Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2699870ybi;
        Thu, 18 Jul 2019 12:45:26 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw1h6lksA4W4cZN8N3IDlu9nYbbxq34GRXfmf0kgiHvTBisqHK7Yd7JvItbV8oT0WQESeRw
X-Received: by 2002:a63:fe15:: with SMTP id p21mr50005843pgh.149.1563479126003;
        Thu, 18 Jul 2019 12:45:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1563479125; cv=none;
        d=google.com; s=arc-20160816;
        b=zXWSXKRpgPHS2eoo510CieHspzyax/5vr2FvXO6xLT6EqdbxyiUKrwmt8OGzdCASZt
         MdtISy7svVHr+yA8VRZi6dnabt95jQY+qylgX1uC3LN9sUxvVGZEsgje2B/f3jut88Tv
         nH8IEwcVh4WpXnMmiMF7XC5azoHmvX55zxQ4hDJwtVH4TpDhI2VeiblBO6fZbQYn7i6L
         q8JzPFKep6XPPIg2yqQb4cvRStpUdGgXlej8dd5zh6m/hzfkr/udDNi7aqLGXwjDYRxp
         l9nUMQaPsqCpttPW1FKYX8Ks8O3Q4Aya6Yi0DRtMCVvbiVzM4RZmqAhNVghiHCQrK7nM
         D4Kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=eu667FWqsyv1eiS+2MgLd1pI1Yi90NnjxQ1QKJHeSZs=;
        b=IvzB+YSz1A+ED5vp46Ozpv0SinkaraciUbcpGpK2bqLShdLYrkNQrO+Gon9z900cEM
         Y8HDHDHupRH8PdxlFg6u/tCUXNyk07VoZ1pg/OulJ3cgQJZnym5s4EmevSVmWVExV3R1
         +UyWc0uHXRN8/7M9pq/anDs5oKFsoRVMK3v6P0XNOZ/NrDVjEjR1hnV8dZvDVqWy0TMH
         8vt7dJQAvBozi8orn27f9a1VnCgwGhkiX18JMIexTh3FWwXtiPey5EleLQRJyqw8Pvoa
         o27tx6eqI4UorU/zy1BNDxWkNTvxs/aQ2WnzrMLmsM3kxIxhg9ojEYrjS47t64cjaREH
         msNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ohrtYog4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 7si3097553pfh.38.2019.07.18.12.45.10;
        Thu, 18 Jul 2019 12:45:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ohrtYog4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2391573AbfGRToi (ORCPT <rfc822;speed.demon0047@gmail.com>
        + 99 others); Thu, 18 Jul 2019 15:44:38 -0400
Received: from mail-pg1-f201.google.com ([209.85.215.201]:53876 "EHLO
        mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2391523AbfGRTof (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jul 2019 15:44:35 -0400
Received: by mail-pg1-f201.google.com with SMTP id t18so7274904pgu.20
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jul 2019 12:44:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=eu667FWqsyv1eiS+2MgLd1pI1Yi90NnjxQ1QKJHeSZs=;
        b=ohrtYog4gGPeInnSgPNEoQxrDXPaBrUloNn0kHObJFwMww/WL/1QitIjfRTdQ7Io3l
         3SFmno+zU0LHqnjj1iwf/EcXC0mkATM1jwJSktN3EWogC7qhjF9T+4Vc2XXS/dPtmlKX
         mz5jQECVWQ2KxykCHqcx7Q4Oj8ogBpTDoACnxdCUgqa3Ot4HPl0AkiJXF4fk6mY7//oL
         7PbCHo+Yh6dVRTJvVO6GMzSfDJ2XD8gX5qc9TCAmUHKXJA2d2DOUhz+oq/Fg4W64rGof
         PvjyvsAmKWx9isgpl4njBFhx7acc40bmEcgvG4s2a7Usp9NXUY50lVDgZ8lf+u3ipVh8
         +y9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=eu667FWqsyv1eiS+2MgLd1pI1Yi90NnjxQ1QKJHeSZs=;
        b=dH8yRuJCKUL4pm6SBJD4o9eb/maSKjy8wEYmSCpk/ZqyqyeJ+cUiGj90ugs770ydk0
         4QdBfj3pWQv3eHN/CPopnqb58G964JO6b243iW99SMUhoImh4GaOkDKOC7erEb4tTZ+5
         kkP6jtFkk53knP2NzwLGbGP1HQLFpDH2kD2xcKNFb0e9+/C/b4G8BpcPJZUELFvcZI+b
         zNpJ+64TjR8gBAQz0skkqE0U1nMTjImcw0GWePb8fhlnrxCru8uDYIP0rfBTdGuQKD+b
         flxrPxDcoyw7FylpcgvnY11NZ/5B+sEMkuGFt6ccpa+kZf4CWfJ4We6U5OYR34P3yVxd
         FP2g==
X-Gm-Message-State: APjAAAWRVraNksknDHayYg3LbYqJFle8wmnLfou0GqD7w5GsPy63CE1h
        /SP/2sEUxr7+6HGzTiD9p6yw3F96THh15Xu9fmlseQ==
X-Received: by 2002:a65:500d:: with SMTP id f13mr48703316pgo.151.1563479074121;
 Thu, 18 Jul 2019 12:44:34 -0700 (PDT)
Date:   Thu, 18 Jul 2019 12:43:52 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-7-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190718194415.108476-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog
Subject: [PATCH V36 06/29] kexec_load: Disable at runtime if the kernel is
 locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
        Matthew Garrett <mjg59@srcf.ucam.org>,
        David Howells <dhowells@redhat.com>,
        Matthew Garrett <mjg59@google.com>,
        Dave Young <dyoung@redhat.com>,
        Kees Cook <keescook@chromium.org>, kexec@lists.infradead.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett <mjg59@srcf.ucam.org>

The kexec_load() syscall permits the loading and execution of arbitrary
code in ring 0, which is something that lock-down is meant to prevent. It
makes sense to disable kexec_load() in this situation.

This does not affect kexec_file_load() syscall which can check for a
signature on the image to be booted.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Dave Young <dyoung@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: kexec@lists.infradead.org
---
 include/linux/security.h     | 1 +
 kernel/kexec.c               | 8 ++++++++
 security/lockdown/lockdown.c | 1 +
 3 files changed, 10 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 9458152601b5..69c5de539e9a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -105,6 +105,7 @@ enum lockdown_reason {
 	LOCKDOWN_NONE,
 	LOCKDOWN_MODULE_SIGNATURE,
 	LOCKDOWN_DEV_MEM,
+	LOCKDOWN_KEXEC,
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_CONFIDENTIALITY_MAX,
 };
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 1b018f1a6e0d..bc933c0db9bf 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -205,6 +205,14 @@ static inline int kexec_load_check(unsigned long nr_segments,
 	if (result < 0)
 		return result;
 
+	/*
+	 * kexec can be used to circumvent module loading restrictions, so
+	 * prevent loading in that case
+	 */
+	result = security_locked_down(LOCKDOWN_KEXEC);
+	if (result)
+		return result;
+
 	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index d2ef29d9f0b2..6f302c156bc8 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_NONE] = "none",
 	[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
 	[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
+	[LOCKDOWN_KEXEC] = "kexec of unsigned images",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };
-- 
2.22.0.510.g264f2c817a-goog