Date: Mon, 15 Jul 2019 12:59:26 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-10-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
Subject: [PATCH V35 09/29] kexec_file: Restrict at runtime if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-api@vger.kernel.org, Jiri Bohac, David Howells, Matthew Garrett,
    Kees Cook, kexec@lists.infradead.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jiri Bohac

When KEXEC_SIG is not enabled, kernel should not load images through
kexec_file systemcall if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch
 and to return -EPERM if the kernel is locked down for consistency with
 other lockdowns. Modified by Matthew Garrett to remove the IMA
 integration, which will be replaced by integrating with the IMA
 architecture policy patches.]

Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Jiri Bohac
Reviewed-by: Kees Cook
cc: kexec@lists.infradead.org
---
 kernel/kexec_file.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 875482c34154..dd06f1070d66 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -228,7 +228,10 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = 0; + ret = security_locked_down(LOCKDOWN_KEXEC); + if (ret) + goto out; + break; /* All other errors are fatal, including nomem, unparseable -- 2.22.0.510.g264f2c817a-goog
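Review bot: the new `ret = security_locked_down(LOCKDOWN_KEXEC);` in kimage_file_prepare_segments() carries no comment, so a reader of the code alone cannot tell why a path that used to end in `ret = 0;` can now fail. A short comment above the call would help, saying that this branch is the one where the image is accepted without a verified signature and that a locked-down kernel must refuse it; the explanation currently lives only in the commit message. The success case also now depends on security_locked_down() returning exactly 0 when lockdown is not in effect, since the explicit `ret = 0;` is gone, and that is worth stating in the same comment. Finally, the commit message says the restriction applies "When KEXEC_SIG is not enabled", but the hunk does not show which configuration this block is built under, so please confirm the check is reachable in that configuration or reword the message to match where the check actually sits.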