Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4544908img;
        Tue, 26 Mar 2019 11:30:20 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxDVXmmtdkUUECOA9KBkNmVq6GKm7JzPzmM8i0LvkN6m+nSXZpC0jE0jb92NO3T32JrlHc0
X-Received: by 2002:a62:1cc7:: with SMTP id c190mr9774580pfc.246.1553625020013;
        Tue, 26 Mar 2019 11:30:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553625020; cv=none;
        d=google.com; s=arc-20160816;
        b=HwxQDzE/sNoawqoWrp8JTgabmmW7S44mA67KrT/j1kpMsJx/YyiDlfUFj4Wvhex+aY
         CBjh2yC+Bwy4oCsQM4sK16kAhwpUXBBWRpd2zIyknCtdmZ58tgRGaOAzKOcG6IoKZiOQ
         18VoEpWuklIRVAjkPEL7atMoVed/WiHcmLUselebfMf7hciphh2R/UmhPYFPO36wvEn7
         qjmRkBwCUvJhTtR/6+Wf0oc3+XVkDukKC09mG2eCBrI4flF5wbUzR+kU3clT3BxobFZt
         /l2ew4G/OjbfMdm8/UEIC9GV2s7MmEIKiLXZj40ibMek82jbuOhUVppeUFphVblA0wac
         D3jg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=IoXKM0YaE9Y+1YAYJ3jkE86oI9WuPOYgAsUS7wsInCs=;
        b=eDTRORjvCByLoAg4QDwd+MWi3XrRZ6rj14DmE0wr9euWGbgMtet/9upOKYvilzk6Gw
         gCJRsf9UVUYvPWye+ItQXQiTmUQao5Cr6lyMjWfLnYa1HYkOSMCzG2dz4Sl4LYFSNiDm
         PP8vn6XwaIpDrVxajlNws4sYy1lvxwvigScb2HSTrE4blTihB3nRPeOzRu9kUtyZJwjF
         q64CrxqSqrCEnRgCwo89WbNCRsvf65iGnhEPx/ffMZaCY8Mqk2/UjHEfhr5GeNHT7XqK
         4uCObs9hWWYsnAYb7NPtVcLvob26gx+GaztisiOig08r5NNuXG1PvIFyyV8a1PvaASOm
         TQxg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=kKv5y01A;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k7si10118232pgq.74.2019.03.26.11.30.05;
        Tue, 26 Mar 2019 11:30:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=kKv5y01A;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732922AbfCZS3F (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Tue, 26 Mar 2019 14:29:05 -0400
Received: from mail-oi1-f202.google.com ([209.85.167.202]:50515 "EHLO
        mail-oi1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732899AbfCZS26 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Mar 2019 14:28:58 -0400
Received: by mail-oi1-f202.google.com with SMTP id x125so857811oix.17
        for <linux-kernel@vger.kernel.org>; Tue, 26 Mar 2019 11:28:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=IoXKM0YaE9Y+1YAYJ3jkE86oI9WuPOYgAsUS7wsInCs=;
        b=kKv5y01A21+36GWT1D4YyTFV1FMwIxaRgmZ3DkG7OUNg1kOgHEFkifuJwfBADEAl9r
         UlrestlL5PTDbdz6BL4gJKhnoOiL1vt6dr3ZdGRhdBSNCWdatU+k6Gy8qNWZ8Fgoq+cp
         kt6JGA6vd9D1HMp1m015CDo9jp4DqGO8Z74WjSl6r2+IwhvaZfdS/iDxhepP7yVB2vYB
         pZ2hOElr5UfIyrvrEG3cWvVCW8h/vbp0iVdw4EvRzjyGPIHw2gzZ9ejJQczvsuqGkRn4
         k3vQ6Ka5ApjuDBzlYiMO2QHGnjvPuRgtounl5Od9RHGDOsC40Fg7QEqqHostyWFT5ZvV
         VewQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=IoXKM0YaE9Y+1YAYJ3jkE86oI9WuPOYgAsUS7wsInCs=;
        b=tU35xsIMncbwyZiZQplJVzlDx3b6aDqL3zqkUopK3YZYE0lhMlrQGXZ2dukEWdY8Mt
         biPO+BEgamIk2MEdehogPgC29xa70oGki53RaIRjT/N3Y6EtiWFPJVksZqrmn7KBT4P6
         04AiO/rm03XuzrV65s176n5uMzDSsodZVG8KlTqSdJu6L8SVOVDMCEUmyVqtJbgnPf43
         y1FQ+mqwSyWwII9rjSRiqIlJQ1PL1Ye+J+tiER8KSBdAT/2nDqhhEZvt3zDhgJa2AyOZ
         0A5ix5eDkpdlSNfJZ/1KTYxlQE0ASH7adByhaMB5esg9YB4Mx3qM+Si6uytCZuj9RTsb
         bOlA==
X-Gm-Message-State: APjAAAXxmlWEyQf9OVd47GVT8NcZOM/hsTJovX/p8kSRCV3skKig7N6v
        GgFFzgNLiKj96ANqVRzYFFW5bnJFFcTKW4cbtC//4A==
X-Received: by 2002:aca:4b56:: with SMTP id y83mr16163700oia.63.1553624937594;
 Tue, 26 Mar 2019 11:28:57 -0700 (PDT)
Date:   Tue, 26 Mar 2019 11:27:41 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-26-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190326182742.16950-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        linux-api@vger.kernel.org, luto@kernel.org,
        Matthew Garrett <mjg59@google.com>, gregkh@linuxfoundation.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett <mjg59@google.com>

debugfs has not been meaningfully audited in terms of ensuring that
userland cannot trample over the kernel. At Greg's request, disable
access to it entirely when the kernel is locked down. This is done at
open() time rather than init time as the kernel lockdown status may be
made stricter at runtime.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: gregkh@linuxfoundation.org
---
 fs/debugfs/file.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 4fce1da7db23..9ae12ef29ba0 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -142,6 +142,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
 	const struct file_operations *real_fops = NULL;
 	int r;
 
+	if (kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY))
+		return -EPERM;
+
 	r = debugfs_file_get(dentry);
 	if (r)
 		return r == -EIO ? -ENOENT : r;
@@ -267,6 +270,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
 	struct file_operations *proxy_fops = NULL;
 	int r;
 
+	if (kernel_is_locked_down("debugfs", LOCKDOWN_INTEGRITY))
+		return -EPERM;
+
 	r = debugfs_file_get(dentry);
 	if (r)
 		return r == -EIO ? -ENOENT : r;
-- 
2.21.0.392.gf8f6787159e-goog