosmetic. */ spin_unlock(&pinned_root_spinlock); check_pinning_enforcement(pinned_root); @@ -161,7 +161,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) } if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) { - if (unlikely(!enabled)) { + if (unlikely(!enforce)) { report_load(origin, file, "pinning-ignored"); return 0; } @@ -186,10 +186,11 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { void __init loadpin_add_hooks(void) { - pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis"); + pr_info("ready to pin (currently %senforcing)\n", + enforce ? "" : "not "); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); } /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ -module_param(enabled, int, 0); -MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)"); +module_param(enforce, int, 0); +MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning"); -- 2.17.1