Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp85596ybi; Thu, 20 Jun 2019 18:24:00 -0700 (PDT) X-Google-Smtp-Source: APXvYqyfZOJi0bhUEDsRFJltagfe0K0nGZqVP3CmfVJMe1uw07KW+COk3KNmeSxlcv4HsldRloQy X-Received: by 2002:a63:490d:: with SMTP id w13mr15656531pga.355.1561080240192; Thu, 20 Jun 2019 18:24:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561080240; cv=none; d=google.com; s=arc-20160816; b=Gd9Xq2zvdH1yoAUa7oLcLkowWBMIIROhkD+KmFseWGf/S7u1mKL7EmVFy4r//UgBqc Pnsab42J0CTAA9dHmfvUxmRrlOHit+uaf6OugaEHenBITsWTZ0OGAVIlBauLdiFhHMKo 8uLsPhanbCbT5btnq2dRdP3MvH3F8x2xzI9Udxg0czdFJ5+Qouxf0mcDtbwLpdTiOaAH q3OC5syJ4sKZH7UHkCtvDNueKCnfYdNEpjLTU2TXYMMu4y2qfJ1jIpQTGWDk+I8KIrAZ 0yA/1Fki43wAsYJvIMeXv5JyWkpxGoIQZ43Rz6WjQGwKH+LLVHW2YC2mr3e7dIf8f2Dc /Qow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=NgELRMteSmX1KpxuaMDKOBuc0VBFM90Hd4coc/TmqVU=; b=sgg0vXWYtpuuPyuLp6Q6Lh3SJXIq9PZCFb4aJhm/FX8gCr/hwQkZ0kw63XI00GMGu4 nSpCrO31fRrKivhsb/T41QwSiGxt8LoLNtu1EYKsoYiJDocjQwf0ziHkgAMxqaIs9xRR sT5EN6X5Bsrnz/q8HdCOZdOzNFGiBsYPusTibWGC3I3IPn9GPJnV03LKnJ2i0ZOisymS ntF4lwXXw2/pjnXzpYDlTtaX5rxdcmO86W7cembVfKgBrnMfhcDJQ1AcaIfXu85uhalf 3ofFP8FqQFXLH4WvOVLVTHCY3b1Nrb1HEvHLlrXCLHYeCjjP6iI+Yp4SwxlyRoOHuWS/ IIfA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ACSqKMI7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q12si1074116pgv.225.2019.06.20.18.23.43; Thu, 20 Jun 2019 18:24:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ACSqKMI7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726466AbfFUBUF (ORCPT + 99 others); Thu, 20 Jun 2019 21:20:05 -0400 Received: from mail-pg1-f201.google.com ([209.85.215.201]:43860 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726420AbfFUBUC (ORCPT ); Thu, 20 Jun 2019 21:20:02 -0400 Received: by mail-pg1-f201.google.com with SMTP id p7so2971112pgr.10 for ; Thu, 20 Jun 2019 18:20:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=NgELRMteSmX1KpxuaMDKOBuc0VBFM90Hd4coc/TmqVU=; b=ACSqKMI7rVvJrlydZWykRsEZ0OCQUb++cj7uLN+4lQThNhHP3k3PG9zYi37SyH9Dpn rd2VqHFnVXRkQl9OcOSg70pc13+aZIlScD9U8dcWo2cnsffi9SMnRtCCLkwSJ0mOuUL7 HxS13GpMnI1s5UUVef6KmTow2HmUvlz+z2/jwv6EB2+Vd+0o+rxbiAQ7aKx0ceJZlWUx 08Bf4/6Jk9EOtgPklFeXx8UuKWqzGkRSE0Bi3XuuN4S6b9RjFN4tCcO2oRFCm8p1OFSu JrFkr9Y8BMSFxcV1Zw74qQw28i5Vn+1ZzPo8Kme5IKT7/nwJUbJ5w2XPDlwhLIPqRESj ANTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=NgELRMteSmX1KpxuaMDKOBuc0VBFM90Hd4coc/TmqVU=; b=Zo1Br3+rl9H+QXxY220oyhFnhRlzPYVCzTohlIm6glAZlXF9lTBLOmxXn+FabZyVJF ync7FOPWlaaHg2E50yGSZrq/z82AamZ+5tZqBfHjpxGUeoHiwyHxQbjSp5HtDZ0V+du7 eC5utB/mKmdRvmH3BuRMhpPDEN/gRUhQHPy5XDU7eVIJ2gljEE8u3caJR8n05uMV7t/D vSFc2fGvU+9E2rtvFFiSSdRCEx34Px7HzuQwsj5ui2atBt1gk+bP1Yr+L8Rt8aEDKhRe svuzPUSh8/HKcn5kEf0OvFVOITsa4JbyqRxMl0DSl+gXYHK83tcnkFKtMu+91mf9HUpL vVvw== X-Gm-Message-State: APjAAAW0kYXcv1dECspyIT3JEqbrJKzaxQcsuXITQ4woF+NtmC5TPZn+ fkD+Q8HIE+JeGDt87vc7AyOA6EhGwzsDEdbJnH+21g== X-Received: by 2002:a63:5a4b:: with SMTP id k11mr15535306pgm.143.1561080001656; Thu, 20 Jun 2019 18:20:01 -0700 (PDT) Date: Thu, 20 Jun 2019 18:19:17 -0700 In-Reply-To: <20190621011941.186255-1-matthewgarrett@google.com> Message-Id: <20190621011941.186255-7-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190621011941.186255-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V33 06/30] kexec_load: Disable at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , David Howells , Matthew Garrett , Dave Young , kexec@lists.infradead.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Dave Young cc: kexec@lists.infradead.org --- include/linux/security.h | 1 + kernel/kexec.c | 7 +++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 034a8d54687f..2d3c69b9fd04 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -84,6 +84,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_KEXEC, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/kexec.c b/kernel/kexec.c index 68559808fdfa..040819d7b11b 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -207,6 +207,13 @@ static inline int kexec_load_check(unsigned long nr_segments, if (result < 0) return result; + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (security_is_locked_down(LOCKDOWN_KEXEC)) + return -EPERM; + /* * Verify we have a legal set of flags * This leaves us room for future extensions. diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 43a049b3b66a..94af1c3583d8 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog