Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4544463img;
        Tue, 26 Mar 2019 11:29:47 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw60kyn3J02ftH4o3i9rsfNLCSYPqR4qGJz644FtAeqkofu/FTKmAmCMAbgR1aPAjDDp1He
X-Received: by 2002:a17:902:2963:: with SMTP id g90mr32976567plb.182.1553624987591;
        Tue, 26 Mar 2019 11:29:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553624987; cv=none;
        d=google.com; s=arc-20160816;
        b=sSgItNlGgbRQC1CHJCcTuP+g0M+K9a8Qce8LP9izR5nFlp9HDabQYpLXz2Qx5jhy6H
         S9oWoDJtBQgAMAeNmLmKYcKV1Xsyorwx25ARc+R+G5freJ5xkfjYAd3U3EVrq/uE27ZJ
         GDrgi0LO/ThtkKLtjL+FFx5jsiH70HpiUS268xzkcxatlG/y7xm2NsBGw6ZLGqPqS2QK
         P89DVJxYScnqsrGAFfcv6lUb+WBxwhegKy0BDoYgqRnKZgQKMcQdFfAsRYK8CK71VI+7
         rFHKphnXCRgJAYDFdAt7Ml2MzRSmw2MGt8/fU9ERfQ7oMTErHaMsXjnRaK3+V6Qmopvs
         W5Ig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=;
        b=I6JcT0sYahiIWEOPZzCg0nv3eR3MDK3MokFg+uiusv9la6DNUwZKnGKFccoUSBpHlI
         L9JdPos/ZhRM1qvPXHTidJ70JvqduxwdRqa8sHTs+BX7HPIjEdGx1gqHctT2omQJnu8U
         943jIpU9sOyAG+SZggt0xxlkZ5vxz2lHrcsZRmlMf55cNGo4XtjbXBGpaH9N2DKRDeOb
         Vsr3t5dh9qCpP4zMiwKZglk9yRM8jZ0FbNF/deUzUShmlYXom/Ve3WARCMm7FTmQK1Q/
         rf2C5S0tGYIFjJmHNt0iEz/3SiOI2lpEVqqz7sLnukk+sfL5hTLxysPRNFrOlgb9vin8
         7pGg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QSA3jV9B;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m10si4041896pgi.417.2019.03.26.11.29.32;
        Tue, 26 Mar 2019 11:29:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QSA3jV9B;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732742AbfCZS22 (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Tue, 26 Mar 2019 14:28:28 -0400
Received: from mail-yw1-f74.google.com ([209.85.161.74]:37389 "EHLO
        mail-yw1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732726AbfCZS20 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Mar 2019 14:28:26 -0400
Received: by mail-yw1-f74.google.com with SMTP id x185so19969069ywd.4
        for <linux-kernel@vger.kernel.org>; Tue, 26 Mar 2019 11:28:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=;
        b=QSA3jV9BWatdGl7hVSyhHwxLAxTneVkVg14uAJ/VF/6Frih2P7oXfTEv9kMP9G6XvB
         HEOGTc5uUxEQVWGmCh16CeR2IwnyK1KEWe+pwfhYfgXyj7bxXTdw9tKhsEjRGPG6ArGf
         qjggUxIgwpRtfAPv2l9cbaEcSWEgwDoxZkkEkMYKJh+bakWOkmpkPFLrGS1LnsvYGQuo
         Wh2GSZNqJwd+KUkfQlegDvzkqx/b3gLT9LlY1/YbcrJdfresNx4cOhRBgKV40TW1CyVL
         y8hFknGmWJARHvfiwFgL/XqzMwUY7qIZmWfCXy3Y6k4nk5qc1EVpbSGWzm9iUJ2bhVMd
         QkwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=;
        b=azma4+XaGVZbU+es5nEzMKAY/0wN41+ooo8J8qolXH9nZdQIGymWWbuHXqXK9ZbHDP
         0pqnsuyz0l7fsmC8+FP8xfw1XAH4BiXJ7rIoKQ4i6BWX5Io78XlOxMrABc6Ef3d98YM+
         PiENffw+1sGlIur7+kaZ/zWv+H9cWP3dH2T6fEU8DeVFtPwid76wdeAJXvUvDqHZ+k/r
         qM3kv1chvbsNV8+7x58mwmgUaXisTnhiwiGy8OllyCsCFAVW+0aef5EoqSoPK2MthNR4
         r7hgeNTN9Z6SnfIko/4RQloQONM6RfFdbyD899M/MHQZ+iEyMmmYe6HYyzd9RJp1krXz
         Uutw==
X-Gm-Message-State: APjAAAX7fewpqZowlYcY5kl53U0A/pEP+cshLPHhs+Zhw/yY0vJYW7dZ
        sjUwFoiZZYl9S71BKC03ocN89k8T6+FJf1Ggq07YXA==
X-Received: by 2002:a25:1d04:: with SMTP id d4mr2412901ybd.517.1553624905627;
 Tue, 26 Mar 2019 11:28:25 -0700 (PDT)
Date:   Tue, 26 Mar 2019 11:27:28 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-13-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190326182742.16950-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH V31 12/25] x86/msr: Restrict MSR access when the kernel is
 locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        linux-api@vger.kernel.org, luto@kernel.org,
        Matthew Garrett <mjg59@srcf.ucam.org>,
        Matthew Garrett <mjg59@google.com>,
        Kees Cook <keescook@chromium.org>,
        Thomas Gleixner <tglx@linutronix.de>, x86@kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett <mjg59@srcf.ucam.org>

Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode.  Based on a
patch by Kees Cook.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
cc: x86@kernel.org
---
 arch/x86/kernel/msr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 4588414e2561..731be1be52b6 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
 	int err = 0;
 	ssize_t bytes = 0;
 
+	if (kernel_is_locked_down("Direct MSR access", LOCKDOWN_INTEGRITY))
+		return -EPERM;
+
 	if (count % 8)
 		return -EINVAL;	/* Invalid chunk size */
 
@@ -135,6 +138,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
 			err = -EFAULT;
 			break;
 		}
+		if (kernel_is_locked_down("Direct MSR access",
+					  LOCKDOWN_INTEGRITY)) {
+			err = -EPERM;
+			break;
+		}
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
 		if (err)
 			break;
-- 
2.21.0.392.gf8f6787159e-goog