From 73958cc1f78cfc69f3b1ec26a3406b3c45f6d202 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 9 Apr 2018 09:52:45 +0100

Subject: [PATCH 01/24] Add the ability to lock down access to the running

 kernel image

Provide a single call to allow kernel code to determine whether the system

should be locked down, thereby disallowing various accesses that might

allow the running kernel image to be changed, including:

 - /dev/mem and similar

 - Loading of unauthorised modules

 - Fiddling with MSR registers

 - Suspend to disk managed by the kernel

 - Use of device DMA

Two kernel configuration options are provided:

 (*) CONFIG_LOCK_DOWN_KERNEL

     This makes lockdown available and applies it to all the points that

     need to be locked down if the mode is set.  Lockdown mode can be

     enabled by providing:

	lockdown=1

     on the command line.

 (*) CONFIG_LOCK_DOWN_MANDATORY

     This forces lockdown on at compile time, overriding the command line

     option.

init_lockdown() is used as a hook from which lockdown can be managed in

future.  It has to be called from arch setup code before things like ACPI

are enabled.

Note that, with the other changes in this series, if lockdown mode is

enabled, the kernel will not be able to use certain drivers as the ability

to manually configure hardware parameters would then be prohibited.  This

primarily applies to ISA hardware devices.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/kernel/setup.c |  2 ++

 include/linux/kernel.h  | 32 ++++++++++++++++++++++++

 security/Kconfig        | 23 ++++++++++++++++-

 security/Makefile       |  3 +++

 security/lock_down.c    | 65 +++++++++++++++++++++++++++++++++++++++++++++++++

 5 files changed, 124 insertions(+), 1 deletion(-)

 create mode 100644 security/lock_down.c

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index 6285697b6e56..566f0f447053 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -996,6 +996,8 @@ void __init setup_arch(char **cmdline_p)

 	if (efi_enabled(EFI_BOOT))

 		efi_init();

+	init_lockdown();

+

 	dmi_scan_machine();

 	dmi_memdev_walk();

 	dmi_set_dump_stack_arch_desc();

diff --git a/include/linux/kernel.h b/include/linux/kernel.h

index 4ae1dfd9bf05..7d085cca9cee 100644

--- a/include/linux/kernel.h

+++ b/include/linux/kernel.h

@@ -306,6 +306,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)

 { }

 #endif

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern void __init init_lockdown(void);

+extern bool __kernel_is_locked_down(const char *what, bool first);

+

+#ifndef CONFIG_LOCK_DOWN_MANDATORY

+#define kernel_is_locked_down(what)					\

+	({								\

+		static bool message_given;				\

+		bool locked_down = __kernel_is_locked_down(what, !message_given); \

+		message_given = true;					\

+		locked_down;						\

+	})

+#else

+#define kernel_is_locked_down(what)					\

+	({								\

+		static bool message_given;				\

+		__kernel_is_locked_down(what, !message_given);		\

+		message_given = true;					\

+		true;							\

+	})

+#endif

+#else

+static inline void __init init_lockdown(void)

+{

+}

+static inline bool __kernel_is_locked_down(const char *what, bool first)

+{

+	return false;

+}

+#define kernel_is_locked_down(what) ({ false; })

+#endif

+

 /* Internal, do not use. */

 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);

 int __must_check _kstrtol(const char *s, unsigned int base, long *res);

diff --git a/security/Kconfig b/security/Kconfig

index c4302067a3ad..a68e5bdebad5 100644

--- a/security/Kconfig

+++ b/security/Kconfig

@@ -231,6 +231,28 @@ config STATIC_USERMODEHELPER_PATH

 	  If you wish for all usermode helper programs to be disabled,

 	  specify an empty string here (i.e. "").

+config LOCK_DOWN_KERNEL

+	bool "Allow the kernel to be 'locked down'"

+	help

+	  Allow the kernel to be locked down.  Locking down the kernel turns

+	  off various features that might otherwise allow access to the kernel

+	  image (eg. setting MSR registers).

+

+	  Note, however, that locking down your kernel will prevent some

+	  drivers from functioning because allowing manual configuration of

+	  hardware parameters is forbidden, lest a device be used to access the

+	  kernel by DMA.  This mostly applies to ISA devices.

+

+	  The kernel lockdown can be triggered by adding lockdown=1 to the

+	  kernel command line.

+

+config LOCK_DOWN_MANDATORY

+	bool "Make kernel lockdown mandatory"

+	depends on LOCK_DOWN_KERNEL

+	help

+	  Makes the lockdown non-negotiable.  It is always on and cannot be

+	  disabled.

+

 source security/selinux/Kconfig

 source security/smack/Kconfig

 source security/tomoyo/Kconfig

@@ -278,4 +300,3 @@ config DEFAULT_SECURITY

 	default "" if DEFAULT_SECURITY_DAC

 endmenu

-

diff --git a/security/Makefile b/security/Makefile

index 4d2d3782ddef..507ac8c520ce 100644

--- a/security/Makefile

+++ b/security/Makefile

@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

 # Object integrity file lists

 subdir-$(CONFIG_INTEGRITY)		+= integrity

 obj-$(CONFIG_INTEGRITY)			+= integrity/

+

+# Allow the kernel to be locked down

+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o

diff --git a/security/lock_down.c b/security/lock_down.c

new file mode 100644

index 000000000000..f35ffdd096ad

--- /dev/null

+++ b/security/lock_down.c

@@ -0,0 +1,65 @@

+/* Lock down the kernel

+ *

+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.

+ * Written by David Howells (dhowells@redhat.com)

+ *

+ * This program is free software; you can redistribute it and/or

+ * modify it under the terms of the GNU General Public Licence

+ * as published by the Free Software Foundation; either version

+ * 2 of the Licence, or (at your option) any later version.

+ */

+

+#include <linux/export.h>

+#include <linux/sched.h>

+

+#ifndef CONFIG_LOCK_DOWN_MANDATORY

+static __ro_after_init bool kernel_locked_down;

+#else

+#define kernel_locked_down true

+#endif

+

+/*

+ * Put the kernel into lock-down mode.

+ */

+static void __init lock_kernel_down(const char *where)

+{

+#ifndef CONFIG_LOCK_DOWN_MANDATORY

+	if (!kernel_locked_down) {

+		kernel_locked_down = true;

+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",

+			  where);

+	}

+#endif

+}

+

+static int __init lockdown_param(char *ignored)

+{

+	lock_kernel_down("command line");

+	return 0;

+}

+

+early_param("lockdown", lockdown_param);

+

+/*

+ * Lock the kernel down from very early in the arch setup.  This must happen

+ * prior to things like ACPI being initialised.

+ */

+void __init init_lockdown(void)

+{

+#ifdef CONFIG_LOCK_DOWN_MANDATORY

+	pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");

+#endif

+}

+

+/**

+ * kernel_is_locked_down - Find out if the kernel is locked down

+ * @what: Tag to use in notice generated if lockdown is in effect

+ */

+bool __kernel_is_locked_down(const char *what, bool first)

+{

+	if (what && first && kernel_locked_down)

+		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",

+			  current->comm, what);

+	return kernel_locked_down;

+}

+EXPORT_SYMBOL(__kernel_is_locked_down);

-- 

2.14.3

From 13dada34d9aa56ac4ee5438c7ebefde2d30d5542 Mon Sep 17 00:00:00 2001

From: Kyle McMartin <kyle@redhat.com>

Date: Mon, 9 Apr 2018 09:52:45 +0100

Subject: [PATCH 02/24] Add a SysRq option to lift kernel lockdown

Make an option to provide a sysrq key that will lift the kernel lockdown,

thereby allowing the running kernel image to be accessed and modified.

On x86 this is triggered with SysRq+x, but this key may not be available on

all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.

Since this macro must be defined in an arch to be able to use this facility

for that arch, the Kconfig option is restricted to arches that support it.

Signed-off-by: Kyle McMartin <kyle@redhat.com>

Signed-off-by: David Howells <dhowells@redhat.com>

cc: x86@kernel.org

---

 arch/x86/include/asm/setup.h |  2 ++

 drivers/input/misc/uinput.c  |  1 +

 drivers/tty/sysrq.c          | 19 ++++++++++++------

 include/linux/input.h        |  5 +++++

 include/linux/sysrq.h        |  8 +++++++-

 kernel/debug/kdb/kdb_main.c  |  2 +-

 security/Kconfig             | 11 +++++++++++

 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++

 8 files changed, 87 insertions(+), 8 deletions(-)

diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h

index ae13bc974416..3108e297d87d 100644

--- a/arch/x86/include/asm/setup.h

+++ b/arch/x86/include/asm/setup.h

@@ -9,6 +9,8 @@

 #include <linux/linkage.h>

 #include <asm/page_types.h>

+#define LOCKDOWN_LIFT_KEY 'x'

+

 #ifdef __i386__

 #include <linux/pfn.h>

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c

index 96a887f33698..027c730631cc 100644

--- a/drivers/input/misc/uinput.c

+++ b/drivers/input/misc/uinput.c

@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev)

 		dev->flush = uinput_dev_flush;

 	}

+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;

 	dev->event = uinput_dev_event;

 	input_set_drvdata(udev->dev, udev);

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c

index 6364890575ec..ffeb3aa86cd1 100644

--- a/drivers/tty/sysrq.c

+++ b/drivers/tty/sysrq.c

@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {

 	/* x: May be registered on mips for TLB dump */

 	/* x: May be registered on ppc/powerpc for xmon */

 	/* x: May be registered on sparc64 for global PMU dump */

+	/* x: May be registered on x86_64 for disabling secure boot */

 	NULL,				/* x */

 	/* y: May be registered on sparc64 for global register dump */

 	NULL,				/* y */

@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)

                 sysrq_key_table[i] = op_p;

 }

-void __handle_sysrq(int key, bool check_mask)

+void __handle_sysrq(int key, unsigned int from)

 {

 	struct sysrq_key_op *op_p;

 	int orig_log_level;

@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask)

         op_p = __sysrq_get_key_op(key);

         if (op_p) {

+		/* Ban synthetic events from some sysrq functionality */

+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&

+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)

+			printk("This sysrq operation is disabled from userspace.\n");

 		/*

 		 * Should we check for enabled operations (/proc/sysrq-trigger

 		 * should not) and is the invoked operation enabled?

 		 */

-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {

+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {

 			pr_cont("%s\n", op_p->action_msg);

 			console_loglevel = orig_log_level;

 			op_p->handler(key);

@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask)

 void handle_sysrq(int key)

 {

 	if (sysrq_on())

-		__handle_sysrq(key, true);

+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);

 }

 EXPORT_SYMBOL(handle_sysrq);

@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t)

 static void sysrq_handle_reset_request(struct sysrq_state *state)

 {

 	if (state->reset_requested)

-		__handle_sysrq(sysrq_xlate[KEY_B], false);

+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);

 	if (sysrq_reset_downtime_ms)

 		mod_timer(&state->keyreset_timer,

@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,

 	default:

 		if (sysrq->active && value && value != 2) {

+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?

+					SYSRQ_FROM_SYNTHETIC : 0;

 			sysrq->need_reinject = false;

-			__handle_sysrq(sysrq_xlate[code], true);

+			__handle_sysrq(sysrq_xlate[code], from);

 		}

 		break;

 	}

@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,

 		if (get_user(c, buf))

 			return -EFAULT;

-		__handle_sysrq(c, false);

+		__handle_sysrq(c, SYSRQ_FROM_PROC);

 	}

 	return count;

diff --git a/include/linux/input.h b/include/linux/input.h

index 7c7516eb7d76..38cd0ea72c37 100644

--- a/include/linux/input.h

+++ b/include/linux/input.h

@@ -42,6 +42,7 @@ struct input_value {

  * @phys: physical path to the device in the system hierarchy

  * @uniq: unique identification code for the device (if device has it)

  * @id: id of the device (struct input_id)

+ * @flags: input device flags (SYNTHETIC, etc.)

  * @propbit: bitmap of device properties and quirks

  * @evbit: bitmap of types of events supported by the device (EV_KEY,

  *	EV_REL, etc.)

@@ -124,6 +125,8 @@ struct input_dev {

 	const char *uniq;

 	struct input_id id;

+	unsigned int flags;

+

 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];

 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];

@@ -190,6 +193,8 @@ struct input_dev {

 };

 #define to_input_dev(d) container_of(d, struct input_dev, dev)

+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001

+

 /*

  * Verify that we are in sync with input_device_id mod_devicetable.h #defines

  */

diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h

index 8c71874e8485..7de1f08b60a9 100644

--- a/include/linux/sysrq.h

+++ b/include/linux/sysrq.h

@@ -29,6 +29,8 @@

 #define SYSRQ_ENABLE_BOOT	0x0080

 #define SYSRQ_ENABLE_RTNICE	0x0100

+#define SYSRQ_DISABLE_USERSPACE	0x00010000

+

 struct sysrq_key_op {

 	void (*handler)(int);

 	char *help_msg;

@@ -43,8 +45,12 @@ struct sysrq_key_op {

  * are available -- else NULL's).

  */

+#define SYSRQ_FROM_KERNEL	0x0001

+#define SYSRQ_FROM_PROC		0x0002

+#define SYSRQ_FROM_SYNTHETIC	0x0004

+

 void handle_sysrq(int key);

-void __handle_sysrq(int key, bool check_mask);

+void __handle_sysrq(int key, unsigned int from);

 int register_sysrq_key(int key, struct sysrq_key_op *op);

 int unregister_sysrq_key(int key, struct sysrq_key_op *op);

 struct sysrq_key_op *__sysrq_get_key_op(int key);

diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c

index dbb0781a0533..aae9a0f44058 100644

--- a/kernel/debug/kdb/kdb_main.c

+++ b/kernel/debug/kdb/kdb_main.c

@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)

 		return KDB_ARGCOUNT;

 	kdb_trap_printk++;

-	__handle_sysrq(*argv[1], check_mask);

+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);

 	kdb_trap_printk--;

 	return 0;

diff --git a/security/Kconfig b/security/Kconfig

index a68e5bdebad5..46967ee77dfd 100644

--- a/security/Kconfig

+++ b/security/Kconfig

@@ -253,6 +253,17 @@ config LOCK_DOWN_MANDATORY

 	  Makes the lockdown non-negotiable.  It is always on and cannot be

 	  disabled.

+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ

+	bool "Allow the kernel lockdown to be lifted by SysRq"

+	depends on LOCK_DOWN_KERNEL

+	depends on !LOCK_DOWN_MANDATORY

+	depends on MAGIC_SYSRQ

+	depends on X86

+	help

+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key

+	  combination on a wired keyboard.  On x86, this is SysRq+x.

+

+

 source security/selinux/Kconfig

 source security/smack/Kconfig

 source security/tomoyo/Kconfig

diff --git a/security/lock_down.c b/security/lock_down.c

index f35ffdd096ad..2615669dbf03 100644

--- a/security/lock_down.c

+++ b/security/lock_down.c

@@ -11,9 +11,15 @@

 #include <linux/export.h>

 #include <linux/sched.h>

+#include <linux/sysrq.h>

+#include <asm/setup.h>

 #ifndef CONFIG_LOCK_DOWN_MANDATORY

+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ

+static __read_mostly bool kernel_locked_down;

+#else

 static __ro_after_init bool kernel_locked_down;

+#endif

 #else

 #define kernel_locked_down true

 #endif

@@ -63,3 +69,44 @@ bool __kernel_is_locked_down(const char *what, bool first)

 	return kernel_locked_down;

 }

 EXPORT_SYMBOL(__kernel_is_locked_down);

+

+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ

+

+/*

+ * Take the kernel out of lockdown mode.

+ */

+static void lift_kernel_lockdown(void)

+{

+	pr_notice("Lifting lockdown\n");

+	kernel_locked_down = false;

+}

+

+/*

+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by

+ * echoing the appropriate letter into the sysrq-trigger file).

+ */

+static void sysrq_handle_lockdown_lift(int key)

+{

+	if (kernel_locked_down)

+		lift_kernel_lockdown();

+}

+

+static struct sysrq_key_op lockdown_lift_sysrq_op = {

+	.handler	= sysrq_handle_lockdown_lift,

+	.help_msg	= "unSB(x)",

+	.action_msg	= "Disabling Secure Boot restrictions",

+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,

+};

+

+static int __init lockdown_lift_sysrq(void)

+{

+	if (kernel_locked_down) {

+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;

+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);

+	}

+	return 0;

+}

+

+late_initcall(lockdown_lift_sysrq);

+

+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */

-- 

2.14.3

From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001

From: Mimi Zohar <zohar@linux.vnet.ibm.com>

Date: Mon, 9 Apr 2018 09:52:45 +0100

Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode

Require the "secure_boot" rules, whether or not it is specified

on the boot command line, for both the builtin and custom policies

in secure boot lockdown mode.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------

 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c

index 8c9499867c91..f8428f579924 100644

--- a/security/integrity/ima/ima_policy.c

+++ b/security/integrity/ima/ima_policy.c

@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)

  */

 void __init ima_init_policy(void)

 {

-	int i, measure_entries, appraise_entries, secure_boot_entries;

+	int i;

+	int measure_entries = 0;

+	int appraise_entries = 0;

+	int secure_boot_entries = 0;

+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);

 	/* if !ima_policy set entries = 0 so we load NO default rules */

-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;

-	appraise_entries = ima_use_appraise_tcb ?

-			 ARRAY_SIZE(default_appraise_rules) : 0;

-	secure_boot_entries = ima_use_secure_boot ?

-			ARRAY_SIZE(secure_boot_rules) : 0;

+	if (ima_policy)

+		measure_entries = ARRAY_SIZE(dont_measure_rules);

+

+	if (ima_use_appraise_tcb)

+		appraise_entries = ARRAY_SIZE(default_appraise_rules);

+

+	if (ima_use_secure_boot || kernel_locked_down)

+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);

 	for (i = 0; i < measure_entries; i++)

 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);

@@ -509,12 +516,25 @@ void __init ima_init_policy(void)

 	/*

 	 * Insert the builtin "secure_boot" policy rules requiring file

-	 * signatures, prior to any other appraise rules.

+	 * signatures, prior to any other appraise rules.  In secure boot

+	 * lock-down mode, also require these appraise rules for custom

+	 * policies.

 	 */

 	for (i = 0; i < secure_boot_entries; i++) {

+		struct ima_rule_entry *entry;

+

+		/* Include for builtin policies */

 		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);

 		temp_ima_appraise |=

 		    ima_appraise_flag(secure_boot_rules[i].func);

+

+		/* Include for custom policies */

+		if (kernel_locked_down) {

+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),

+					GFP_KERNEL);

+			if (entry)

+				list_add_tail(&entry->list, &ima_policy_rules);

+		}

 	}

 	/*

-- 

2.17.1

From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 9 Apr 2018 09:52:46 +0100

Subject: [PATCH] Enforce module signatures if the kernel is locked down

If the kernel is locked down, require that all modules have valid

signatures that we can verify or that IMA can validate the file.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,

     ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If IMA will have validated the image, return 0 (okay).

     (c) If there's no signature or we can't check it, but the kernel is

	 locked down then EPERM is returned (this is then consistent with

	 other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails

     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we

     return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not

be valid or might not have been transferred to the kernel's clock yet.

Signed-off-by: David Howells <dhowells@redhat.com>

Reviewed-by: Jiri Bohac <jbohac@suse.cz>

cc: "Lee, Chun-Yi" <jlee@suse.com>

cc: James Morris <james.l.morris@oracle.com>

---

 kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------

 1 file changed, 43 insertions(+), 13 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c

index b046a32520d8..3bb0722c106e 100644

--- a/kernel/module.c

+++ b/kernel/module.c

@@ -64,6 +64,7 @@

 #include <linux/bsearch.h>

 #include <linux/dynamic_debug.h>

 #include <linux/audit.h>

+#include <linux/ima.h>

 #include <uapi/linux/module.h>

 #include "module-internal.h"

@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,

 #endif

 #ifdef CONFIG_MODULE_SIG

-static int module_sig_check(struct load_info *info, int flags)

+static int module_sig_check(struct load_info *info, int flags,

+			    bool can_do_ima_check)

 {

-	int err = -ENOKEY;

+	int err = -ENODATA;

 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;

+	const char *reason;

 	const void *mod = info->hdr;

 	/*

@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)

 		err = mod_verify_sig(mod, info);

 	}

-	if (!err) {

+	switch (err) {

+	case 0:

 		info->sig_ok = true;

 		return 0;

-	}

-	/* Not having a signature is only an error if we're strict. */

-	if (err == -ENOKEY && !is_module_sig_enforced())

-		err = 0;

+		/* We don't permit modules to be loaded into trusted kernels

+		 * without a valid signature on them, but if we're not

+		 * enforcing, certain errors are non-fatal.

+		 */

+	case -ENODATA:

+		reason = "Loading of unsigned module";

+		goto decide;

+	case -ENOPKG:

+		reason = "Loading of module with unsupported crypto";

+		goto decide;

+	case -ENOKEY:

+		reason = "Loading of module with unavailable key";

+	decide:

+		if (sig_enforce) {

+			pr_notice("%s is rejected\n", reason);

+			return -EKEYREJECTED;

+		}

-	return err;

+		if (can_do_ima_check && is_ima_appraise_enabled())

+			return 0;

+		if (kernel_is_locked_down(reason))

+			return -EPERM;

+		return 0;

+

+		/* All other errors are fatal, including nomem, unparseable

+		 * signatures and signature check failures - even if signatures

+		 * aren't required.

+		 */

+	default:

+		return err;

+	}

 }

 #else /* !CONFIG_MODULE_SIG */

-static int module_sig_check(struct load_info *info, int flags)

+static int module_sig_check(struct load_info *info, int flags,

+			    bool can_do_ima_check)

 {

 	return 0;

 }

@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,

 /* Allocate and load the module: note that size of section 0 is always

    zero, and we rely on this for optional sections. */

 static int load_module(struct load_info *info, const char __user *uargs,

-		       int flags)

+		       int flags, bool can_do_ima_check)