Date: Wed, 7 Aug 2019 17:07:06 -0700
In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com>
Message-Id: <20190808000721.124691-15-matthewgarrett@google.com>
References: <20190808000721.124691-1-matthewgarrett@google.com>
Subject: [PATCH V38 14/29] ACPI: Limit access to custom_method when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, Kees Cook, linux-acpi@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: Kees Cook
cc: linux-acpi@vger.kernel.org
--- drivers/acpi/custom_method.c | 6 ++++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 8 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index b2ef4c2ec955..7031307becd7 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c
@@ -9,6 +9,7 @@ #include #include #include +#include #include "internal.h" @@ -29,6 +30,11 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + int ret; + + ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + if (ret) + return ret; if (!(*ppos)) { /* parse the table header to get the table length */ diff --git a/include/linux/security.h b/include/linux/security.h index 155ff026eca4..1c32522b3c5a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -110,6 +110,7 @@ enum lockdown_reason { LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, + LOCKDOWN_ACPI_TABLES, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d99c0bee739d..ecb51b1a5c03 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", + [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog
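
Review bot: the new check at the top of cm_write() in drivers/acpi/custom_method.c carries no comment saying why the write is refused; the rationale (custom_method gives arbitrary access to system memory) lives only in the commit message. A one-line comment above `ret = security_locked_down(LOCKDOWN_ACPI_TABLES);` would keep it with the code. Putting the check ahead of `if (!(*ppos))` is the right spot, since every write call then passes through it, first chunk or continuation, and the error from security_locked_down() is returned unchanged.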
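
Review bot: in the enum lockdown_reason hunk of include/linux/security.h, nothing documents that inserting LOCKDOWN_ACPI_TABLES above LOCKDOWN_INTEGRITY_MAX is what places it in the integrity group rather than the confidentiality group. A short comment on the two _MAX sentinels would stop a later addition from landing on the wrong side. The placement itself agrees with the commit message, which describes arbitrary memory access being used to get around module-loading restrictions.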
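
Review bot: the string added to lockdown_reasons[] in security/lockdown/lockdown.c, "modifying ACPI tables", does not mention custom_method, which is the only interface this patch gates, so a reader who meets that reason after a refused write to custom_method may not connect the two. Either state in the commit message that LOCKDOWN_ACPI_TABLES is meant to cover ACPI table modification in general, or word the string so that it also covers method injection.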