Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6479004ybi; Wed, 31 Jul 2019 15:21:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqzMM6jNlexfH75Gy5274S3TL2+LEodSTQfrwAyMBedaubl0T8jSd+WETtPMAMp0oBdsC4Tj X-Received: by 2002:a17:902:2ac7:: with SMTP id j65mr123614663plb.242.1564611685889; Wed, 31 Jul 2019 15:21:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564611685; cv=none; d=google.com; s=arc-20160816; b=eSWIsoSQUQuZiyrL/ZAxLRYrBUlquKE62c7Vim1t3Hlg5eONz1WXHLj37Erih/0fYc uWXFFIlrQzdklwOeio68zhoZom9gWAjjbauNCWvT7bfkCQrz9F0iU7/W8MZyO1HgBv7g yqXP0oeqTmM/P/TWQFsJpseoIlWvgAJgNnhluiPw0y43nlcbQIZZGNMFCuxzNyOuwbMW HttekBCk9+YY4PDLqYkITGCOlejQu3po5jJm95R+nmLGwZTeBmNuwh8U+Mj2H3J/cHzp hwlLihzgqsuHo/YY0W8/y44KemsD8QUxhbKxrJVmxhwl24B1PxwzNiFf7zSHoWhOWVDR gm/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=gySahCCzgGb/Q58L8c20Lrjjix8qIZkrCOd+PLUQfB8=; b=QfzmJjFNesISZW0e+3mVoVr9gjlVcrWj7StFuCLqp0Ng//F5pCYQxgHZ5NItMI7QWP gUkZXTzNTXwq6toI2MyCQVXyuvpGA0lFXG6mLpy5ZhEJ9+X+T30NHWL8pNMVXK/lMc7T LeWbsfXJm12DMvbDzkwyxYv3VWmpWZ4Bcyc34UDn23scZl/p2EsswSnDsheA/WurhiQn jikJZpDVrZQ59EXjUpc/YfOaPSS6pbC7Te/ecmQoMVS8SfMZFnDbG4CmEs2DJOd6PmlU cqQEHpf8/4w9Ud4eR54y4rrPyzplJH8TmaPiNEV86hsorgHe7BcShlPNAYSQLynt35JV N/nw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=cmIx1daq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q191si31725578pfq.63.2019.07.31.15.21.10; Wed, 31 Jul 2019 15:21:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=cmIx1daq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731237AbfGaWQw (ORCPT + 99 others); Wed, 31 Jul 2019 18:16:52 -0400 Received: from mail-ua1-f74.google.com ([209.85.222.74]:35907 "EHLO mail-ua1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731235AbfGaWQu (ORCPT ); Wed, 31 Jul 2019 18:16:50 -0400 Received: by mail-ua1-f74.google.com with SMTP id r11so7252329uao.3 for ; Wed, 31 Jul 2019 15:16:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=gySahCCzgGb/Q58L8c20Lrjjix8qIZkrCOd+PLUQfB8=; b=cmIx1daqZEKRBkMW2JYQfOqzUiRs2oBlgGsfJ136BcTbgFMR1CJl2NqSDVgDe896Bx mpbcsPT67i243WQ4vLJxFNcPA4oGZ3Cz6MDwB0lBJSVHyXdZ+LTkkVhocNH63pmKpNYi jzKaCCH1ri5of7nbJCrFDV2szkQzQ4/IyfgIxl0y5Pz8cdpCVYSWtX3QdnT/0R1pxHJ8 86aVpuAguhOmGJFr5DCnDbgOLeH53KoQruXbdg8fiqbjwqEj4qIljZP/1qVz6Wc3j62q w8/FDQdrnu0IDQzCJ94OCBvj1zAWNGFs45jfQtd1ADYZiLLYm6kZQGlGm22DObG2SgD+ u1qw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=gySahCCzgGb/Q58L8c20Lrjjix8qIZkrCOd+PLUQfB8=; b=Uhg6qMlNAg6CtLmjICrFgeex+rS2LQwSfTH+LexWF6fpQI5OG5NPs/HUr7hdx5hEqy yCpgF+ZwUsufWtAOnoku9yWQu3/NCr5MalJd2Ycky0++VYrof3xwqDEWB+l4IyC6UqQe npQnkUjMweohiDwNhBsEWI0at2f4n9YOBv1yOINoobOjhUDCDzQ3FaA7Dx79RkY44mEK qHGAm+zmDz7f80nHDGcNClzNpWoiDTVfTMTKI1Z8YJ7RDSuEPC0dg8S61eoBe9H5Wcsw fvJZIV8aHayrTnR5gZWRVQfqf7swRdKmQp751610GjgrrOpV5isYqtsbYcwFMwCKZ4FO PQMQ== X-Gm-Message-State: APjAAAX2RM9vfDvc9dt+jjA0OUz3Z+J2C3EUmy8dkwiN0QfS8JEGnk/Q r5kNaPAW+ZnrFzB3LK8Xeu+D3BgNDRo90dIlWo6mVw== X-Received: by 2002:ab0:60b9:: with SMTP id f25mr62470698uam.111.1564611409165; Wed, 31 Jul 2019 15:16:49 -0700 (PDT) Date: Wed, 31 Jul 2019 15:15:57 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-10-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 09/29] kexec_file: Restrict at runtime if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , Kees Cook , kexec@lists.infradead.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Bohac When KEXEC_SIG is not enabled, kernel should not load images through kexec_file systemcall if the kernel is locked down. [Modified by David Howells to fit with modifications to the previous patch and to return -EPERM if the kernel is locked down for consistency with other lockdowns. Modified by Matthew Garrett to remove the IMA integration, which will be replaced by integrating with the IMA architecture policy patches.] Signed-off-by: Jiri Bohac Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Jiri Bohac Reviewed-by: Kees Cook cc: kexec@lists.infradead.org --- kernel/kexec_file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 875482c34154..dd06f1070d66 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -228,7 +228,10 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, goto out; } - ret = 0; + ret = security_locked_down(LOCKDOWN_KEXEC); + if (ret) + goto out; + break; /* All other errors are fatal, including nomem, unparseable -- 2.22.0.770.g0f2c4a37fd-goog