Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4432imb; Thu, 28 Feb 2019 14:10:35 -0800 (PST) X-Google-Smtp-Source: APXvYqzP+BcMxZ/aZx+YAw9MUBBqjgUkpctXhDwE63loHKmPHob7OsYVBvqGMjxhNjIM2xApxbX5 X-Received: by 2002:a65:60c7:: with SMTP id r7mr1451037pgv.37.1551391835871; Thu, 28 Feb 2019 14:10:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551391835; cv=none; d=google.com; s=arc-20160816; b=PkPIpfAfYyRxYqyz9Zvzw1daZm9LQh0iGUG5R+OHfJfzFqQdeLcHpIjM6d0FEfT5Rn 00gUSzG/9ah7YAhA8x5doL/j8p7xmVTb5mnBOPmp9YAONcoYG5GbRRGZT45OLYxf6Fl2 wtkvJe/GYgOU1yRPNbFH1yfydyk5lvNjGYuuho6MiGbXGoWYbHFhES4kuLME/F8Q4aQZ pUbAiSKtoBPKuIAd+qbfGj5WdStjtDVNH8hF/LZuGv3Q5mBmq+xuIjH8ayyxdFWffHPj SQ99kiHoCrTLitaZJMGp46ubVwJQ8NM2oI/LIPWGeZ2FCOxE1fYxY4aXU3wsKssG+Vki RaYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :mime-version:dkim-signature; bh=lo/JvVTQE4I5wGCfn1vSplMk3xnMhXABB2NqHLEsaQA=; b=rRNOJvSiX7M7imythyGb9OBfTjdjURwcnNmeRJyexwRk32cPIwu+txO2d9AMYC4nPG fBbBEiy5b7dyl0F4rXEjuwRR5wR2K+c99HxVnC0EF5ZWn0X0g2lWr4U4rS3wbml7MGE7 8h6ssENi0yYoXGx6DCCctwcWTNZiQpDO1zoP3mLRuvrp3P7RoD69sMaPhLogKMADvAM7 ljooqzt2bSe2NYbh/tVfKJKhk9dHtcZSkfpZXU8Nu/1YnUHz9tfdmedUguWTCSRHDFqG AF0LBFf7Q+MQHs215e4X+7CoJeNj4qil71ZrQq3BHSjAHhXMWF5czDjRyCzHsDWx+Af+ 9lyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=U6XmUlHD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j9si18017892plk.359.2019.02.28.14.10.20; Thu, 28 Feb 2019 14:10:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=U6XmUlHD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729671AbfB1V2z (ORCPT + 99 others); Thu, 28 Feb 2019 16:28:55 -0500 Received: from mail-it1-f182.google.com ([209.85.166.182]:33306 "EHLO mail-it1-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729540AbfB1V2z (ORCPT ); Thu, 28 Feb 2019 16:28:55 -0500 Received: by mail-it1-f182.google.com with SMTP id f186so8743638ita.0 for ; Thu, 28 Feb 2019 13:28:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=lo/JvVTQE4I5wGCfn1vSplMk3xnMhXABB2NqHLEsaQA=; b=U6XmUlHDnLJfCGWgF07dSdGO071uAEjd33/xkwWOT1c9407Jc1lDOhN4sQ7d5YMebu ewTrnSzJsbd0J8Fem0bcH/R68GjBUeknJY5aeeMG0jdeoAAFGI/lgkpXFBSRegmI+mI+ XI7k9cy2L1gx+tpq/F6cnzvq031ciUz9nEsyVf2XEmUrGlbUOHSxBkfBl6QLsGtz1NpG YAepPzkkDEdwsUgM+E1S3siWB1JIiho67SCv1AZJTfotaSEUzpJuG0xei77+d9kdTKa5 yfqnPi49ta4thwL6FCHOXP3iMKuj5Zaq8ue2P7AqaQL3WlVO89kdOxyC6L+eO+kOam6/ IQhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=lo/JvVTQE4I5wGCfn1vSplMk3xnMhXABB2NqHLEsaQA=; b=Fi6wM1+NM5kDs9mQTgeEafd04dC5HeZY/hfPR51tC82pYKIBbSUwcEJBufgCU9NR3f OQdY4IAwN+t0RjOhNQX11N/h7gTKSDC7GZA0guTAhxqp6aoz/5n8N93hY2UjhmypWsv/ m47qIXYXuyPeUaO2/os8k1gR5wmMJzR0WyOC4o1Dq6amMwOmSx3XS02YL988NA8BH211 Dj7H/C2OoOYDmhJEfACOAu2s3idILbDLKuLGeGwfR9+h579u6C3nPg3KxS7kVFec9APe /NlH5MM+o+biHfqyqnE65QSPHrJr21SsCm48eFpAxyTKNSGrUhZrjZl8bod5v4GlxNrX TqvA== X-Gm-Message-State: APjAAAXKaGMxPDDcmPO7zBYYcD4TtdRgtf6Qx7E+mPNBFyvD9Gak7czy WBojUZgT7xKc3jyIf2gK/LhXsXdfBTbghQc5I4Vl+J09uiSvgg== X-Received: by 2002:a24:7908:: with SMTP id z8mr1381172itc.16.1551389333486; Thu, 28 Feb 2019 13:28:53 -0800 (PST) MIME-Version: 1.0 From: Matthew Garrett Date: Thu, 28 Feb 2019 13:28:42 -0800 Message-ID: Subject: [PULL REQUEST] Lock down patches To: jmorris@namei.org Cc: LSM List , Linux Kernel Mailing List , David Howells Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi James, David is low on cycles at the moment, so I'm taking over for this time round. This patchset introduces an optional kernel lockdown feature, intended to strengthen the boundary between UID 0 and the kernel. When enabled and active (by enabling the config option and passing the "lockdown" option on the kernel command line), various pieces of kernel functionality are restricted. Applications that rely on low-level access to either hardware or the kernel may cease working as a result - therefore this should not be enabled without appropriate evaluation beforehand. The majority of mainstream distributions have been carrying variants of this patchset for many years now, so there's value in providing a unified upstream implementation to reduce the delta. This PR probably doesn't meet every distribution requirement, but gets us much closer to not requiring external patches. This PR is mostly the same as the previous attempt, but with the following changes: 1) The integration between EFI secure boot and the lockdown state has been removed 2) A new CONFIG_KERNEL_LOCK_DOWN_FORCE kconfig option has been added, which will always enable lockdown regardless of the kernel command line 3) The integration with IMA has been dropped for now. Requiring the use of the IMA secure boot policy when lockdown is enabled isn't practical for most distributions at the moment, as there's still not a great deal of infrastructure for shipping packages with appropriate IMA signatures, and it makes it complicated for end users to manage custom IMA policies. The following changes since commit a3b22b9f11d9fbc48b0291ea92259a5a810e9438: Linux 5.0-rc7 (2019-02-17 18:46:40 -0800) are available in the Git repository at: https://github.com/mjg59/linux lock_down for you to fetch changes up to 43e004ecae91bf9159b8e91cd1d613e58b8f63f8: lockdown: Print current->comm in restriction messages (2019-02-28 11:19:23 -0800) ---------------------------------------------------------------- Dave Young (1): Copy secure_boot flag in boot params across kexec reboot David Howells (12): Add the ability to lock down access to the running kernel image Enforce module signatures if the kernel is locked down Prohibit PCMCIA CIS storage when the kernel is locked down Lock down TIOCSSERIAL Lock down module params that specify hardware parameters (eg. ioport) x86/mmiotrace: Lock down the testmmiotrace module Lock down /proc/kcore Lock down kprobes bpf: Restrict kernel image access functions when the kernel is locked down Lock down perf debugfs: Restrict debugfs when the kernel is locked down lockdown: Print current->comm in restriction messages Jiri Bohac (2): kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE kexec_file: Restrict at runtime if the kernel is locked down Josh Boyer (2): hibernate: Disable when the kernel is locked down acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down Kyle McMartin (1): Add a SysRq option to lift kernel lockdown Linn Crosetto (2): acpi: Disable ACPI table override if the kernel is locked down acpi: Disable APEI error injection if the kernel is locked down Matthew Garrett (7): Restrict /dev/{mem,kmem,port} when the kernel is locked down kexec_load: Disable at runtime if the kernel is locked down uswsusp: Disable when the kernel is locked down PCI: Lock down BAR access when the kernel is locked down x86: Lock down IO port access when the kernel is locked down x86/msr: Restrict MSR access when the kernel is locked down ACPI: Limit access to custom_method when the kernel is locked down arch/x86/Kconfig | 20 ++++++++++++----- arch/x86/include/asm/setup.h | 2 ++ arch/x86/kernel/ioport.c | 6 ++++-- arch/x86/kernel/kexec-bzimage64.c | 1 + arch/x86/kernel/msr.c | 10 +++++++++ arch/x86/mm/testmmiotrace.c | 3 +++ crypto/asymmetric_keys/verify_pefile.c | 4 +++- drivers/acpi/apei/einj.c | 3 +++ drivers/acpi/custom_method.c | 3 +++ drivers/acpi/osl.c | 2 +- drivers/acpi/tables.c | 5 +++++ drivers/char/mem.c | 2 ++ drivers/input/misc/uinput.c | 1 + drivers/pci/pci-sysfs.c | 9 ++++++++ drivers/pci/proc.c | 9 +++++++- drivers/pci/syscall.c | 3 ++- drivers/pcmcia/cistpl.c | 3 +++ drivers/tty/serial/serial_core.c | 6 ++++++ drivers/tty/sysrq.c | 19 +++++++++++------ fs/debugfs/file.c | 28 ++++++++++++++++++++++++ fs/debugfs/inode.c | 30 ++++++++++++++++++++++++-- fs/proc/kcore.c | 2 ++ include/linux/ima.h | 6 ++++++ include/linux/input.h | 5 +++++ include/linux/kernel.h | 17 +++++++++++++++ include/linux/kexec.h | 4 ++-- include/linux/security.h | 9 +++++++- include/linux/sysrq.h | 8 ++++++- kernel/bpf/syscall.c | 3 +++ kernel/debug/kdb/kdb_main.c | 2 +- kernel/events/core.c | 5 +++++ kernel/kexec.c | 7 ++++++ kernel/kexec_file.c | 56 ++++++++++++++++++++++++++++++++++++++++++------ kernel/kprobes.c | 3 +++ kernel/module.c | 56 ++++++++++++++++++++++++++++++++++++------------ kernel/params.c | 26 ++++++++++++++++++----- kernel/power/hibernate.c | 2 +- kernel/power/user.c | 3 +++ security/Kconfig | 24 +++++++++++++++++++++ security/Makefile | 3 +++ security/lock_down.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 41 files changed, 466 insertions(+), 50 deletions(-) create mode 100644 security/lock_down.c