8cf006
From 73958cc1f78cfc69f3b1ec26a3406b3c45f6d202 Mon Sep 17 00:00:00 2001
962ea4
From: David Howells <dhowells@redhat.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:45 +0100
8cf006
Subject: [PATCH 01/24] Add the ability to lock down access to the running
006f5b
 kernel image
962ea4
962ea4
Provide a single call to allow kernel code to determine whether the system
962ea4
should be locked down, thereby disallowing various accesses that might
8cf006
allow the running kernel image to be changed, including:
8cf006
8cf006
 - /dev/mem and similar
8cf006
 - Loading of unauthorised modules
8cf006
 - Fiddling with MSR registers
8cf006
 - Suspend to disk managed by the kernel
8cf006
 - Use of device DMA
8cf006
8cf006
Two kernel configuration options are provided:
8cf006
8cf006
 (*) CONFIG_LOCK_DOWN_KERNEL
8cf006
8cf006
     This makes lockdown available and applies it to all the points that
8cf006
     need to be locked down if the mode is set.  Lockdown mode can be
8cf006
     enabled by providing:
8cf006
8cf006
	lockdown=1
8cf006
8cf006
     on the command line.
8cf006
8cf006
 (*) CONFIG_LOCK_DOWN_MANDATORY
8cf006
8cf006
     This forces lockdown on at compile time, overriding the command line
8cf006
     option.
8cf006
8cf006
init_lockdown() is used as a hook from which lockdown can be managed in
8cf006
future.  It has to be called from arch setup code before things like ACPI
8cf006
are enabled.
8cf006
8cf006
Note that, with the other changes in this series, if lockdown mode is
8cf006
enabled, the kernel will not be able to use certain drivers as the ability
8cf006
to manually configure hardware parameters would then be prohibited.  This
8cf006
primarily applies to ISA hardware devices.
962ea4
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
962ea4
---
8cf006
 arch/x86/kernel/setup.c |  2 ++
8cf006
 include/linux/kernel.h  | 32 ++++++++++++++++++++++++
8cf006
 security/Kconfig        | 23 ++++++++++++++++-
8cf006
 security/Makefile       |  3 +++
8cf006
 security/lock_down.c    | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
8cf006
 5 files changed, 124 insertions(+), 1 deletion(-)
962ea4
 create mode 100644 security/lock_down.c
962ea4
8cf006
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
8cf006
index 6285697b6e56..566f0f447053 100644
8cf006
--- a/arch/x86/kernel/setup.c
8cf006
+++ b/arch/x86/kernel/setup.c
8cf006
@@ -996,6 +996,8 @@ void __init setup_arch(char **cmdline_p)
8cf006
 	if (efi_enabled(EFI_BOOT))
8cf006
 		efi_init();
8cf006
8cf006
+	init_lockdown();
8cf006
+
8cf006
 	dmi_scan_machine();
8cf006
 	dmi_memdev_walk();
8cf006
 	dmi_set_dump_stack_arch_desc();
962ea4
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
8cf006
index 4ae1dfd9bf05..7d085cca9cee 100644
962ea4
--- a/include/linux/kernel.h
962ea4
+++ b/include/linux/kernel.h
8cf006
@@ -306,6 +306,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
59566d
 { }
59566d
 #endif
135abd
962ea4
+#ifdef CONFIG_LOCK_DOWN_KERNEL
8cf006
+extern void __init init_lockdown(void);
59566d
+extern bool __kernel_is_locked_down(const char *what, bool first);
962ea4
+
8cf006
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
59566d
+#define kernel_is_locked_down(what)					\
59566d
+	({								\
59566d
+		static bool message_given;				\
59566d
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
59566d
+		message_given = true;					\
59566d
+		locked_down;						\
59566d
+	})
8cf006
+#else
8cf006
+#define kernel_is_locked_down(what)					\
8cf006
+	({								\
8cf006
+		static bool message_given;				\
8cf006
+		__kernel_is_locked_down(what, !message_given);		\
8cf006
+		message_given = true;					\
8cf006
+		true;							\
8cf006
+	})
8cf006
+#endif
962ea4
+#else
135abd
+static inline void __init init_lockdown(void)
962ea4
+{
962ea4
+}
8cf006
+static inline bool __kernel_is_locked_down(const char *what, bool first)
8cf006
+{
8cf006
+	return false;
8cf006
+}
8cf006
+#define kernel_is_locked_down(what) ({ false; })
962ea4
+#endif
962ea4
+
8cf006
 /* Internal, do not use. */
8cf006
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
8cf006
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
962ea4
diff --git a/security/Kconfig b/security/Kconfig
8cf006
index c4302067a3ad..a68e5bdebad5 100644
962ea4
--- a/security/Kconfig
962ea4
+++ b/security/Kconfig
8cf006
@@ -231,6 +231,28 @@ config STATIC_USERMODEHELPER_PATH
c796f8
 	  If you wish for all usermode helper programs to be disabled,
c796f8
 	  specify an empty string here (i.e. "").
135abd
962ea4
+config LOCK_DOWN_KERNEL
962ea4
+	bool "Allow the kernel to be 'locked down'"
962ea4
+	help
8cf006
+	  Allow the kernel to be locked down.  Locking down the kernel turns
8cf006
+	  off various features that might otherwise allow access to the kernel
8cf006
+	  image (eg. setting MSR registers).
8cf006
+
8cf006
+	  Note, however, that locking down your kernel will prevent some
8cf006
+	  drivers from functioning because allowing manual configuration of
8cf006
+	  hardware parameters is forbidden, lest a device be used to access the
8cf006
+	  kernel by DMA.  This mostly applies to ISA devices.
8cf006
+
8cf006
+	  The kernel lockdown can be triggered by adding lockdown=1 to the
8cf006
+	  kernel command line.
8cf006
+
8cf006
+config LOCK_DOWN_MANDATORY
8cf006
+	bool "Make kernel lockdown mandatory"
8cf006
+	depends on LOCK_DOWN_KERNEL
8cf006
+	help
8cf006
+	  Makes the lockdown non-negotiable.  It is always on and cannot be
8cf006
+	  disabled.
962ea4
+
962ea4
 source security/selinux/Kconfig
962ea4
 source security/smack/Kconfig
962ea4
 source security/tomoyo/Kconfig
8cf006
@@ -278,4 +300,3 @@ config DEFAULT_SECURITY
8cf006
 	default "" if DEFAULT_SECURITY_DAC
8cf006
8cf006
 endmenu
8cf006
-
962ea4
diff --git a/security/Makefile b/security/Makefile
f20e0a
index 4d2d3782ddef..507ac8c520ce 100644
962ea4
--- a/security/Makefile
962ea4
+++ b/security/Makefile
f20e0a
@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
962ea4
 # Object integrity file lists
962ea4
 subdir-$(CONFIG_INTEGRITY)		+= integrity
962ea4
 obj-$(CONFIG_INTEGRITY)			+= integrity/
962ea4
+
962ea4
+# Allow the kernel to be locked down
962ea4
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
962ea4
diff --git a/security/lock_down.c b/security/lock_down.c
962ea4
new file mode 100644
8cf006
index 000000000000..f35ffdd096ad
962ea4
--- /dev/null
962ea4
+++ b/security/lock_down.c
8cf006
@@ -0,0 +1,65 @@
962ea4
+/* Lock down the kernel
962ea4
+ *
962ea4
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
962ea4
+ * Written by David Howells (dhowells@redhat.com)
962ea4
+ *
962ea4
+ * This program is free software; you can redistribute it and/or
962ea4
+ * modify it under the terms of the GNU General Public Licence
962ea4
+ * as published by the Free Software Foundation; either version
962ea4
+ * 2 of the Licence, or (at your option) any later version.
962ea4
+ */
962ea4
+
962ea4
+#include <linux/export.h>
8cf006
+#include <linux/sched.h>
962ea4
+
8cf006
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
59566d
+static __ro_after_init bool kernel_locked_down;
8cf006
+#else
8cf006
+#define kernel_locked_down true
8cf006
+#endif
962ea4
+
962ea4
+/*
962ea4
+ * Put the kernel into lock-down mode.
962ea4
+ */
59566d
+static void __init lock_kernel_down(const char *where)
59566d
+{
8cf006
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
59566d
+	if (!kernel_locked_down) {
59566d
+		kernel_locked_down = true;
59566d
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
59566d
+			  where);
59566d
+	}
8cf006
+#endif
59566d
+}
59566d
+
59566d
+static int __init lockdown_param(char *ignored)
962ea4
+{
59566d
+	lock_kernel_down("command line");
59566d
+	return 0;
962ea4
+}
962ea4
+
59566d
+early_param("lockdown", lockdown_param);
59566d
+
962ea4
+/*
59566d
+ * Lock the kernel down from very early in the arch setup.  This must happen
59566d
+ * prior to things like ACPI being initialised.
962ea4
+ */
59566d
+void __init init_lockdown(void)
962ea4
+{
8cf006
+#ifdef CONFIG_LOCK_DOWN_MANDATORY
8cf006
+	pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
59566d
+#endif
962ea4
+}
962ea4
+
962ea4
+/**
962ea4
+ * kernel_is_locked_down - Find out if the kernel is locked down
59566d
+ * @what: Tag to use in notice generated if lockdown is in effect
962ea4
+ */
59566d
+bool __kernel_is_locked_down(const char *what, bool first)
962ea4
+{
59566d
+	if (what && first && kernel_locked_down)
8cf006
+		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
8cf006
+			  current->comm, what);
962ea4
+	return kernel_locked_down;
962ea4
+}
59566d
+EXPORT_SYMBOL(__kernel_is_locked_down);
135abd
-- 
f20e0a
2.14.3
962ea4
8cf006
From 13dada34d9aa56ac4ee5438c7ebefde2d30d5542 Mon Sep 17 00:00:00 2001
59566d
From: Kyle McMartin <kyle@redhat.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:45 +0100
8cf006
Subject: [PATCH 02/24] Add a SysRq option to lift kernel lockdown
962ea4
59566d
Make an option to provide a sysrq key that will lift the kernel lockdown,
59566d
thereby allowing the running kernel image to be accessed and modified.
962ea4
f20e0a
On x86 this is triggered with SysRq+x, but this key may not be available on
f20e0a
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
f20e0a
Since this macro must be defined in an arch to be able to use this facility
f20e0a
for that arch, the Kconfig option is restricted to arches that support it.
962ea4
59566d
Signed-off-by: Kyle McMartin <kyle@redhat.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: x86@kernel.org
962ea4
---
135abd
 arch/x86/include/asm/setup.h |  2 ++
135abd
 drivers/input/misc/uinput.c  |  1 +
135abd
 drivers/tty/sysrq.c          | 19 ++++++++++++------
135abd
 include/linux/input.h        |  5 +++++
135abd
 include/linux/sysrq.h        |  8 +++++++-
135abd
 kernel/debug/kdb/kdb_main.c  |  2 +-
8cf006
 security/Kconfig             | 11 +++++++++++
135abd
 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++
8cf006
 8 files changed, 87 insertions(+), 8 deletions(-)
59566d
59566d
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
f20e0a
index ae13bc974416..3108e297d87d 100644
59566d
--- a/arch/x86/include/asm/setup.h
59566d
+++ b/arch/x86/include/asm/setup.h
f20e0a
@@ -9,6 +9,8 @@
59566d
 #include <linux/linkage.h>
59566d
 #include <asm/page_types.h>
135abd
59566d
+#define LOCKDOWN_LIFT_KEY 'x'
962ea4
+
59566d
 #ifdef __i386__
135abd
59566d
 #include <linux/pfn.h>
962ea4
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
f20e0a
index 96a887f33698..027c730631cc 100644
962ea4
--- a/drivers/input/misc/uinput.c
962ea4
+++ b/drivers/input/misc/uinput.c
f20e0a
@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev)
e1d147
 		dev->flush = uinput_dev_flush;
e1d147
 	}
f20e0a
e1d147
+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
e1d147
 	dev->event = uinput_dev_event;
f20e0a
962ea4
 	input_set_drvdata(udev->dev, udev);
962ea4
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
8cf006
index 6364890575ec..ffeb3aa86cd1 100644
962ea4
--- a/drivers/tty/sysrq.c
962ea4
+++ b/drivers/tty/sysrq.c
f20e0a
@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
962ea4
 	/* x: May be registered on mips for TLB dump */
962ea4
 	/* x: May be registered on ppc/powerpc for xmon */
962ea4
 	/* x: May be registered on sparc64 for global PMU dump */
962ea4
+	/* x: May be registered on x86_64 for disabling secure boot */
962ea4
 	NULL,				/* x */
962ea4
 	/* y: May be registered on sparc64 for global register dump */
962ea4
 	NULL,				/* y */
f20e0a
@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
962ea4
                 sysrq_key_table[i] = op_p;
962ea4
 }
135abd
962ea4
-void __handle_sysrq(int key, bool check_mask)
962ea4
+void __handle_sysrq(int key, unsigned int from)
962ea4
 {
962ea4
 	struct sysrq_key_op *op_p;
962ea4
 	int orig_log_level;
f20e0a
@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask)
135abd
962ea4
         op_p = __sysrq_get_key_op(key);
962ea4
         if (op_p) {
962ea4
+		/* Ban synthetic events from some sysrq functionality */
962ea4
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
962ea4
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
962ea4
+			printk("This sysrq operation is disabled from userspace.\n");
962ea4
 		/*
962ea4
 		 * Should we check for enabled operations (/proc/sysrq-trigger
962ea4
 		 * should not) and is the invoked operation enabled?
962ea4
 		 */
962ea4
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
962ea4
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
962ea4
 			pr_cont("%s\n", op_p->action_msg);
962ea4
 			console_loglevel = orig_log_level;
962ea4
 			op_p->handler(key);
f20e0a
@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask)
962ea4
 void handle_sysrq(int key)
962ea4
 {
962ea4
 	if (sysrq_on())
962ea4
-		__handle_sysrq(key, true);
962ea4
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
962ea4
 }
962ea4
 EXPORT_SYMBOL(handle_sysrq);
135abd
f20e0a
@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t)
962ea4
 static void sysrq_handle_reset_request(struct sysrq_state *state)
962ea4
 {
962ea4
 	if (state->reset_requested)
962ea4
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
962ea4
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
135abd
962ea4
 	if (sysrq_reset_downtime_ms)
962ea4
 		mod_timer(&state->keyreset_timer,
f20e0a
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
135abd
962ea4
 	default:
962ea4
 		if (sysrq->active && value && value != 2) {
962ea4
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
962ea4
+					SYSRQ_FROM_SYNTHETIC : 0;
962ea4
 			sysrq->need_reinject = false;
962ea4
-			__handle_sysrq(sysrq_xlate[code], true);
962ea4
+			__handle_sysrq(sysrq_xlate[code], from);
962ea4
 		}
962ea4
 		break;
962ea4
 	}
f20e0a
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
135abd
962ea4
 		if (get_user(c, buf))
962ea4
 			return -EFAULT;
962ea4
-		__handle_sysrq(c, false);
962ea4
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
962ea4
 	}
135abd
962ea4
 	return count;
962ea4
diff --git a/include/linux/input.h b/include/linux/input.h
f20e0a
index 7c7516eb7d76..38cd0ea72c37 100644
962ea4
--- a/include/linux/input.h
962ea4
+++ b/include/linux/input.h
962ea4
@@ -42,6 +42,7 @@ struct input_value {
962ea4
  * @phys: physical path to the device in the system hierarchy
962ea4
  * @uniq: unique identification code for the device (if device has it)
962ea4
  * @id: id of the device (struct input_id)
962ea4
+ * @flags: input device flags (SYNTHETIC, etc.)
962ea4
  * @propbit: bitmap of device properties and quirks
962ea4
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
962ea4
  *	EV_REL, etc.)
962ea4
@@ -124,6 +125,8 @@ struct input_dev {
962ea4
 	const char *uniq;
962ea4
 	struct input_id id;
135abd
962ea4
+	unsigned int flags;
962ea4
+
962ea4
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
135abd
962ea4
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
962ea4
@@ -190,6 +193,8 @@ struct input_dev {
962ea4
 };
962ea4
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
135abd
962ea4
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
962ea4
+
962ea4
 /*
962ea4
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
962ea4
  */
962ea4
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
f20e0a
index 8c71874e8485..7de1f08b60a9 100644
962ea4
--- a/include/linux/sysrq.h
962ea4
+++ b/include/linux/sysrq.h
f20e0a
@@ -29,6 +29,8 @@
962ea4
 #define SYSRQ_ENABLE_BOOT	0x0080
962ea4
 #define SYSRQ_ENABLE_RTNICE	0x0100
135abd
962ea4
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
962ea4
+
962ea4
 struct sysrq_key_op {
962ea4
 	void (*handler)(int);
962ea4
 	char *help_msg;
f20e0a
@@ -43,8 +45,12 @@ struct sysrq_key_op {
962ea4
  * are available -- else NULL's).
962ea4
  */
135abd
962ea4
+#define SYSRQ_FROM_KERNEL	0x0001
962ea4
+#define SYSRQ_FROM_PROC		0x0002
962ea4
+#define SYSRQ_FROM_SYNTHETIC	0x0004
962ea4
+
962ea4
 void handle_sysrq(int key);
962ea4
-void __handle_sysrq(int key, bool check_mask);
962ea4
+void __handle_sysrq(int key, unsigned int from);
962ea4
 int register_sysrq_key(int key, struct sysrq_key_op *op);
962ea4
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
962ea4
 struct sysrq_key_op *__sysrq_get_key_op(int key);
962ea4
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
f20e0a
index dbb0781a0533..aae9a0f44058 100644
962ea4
--- a/kernel/debug/kdb/kdb_main.c
962ea4
+++ b/kernel/debug/kdb/kdb_main.c
59566d
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
962ea4
 		return KDB_ARGCOUNT;
135abd
962ea4
 	kdb_trap_printk++;
962ea4
-	__handle_sysrq(*argv[1], check_mask);
962ea4
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
962ea4
 	kdb_trap_printk--;
135abd
962ea4
 	return 0;
59566d
diff --git a/security/Kconfig b/security/Kconfig
8cf006
index a68e5bdebad5..46967ee77dfd 100644
59566d
--- a/security/Kconfig
59566d
+++ b/security/Kconfig
8cf006
@@ -253,6 +253,17 @@ config LOCK_DOWN_MANDATORY
8cf006
 	  Makes the lockdown non-negotiable.  It is always on and cannot be
8cf006
 	  disabled.
135abd
59566d
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
59566d
+	bool "Allow the kernel lockdown to be lifted by SysRq"
f20e0a
+	depends on LOCK_DOWN_KERNEL
8cf006
+	depends on !LOCK_DOWN_MANDATORY
f20e0a
+	depends on MAGIC_SYSRQ
f20e0a
+	depends on X86
59566d
+	help
59566d
+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
8cf006
+	  combination on a wired keyboard.  On x86, this is SysRq+x.
59566d
+
59566d
+
59566d
 source security/selinux/Kconfig
59566d
 source security/smack/Kconfig
59566d
 source security/tomoyo/Kconfig
59566d
diff --git a/security/lock_down.c b/security/lock_down.c
8cf006
index f35ffdd096ad..2615669dbf03 100644
59566d
--- a/security/lock_down.c
59566d
+++ b/security/lock_down.c
8cf006
@@ -11,9 +11,15 @@
135abd
59566d
 #include <linux/export.h>
8cf006
 #include <linux/sched.h>
59566d
+#include <linux/sysrq.h>
135abd
+#include <asm/setup.h>
135abd
8cf006
 #ifndef CONFIG_LOCK_DOWN_MANDATORY
135abd
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
59566d
+static __read_mostly bool kernel_locked_down;
59566d
+#else
59566d
 static __ro_after_init bool kernel_locked_down;
59566d
+#endif
8cf006
 #else
8cf006
 #define kernel_locked_down true
8cf006
 #endif
8cf006
@@ -63,3 +69,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
59566d
 	return kernel_locked_down;
59566d
 }
59566d
 EXPORT_SYMBOL(__kernel_is_locked_down);
59566d
+
135abd
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
135abd
+
59566d
+/*
59566d
+ * Take the kernel out of lockdown mode.
59566d
+ */
59566d
+static void lift_kernel_lockdown(void)
59566d
+{
59566d
+	pr_notice("Lifting lockdown\n");
59566d
+	kernel_locked_down = false;
59566d
+}
59566d
+
59566d
+/*
59566d
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
59566d
+ * echoing the appropriate letter into the sysrq-trigger file).
59566d
+ */
59566d
+static void sysrq_handle_lockdown_lift(int key)
59566d
+{
59566d
+	if (kernel_locked_down)
59566d
+		lift_kernel_lockdown();
59566d
+}
59566d
+
59566d
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
59566d
+	.handler	= sysrq_handle_lockdown_lift,
59566d
+	.help_msg	= "unSB(x)",
59566d
+	.action_msg	= "Disabling Secure Boot restrictions",
59566d
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
59566d
+};
59566d
+
59566d
+static int __init lockdown_lift_sysrq(void)
59566d
+{
59566d
+	if (kernel_locked_down) {
59566d
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
59566d
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
59566d
+	}
59566d
+	return 0;
59566d
+}
59566d
+
59566d
+late_initcall(lockdown_lift_sysrq);
59566d
+
135abd
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
135abd
-- 
f20e0a
2.14.3
f20e0a
8cf006
From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
f20e0a
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:45 +0100
8cf006
Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
f20e0a
f20e0a
Require the "secure_boot" rules, whether or not it is specified
f20e0a
on the boot command line, for both the builtin and custom policies
f20e0a
in secure boot lockdown mode.
f20e0a
f20e0a
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
---
f20e0a
 security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++----------
f20e0a
 1 file changed, 29 insertions(+), 10 deletions(-)
f20e0a
f20e0a
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
8cf006
index d89bebf85421..da6f55c96a61 100644
f20e0a
--- a/security/integrity/ima/ima_policy.c
f20e0a
+++ b/security/integrity/ima/ima_policy.c
8cf006
@@ -443,14 +443,21 @@ void ima_update_policy_flag(void)
f20e0a
  */
f20e0a
 void __init ima_init_policy(void)
f20e0a
 {
f20e0a
-	int i, measure_entries, appraise_entries, secure_boot_entries;
f20e0a
+	int i;
f20e0a
+	int measure_entries = 0;
f20e0a
+	int appraise_entries = 0;
f20e0a
+	int secure_boot_entries = 0;
f20e0a
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
f20e0a
f20e0a
 	/* if !ima_policy set entries = 0 so we load NO default rules */
f20e0a
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
f20e0a
-	appraise_entries = ima_use_appraise_tcb ?
f20e0a
-			 ARRAY_SIZE(default_appraise_rules) : 0;
f20e0a
-	secure_boot_entries = ima_use_secure_boot ?
f20e0a
-			ARRAY_SIZE(secure_boot_rules) : 0;
f20e0a
+	if (ima_policy)
f20e0a
+		measure_entries = ARRAY_SIZE(dont_measure_rules);
f20e0a
+
f20e0a
+	if (ima_use_appraise_tcb)
f20e0a
+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
f20e0a
+
f20e0a
+	if (ima_use_secure_boot || kernel_locked_down)
f20e0a
+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
f20e0a
f20e0a
 	for (i = 0; i < measure_entries; i++)
f20e0a
 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
8cf006
@@ -471,11 +478,23 @@ void __init ima_init_policy(void)
f20e0a
f20e0a
 	/*
f20e0a
 	 * Insert the appraise rules requiring file signatures, prior to
f20e0a
-	 * any other appraise rules.
f20e0a
+	 * any other appraise rules.  In secure boot lock-down mode, also
f20e0a
+	 * require these appraise rules for custom policies.
f20e0a
 	 */
f20e0a
-	for (i = 0; i < secure_boot_entries; i++)
f20e0a
-		list_add_tail(&secure_boot_rules[i].list,
f20e0a
-			      &ima_default_rules);
f20e0a
+	for (i = 0; i < secure_boot_entries; i++) {
f20e0a
+		struct ima_rule_entry *entry;
f20e0a
+
f20e0a
+		/* Include for builtin policies */
f20e0a
+		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
f20e0a
+
f20e0a
+		/* Include for custom policies */
f20e0a
+		if (kernel_locked_down) {
f20e0a
+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
f20e0a
+					GFP_KERNEL);
f20e0a
+			if (entry)
f20e0a
+				list_add_tail(&entry->list, &ima_policy_rules);
f20e0a
+		}
f20e0a
+	}
59566d
f20e0a
 	for (i = 0; i < appraise_entries; i++) {
f20e0a
 		list_add_tail(&default_appraise_rules[i].list,
f20e0a
-- 
f20e0a
2.14.3
f20e0a
8cf006
From 64b01ecc309c8ae79209e00dd8b95a549e5050b7 Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:46 +0100
8cf006
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
59566d
59566d
If the kernel is locked down, require that all modules have valid
f20e0a
signatures that we can verify or that IMA can validate the file.
f20e0a
f20e0a
I have adjusted the errors generated:
f20e0a
f20e0a
 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
f20e0a
     ENOKEY), then:
f20e0a
f20e0a
     (a) If signatures are enforced then EKEYREJECTED is returned.
f20e0a
f20e0a
     (b) If IMA will have validated the image, return 0 (okay).
f20e0a
f20e0a
     (c) If there's no signature or we can't check it, but the kernel is
f20e0a
	 locked down then EPERM is returned (this is then consistent with
f20e0a
	 other lockdown cases).
f20e0a
f20e0a
 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
f20e0a
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
f20e0a
     return the error we got.
f20e0a
f20e0a
Note that the X.509 code doesn't check for key expiry as the RTC might not
f20e0a
be valid or might not have been transferred to the kernel's clock yet.
59566d
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
f20e0a
cc: "Lee, Chun-Yi" <jlee@suse.com>
f20e0a
cc: James Morris <james.l.morris@oracle.com>
59566d
---
f20e0a
 kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++++++++-------------
f20e0a
 1 file changed, 43 insertions(+), 13 deletions(-)
59566d
59566d
diff --git a/kernel/module.c b/kernel/module.c
8cf006
index a6e43a5806a1..9c1709a05037 100644
59566d
--- a/kernel/module.c
59566d
+++ b/kernel/module.c
f20e0a
@@ -64,6 +64,7 @@
f20e0a
 #include <linux/bsearch.h>
f20e0a
 #include <linux/dynamic_debug.h>
f20e0a
 #include <linux/audit.h>
f20e0a
+#include <linux/ima.h>
f20e0a
 #include <uapi/linux/module.h>
f20e0a
 #include "module-internal.h"
f20e0a
8cf006
@@ -2761,10 +2762,12 @@ static inline void kmemleak_load_module(const struct module *mod,
f20e0a
 #endif
f20e0a
f20e0a
 #ifdef CONFIG_MODULE_SIG
f20e0a
-static int module_sig_check(struct load_info *info, int flags)
f20e0a
+static int module_sig_check(struct load_info *info, int flags,
f20e0a
+			    bool can_do_ima_check)
f20e0a
 {
f20e0a
-	int err = -ENOKEY;
f20e0a
+	int err = -ENODATA;
f20e0a
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
f20e0a
+	const char *reason;
f20e0a
 	const void *mod = info->hdr;
f20e0a
f20e0a
 	/*
8cf006
@@ -2779,19 +2782,46 @@ static int module_sig_check(struct load_info *info, int flags)
f20e0a
 		err = mod_verify_sig(mod, &info->len);
59566d
 	}
135abd
f20e0a
-	if (!err) {
f20e0a
+	switch (err) {
f20e0a
+	case 0:
f20e0a
 		info->sig_ok = true;
f20e0a
 		return 0;
f20e0a
-	}
f20e0a
f20e0a
-	/* Not having a signature is only an error if we're strict. */
59566d
-	if (err == -ENOKEY && !sig_enforce)
f20e0a
-		err = 0;
f20e0a
+		/* We don't permit modules to be loaded into trusted kernels
f20e0a
+		 * without a valid signature on them, but if we're not
f20e0a
+		 * enforcing, certain errors are non-fatal.
f20e0a
+		 */
f20e0a
+	case -ENODATA:
f20e0a
+		reason = "Loading of unsigned module";
f20e0a
+		goto decide;
f20e0a
+	case -ENOPKG:
f20e0a
+		reason = "Loading of module with unsupported crypto";
f20e0a
+		goto decide;
f20e0a
+	case -ENOKEY:
f20e0a
+		reason = "Loading of module with unavailable key";
f20e0a
+	decide:
f20e0a
+		if (sig_enforce) {
f20e0a
+			pr_notice("%s is rejected\n", reason);
f20e0a
+			return -EKEYREJECTED;
f20e0a
+		}
f20e0a
f20e0a
-	return err;
f20e0a
+		if (can_do_ima_check && is_ima_appraise_enabled())
f20e0a
+			return 0;
f20e0a
+		if (kernel_is_locked_down(reason))
f20e0a
+			return -EPERM;
f20e0a
+		return 0;
f20e0a
+
f20e0a
+		/* All other errors are fatal, including nomem, unparseable
f20e0a
+		 * signatures and signature check failures - even if signatures
f20e0a
+		 * aren't required.
f20e0a
+		 */
f20e0a
+	default:
f20e0a
+		return err;
f20e0a
+	}
f20e0a
 }
f20e0a
 #else /* !CONFIG_MODULE_SIG */
f20e0a
-static int module_sig_check(struct load_info *info, int flags)
f20e0a
+static int module_sig_check(struct load_info *info, int flags,
f20e0a
+			    bool can_do_ima_check)
f20e0a
 {
f20e0a
 	return 0;
f20e0a
 }
8cf006
@@ -3651,13 +3681,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
f20e0a
 /* Allocate and load the module: note that size of section 0 is always
f20e0a
    zero, and we rely on this for optional sections. */
f20e0a
 static int load_module(struct load_info *info, const char __user *uargs,
f20e0a
-		       int flags)
f20e0a
+		       int flags, bool can_do_ima_check)
f20e0a
 {
f20e0a
 	struct module *mod;
f20e0a
 	long err;
f20e0a
 	char *after_dashes;
f20e0a
f20e0a
-	err = module_sig_check(info, flags);
f20e0a
+	err = module_sig_check(info, flags, can_do_ima_check);
f20e0a
 	if (err)
f20e0a
 		goto free_copy;
f20e0a
8cf006
@@ -3846,7 +3876,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
f20e0a
 	if (err)
f20e0a
 		return err;
f20e0a
f20e0a
-	return load_module(&info, uargs, 0);
f20e0a
+	return load_module(&info, uargs, 0, false);
f20e0a
 }
f20e0a
f20e0a
 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
8cf006
@@ -3873,7 +3903,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
f20e0a
 	info.hdr = hdr;
f20e0a
 	info.len = size;
f20e0a
f20e0a
-	return load_module(&info, uargs, flags);
f20e0a
+	return load_module(&info, uargs, flags, true);
f20e0a
 }
59566d
f20e0a
 static inline int within(unsigned long addr, void *start, unsigned long size)
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:46 +0100
8cf006
Subject: [PATCH 05/24] Restrict /dev/{mem,kmem,port} when the kernel is locked
006f5b
 down
006f5b
006f5b
Allowing users to read and write to core kernel memory makes it possible
006f5b
for the kernel to be subverted, avoiding module loading restrictions, and
006f5b
also to steal cryptographic information.
006f5b
006f5b
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
006f5b
been locked down to prevent this.
59566d
006f5b
Also disallow /dev/port from being opened to prevent raw ioport access and
006f5b
thus DMA from being used to accomplish the same thing.
59566d
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
---
006f5b
 drivers/char/mem.c | 2 ++
006f5b
 1 file changed, 2 insertions(+)
59566d
59566d
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
8cf006
index ffeb60d3434c..b2fca26e5765 100644
59566d
--- a/drivers/char/mem.c
59566d
+++ b/drivers/char/mem.c
f20e0a
@@ -784,6 +784,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
135abd
006f5b
 static int open_port(struct inode *inode, struct file *filp)
006f5b
 {
006f5b
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
59566d
+		return -EPERM;
006f5b
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
006f5b
 }
135abd
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From a19b6b9637f114388cc7087176860eee962cac79 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:46 +0100
8cf006
Subject: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
f20e0a
 down
962ea4
f20e0a
The kexec_load() syscall permits the loading and execution of arbitrary
f20e0a
code in ring 0, which is something that lock-down is meant to prevent. It
f20e0a
makes sense to disable kexec_load() in this situation.
962ea4
f20e0a
This does not affect kexec_file_load() syscall which can check for a
f20e0a
signature on the image to be booted.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Dave Young <dyoung@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
006f5b
Reviewed-by: James Morris <james.l.morris@oracle.com>
59566d
cc: kexec@lists.infradead.org
962ea4
---
135abd
 kernel/kexec.c | 7 +++++++
962ea4
 1 file changed, 7 insertions(+)
962ea4
962ea4
diff --git a/kernel/kexec.c b/kernel/kexec.c
8cf006
index aed8fb2564b3..1553ac765e73 100644
962ea4
--- a/kernel/kexec.c
962ea4
+++ b/kernel/kexec.c
8cf006
@@ -199,6 +199,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
f20e0a
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
962ea4
 		return -EPERM;
135abd
f20e0a
+	/*
962ea4
+	 * kexec can be used to circumvent module loading restrictions, so
962ea4
+	 * prevent loading in that case
962ea4
+	 */
59566d
+	if (kernel_is_locked_down("kexec of unsigned images"))
962ea4
+		return -EPERM;
962ea4
+
f20e0a
 	/*
962ea4
 	 * Verify we have a legal set of flags
962ea4
 	 * This leaves us room for future extensions.
135abd
-- 
f20e0a
2.14.3
962ea4
8cf006
From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001
962ea4
From: Josh Boyer <jwboyer@fedoraproject.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:47 +0100
8cf006
Subject: [PATCH 07/24] hibernate: Disable when the kernel is locked down
962ea4
962ea4
There is currently no way to verify the resume image when returning
962ea4
from hibernate.  This might compromise the signed modules trust model,
962ea4
so until we can work with signed hibernate images we disable it when the
962ea4
kernel is locked down.
962ea4
962ea4
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: linux-pm@vger.kernel.org
962ea4
---
135abd
 kernel/power/hibernate.c | 2 +-
962ea4
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4
962ea4
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
8cf006
index 5454cc639a8d..629f158f5a0c 100644
962ea4
--- a/kernel/power/hibernate.c
962ea4
+++ b/kernel/power/hibernate.c
59566d
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
135abd
962ea4
 bool hibernation_available(void)
962ea4
 {
962ea4
-	return (nohibernate == 0);
59566d
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
962ea4
 }
962ea4
135abd
 /**
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From 8732c1663d7c0305ae01ba5a1ee4d2299b7b4612 Mon Sep 17 00:00:00 2001
962ea4
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:47 +0100
8cf006
Subject: [PATCH 08/24] uswsusp: Disable when the kernel is locked down
962ea4
962ea4
uswsusp allows a user process to dump and then restore kernel state, which
962ea4
makes it possible to modify the running kernel.  Disable this if the kernel
962ea4
is locked down.
962ea4
962ea4
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
006f5b
Reviewed-by: James Morris <james.l.morris@oracle.com>
59566d
cc: linux-pm@vger.kernel.org
962ea4
---
135abd
 kernel/power/user.c | 3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/kernel/power/user.c b/kernel/power/user.c
8cf006
index 75c959de4b29..959b336d8eca 100644
962ea4
--- a/kernel/power/user.c
962ea4
+++ b/kernel/power/user.c
962ea4
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
962ea4
 	if (!hibernation_available())
962ea4
 		return -EPERM;
135abd
59566d
+	if (kernel_is_locked_down("/dev/snapshot"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	lock_system_sleep();
962ea4
135abd
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From 4f5f0aae410d1929872eec346954c85e3a85f4f3 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:48 +0100
8cf006
Subject: [PATCH 09/24] PCI: Lock down BAR access when the kernel is locked
135abd
 down
962ea4
962ea4
Any hardware that can potentially generate DMA has to be locked down in
962ea4
order to avoid it being possible for an attacker to modify kernel code,
962ea4
allowing them to circumvent disabled module loading or module signing.
962ea4
Default to paranoid - in future we can potentially relax this for
962ea4
sufficiently IOMMU-isolated devices.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: linux-pci@vger.kernel.org
962ea4
---
135abd
 drivers/pci/pci-sysfs.c | 9 +++++++++
135abd
 drivers/pci/proc.c      | 9 ++++++++-
135abd
 drivers/pci/syscall.c   | 3 ++-
59566d
 3 files changed, 19 insertions(+), 2 deletions(-)
962ea4
962ea4
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
8cf006
index 366d93af051d..1e149ec006a4 100644
962ea4
--- a/drivers/pci/pci-sysfs.c
962ea4
+++ b/drivers/pci/pci-sysfs.c
8cf006
@@ -903,6 +903,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
962ea4
 	loff_t init_off = off;
962ea4
 	u8 *data = (u8 *) buf;
135abd
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (off > dev->cfg_size)
962ea4
 		return 0;
962ea4
 	if (off + count > dev->cfg_size) {
8cf006
@@ -1165,6 +1168,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
bd3278
 	enum pci_mmap_state mmap_type;
bd3278
 	struct resource *res = &pdev->resource[bar];
135abd
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
bd3278
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
bd3278
 		return -EINVAL;
135abd
8cf006
@@ -1240,6 +1246,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
962ea4
 				     struct bin_attribute *attr, char *buf,
962ea4
 				     loff_t off, size_t count)
962ea4
 {
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
962ea4
 }
135abd
962ea4
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
8cf006
index 1ee8927a0635..469445a9019b 100644
962ea4
--- a/drivers/pci/proc.c
962ea4
+++ b/drivers/pci/proc.c
f20e0a
@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
962ea4
 	int size = dev->cfg_size;
962ea4
 	int cnt;
135abd
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (pos >= size)
962ea4
 		return 0;
962ea4
 	if (nbytes >= size)
f20e0a
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
962ea4
 #endif /* HAVE_PCI_MMAP */
962ea4
 	int ret = 0;
135abd
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	switch (cmd) {
962ea4
 	case PCIIOC_CONTROLLER:
962ea4
 		ret = pci_domain_nr(dev->bus);
f20e0a
@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
962ea4
 	struct pci_filp_private *fpriv = file->private_data;
bd3278
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
135abd
962ea4
-	if (!capable(CAP_SYS_RAWIO))
59566d
+	if (!capable(CAP_SYS_RAWIO) ||
59566d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4
 		return -EPERM;
135abd
bd3278
 	if (fpriv->mmap_state == pci_mmap_io) {
962ea4
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
8cf006
index d96626c614f5..b8a08d3166a1 100644
962ea4
--- a/drivers/pci/syscall.c
962ea4
+++ b/drivers/pci/syscall.c
8cf006
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
962ea4
 	u32 dword;
962ea4
 	int err = 0;
135abd
962ea4
-	if (!capable(CAP_SYS_ADMIN))
59566d
+	if (!capable(CAP_SYS_ADMIN) ||
59566d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4
 		return -EPERM;
962ea4
bf681f
 	dev = pci_get_domain_bus_and_slot(0, bus, dfn);
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From 677537cdec42804f1936b57ffaa6181f633bc015 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:48 +0100
8cf006
Subject: [PATCH 10/24] x86: Lock down IO port access when the kernel is locked
135abd
 down
962ea4
962ea4
IO port access would permit users to gain access to PCI configuration
962ea4
registers, which in turn (on a lot of hardware) give access to MMIO
962ea4
register space. This would potentially permit root to trigger arbitrary
962ea4
DMA, so lock it down by default.
962ea4
962ea4
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
962ea4
KDDISABIO console ioctls.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: x86@kernel.org
962ea4
---
135abd
 arch/x86/kernel/ioport.c | 6 ++++--
006f5b
 1 file changed, 4 insertions(+), 2 deletions(-)
962ea4
962ea4
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
8cf006
index 0fe1c8782208..abc702a6ae9c 100644
962ea4
--- a/arch/x86/kernel/ioport.c
962ea4
+++ b/arch/x86/kernel/ioport.c
8cf006
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
135abd
962ea4
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
962ea4
 		return -EINVAL;
962ea4
-	if (turn_on && !capable(CAP_SYS_RAWIO))
59566d
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
59566d
+			kernel_is_locked_down("ioperm")))
962ea4
 		return -EPERM;
135abd
962ea4
 	/*
8cf006
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
962ea4
 		return -EINVAL;
962ea4
 	/* Trying to gain more privileges? */
962ea4
 	if (level > old) {
962ea4
-		if (!capable(CAP_SYS_RAWIO))
59566d
+		if (!capable(CAP_SYS_RAWIO) ||
59566d
+		    kernel_is_locked_down("iopl"))
962ea4
 			return -EPERM;
962ea4
 	}
962ea4
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From f005be07fababf8c698a556fe465871ad168c9d9 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:48 +0100
8cf006
Subject: [PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked
135abd
 down
962ea4
962ea4
Writing to MSRs should not be allowed if the kernel is locked down, since
962ea4
it could lead to execution of arbitrary code in kernel mode.  Based on a
962ea4
patch by Kees Cook.
962ea4
006f5b
MSR accesses are logged for the purposes of building up a whitelist as per
006f5b
Alan Cox's suggestion.
006f5b
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Kees Cook <keescook@chromium.org>
59566d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: x86@kernel.org
962ea4
---
006f5b
 arch/x86/kernel/msr.c | 10 ++++++++++
006f5b
 1 file changed, 10 insertions(+)
962ea4
962ea4
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
006f5b
index ef688804f80d..dfb61d358196 100644
962ea4
--- a/arch/x86/kernel/msr.c
962ea4
+++ b/arch/x86/kernel/msr.c
006f5b
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
962ea4
 	int err = 0;
962ea4
 	ssize_t bytes = 0;
135abd
006f5b
+	if (kernel_is_locked_down("Direct MSR access")) {
006f5b
+		pr_info("Direct access to MSR %x\n", reg);
962ea4
+		return -EPERM;
006f5b
+	}
962ea4
+
962ea4
 	if (count % 8)
962ea4
 		return -EINVAL;	/* Invalid chunk size */
135abd
006f5b
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
006f5b
 			err = -EFAULT;
962ea4
 			break;
962ea4
 		}
59566d
+		if (kernel_is_locked_down("Direct MSR access")) {
006f5b
+			pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
962ea4
+			err = -EPERM;
962ea4
+			break;
962ea4
+		}
006f5b
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
006f5b
 		if (err)
962ea4
 			break;
135abd
-- 
f20e0a
2.14.3
135abd
8cf006
From 0a48b7c936757dda851ab2d3ecde7f6a79de7a5b Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
8cf006
Date: Mon, 9 Apr 2018 09:52:48 +0100
8cf006
Subject: [PATCH 12/24] ACPI: Limit access to custom_method when the kernel is
135abd
 locked down
962ea4
962ea4
custom_method effectively allows arbitrary access to system memory, making
962ea4
it possible for an attacker to circumvent restrictions on module loading.
962ea4
Disable it if the kernel is locked down.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
135abd
 drivers/acpi/custom_method.c | 3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
8cf006
index e967c1173ba3..a07fbe999eb6 100644
962ea4
--- a/drivers/acpi/custom_method.c
962ea4
+++ b/drivers/acpi/custom_method.c
962ea4
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
962ea4
 	struct acpi_table_header table;
962ea4
 	acpi_status status;
135abd
59566d
+	if (kernel_is_locked_down("ACPI custom methods"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (!(*ppos)) {
962ea4
 		/* parse the table header to get the table length */
962ea4
 		if (count <= sizeof(struct acpi_table_header))
135abd
-- 
f20e0a
2.14.3
962ea4
8cf006
From 2ed74b084366d7dba7b4a611ba13d99b82c4e11e Mon Sep 17 00:00:00 2001
962ea4
From: Josh Boyer <jwboyer@redhat.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:49 +0100
8cf006
Subject: [PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
135abd
 been locked down
962ea4
962ea4
This option allows userspace to pass the RSDP address to the kernel, which
59566d
makes it possible for a user to modify the workings of hardware .  Reject
59566d
the option when the kernel is locked down.
962ea4
962ea4
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: Dave Young <dyoung@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
135abd
 drivers/acpi/osl.c | 2 +-
962ea4
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4
962ea4
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
8cf006
index 7ca41bf023c9..34e4ce7939f4 100644
962ea4
--- a/drivers/acpi/osl.c
962ea4
+++ b/drivers/acpi/osl.c
c796f8
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
71c4e8
 	acpi_physical_address pa;
135abd
962ea4
 #ifdef CONFIG_KEXEC
962ea4
-	if (acpi_rsdp)
59566d
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
962ea4
 		return acpi_rsdp;
962ea4
 #endif
71c4e8
 	pa = acpi_arch_get_root_pointer();
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From 7fb2ddf683c23cc4b227d7d75a5d039970ca910e Mon Sep 17 00:00:00 2001
962ea4
From: Linn Crosetto <linn@hpe.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:49 +0100
8cf006
Subject: [PATCH 14/24] acpi: Disable ACPI table override if the kernel is
135abd
 locked down
962ea4
135abd
From the kernel documentation (initrd_table_override.txt):
962ea4
962ea4
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
962ea4
  to override nearly any ACPI table provided by the BIOS with an
962ea4
  instrumented, modified one.
962ea4
962ea4
When securelevel is set, the kernel should disallow any unauthenticated
962ea4
changes to kernel space.  ACPI tables contain code invoked by the kernel,
962ea4
so do not allow ACPI tables to be overridden if the kernel is locked down.
962ea4
962ea4
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
135abd
 drivers/acpi/tables.c | 5 +++++
962ea4
 1 file changed, 5 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
8cf006
index 849c4fb19b03..6c5ee7e66842 100644
962ea4
--- a/drivers/acpi/tables.c
962ea4
+++ b/drivers/acpi/tables.c
f20e0a
@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void)
962ea4
 	if (table_nr == 0)
962ea4
 		return;
135abd
59566d
+	if (kernel_is_locked_down("ACPI table override")) {
962ea4
+		pr_notice("kernel is locked down, ignoring table override\n");
962ea4
+		return;
962ea4
+	}
962ea4
+
962ea4
 	acpi_tables_addr =
962ea4
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
962ea4
 				       all_tables_size, PAGE_SIZE);
135abd
-- 
f20e0a
2.14.3
962ea4
8cf006
From d1ff6505c76cec9438217f2c284f024a1ac2ac59 Mon Sep 17 00:00:00 2001
962ea4
From: Linn Crosetto <linn@hpe.com>
8cf006
Date: Mon, 9 Apr 2018 09:52:50 +0100
8cf006
Subject: [PATCH 15/24] acpi: Disable APEI error injection if the kernel is
135abd
 locked down
962ea4
962ea4
ACPI provides an error injection mechanism, EINJ, for debugging and testing
962ea4
the ACPI Platform Error Interface (APEI) and other RAS features.  If
962ea4
supported by the firmware, ACPI specification 5.0 and later provide for a
962ea4
way to specify a physical memory address to which to inject the error.
962ea4
962ea4
Injecting errors through EINJ can produce errors which to the platform are
962ea4
indistinguishable from real hardware errors.  This can have undesirable
962ea4
side-effects, such as causing the platform to mark hardware as needing
962ea4
replacement.
962ea4
962ea4
While it does not provide a method to load unauthenticated privileged code,
962ea4
the effect of these errors may persist across reboots and affect trust in
962ea4
the underlying hardware, so disable error injection through EINJ if
962ea4
the kernel is locked down.
962ea4
962ea4
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
135abd
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
135abd
 drivers/acpi/apei/einj.c | 3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
59566d
index b38737c83a24..6d71e1e97b20 100644
962ea4
--- a/drivers/acpi/apei/einj.c
962ea4
+++ b/drivers/acpi/apei/einj.c
962ea4
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
962ea4
 	int rc;
962ea4
 	u64 base_addr, size;
135abd
59566d
+	if (kernel_is_locked_down("ACPI error injection"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	/* If user manually set "flags", make sure it is legal */
962ea4
 	if (flags && (flags &
962ea4
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
135abd
-- 
f20e0a
2.14.3
962ea4
8cf006
From 3153be0328e3a752aacab95d503fbd460f517402 Mon Sep 17 00:00:00 2001
962ea4
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:37 +0100
8cf006
Subject: [PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked
135abd
 down
962ea4
962ea4
Prohibit replacement of the PCMCIA Card Information Structure when the
962ea4
kernel is locked down.
962ea4
59566d
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-pcmcia@lists.infradead.org
962ea4
---
135abd
 drivers/pcmcia/cistpl.c | 3 +++
59566d
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
f20e0a
index 102646fedb56..e46c948d7246 100644
962ea4
--- a/drivers/pcmcia/cistpl.c
962ea4
+++ b/drivers/pcmcia/cistpl.c
59566d
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
962ea4
 	struct pcmcia_socket *s;
962ea4
 	int error;
135abd
59566d
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	s = to_socket(container_of(kobj, struct device, kobj));
135abd
962ea4
 	if (off)
135abd
-- 
f20e0a
2.14.3
962ea4
8cf006
From 9fedc1427e8589edf2e16a481f8588711adba69a Mon Sep 17 00:00:00 2001
962ea4
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:37 +0100
8cf006
Subject: [PATCH 17/24] Lock down TIOCSSERIAL
962ea4
962ea4
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
962ea4
settings on a serial port.  This only appears to be an issue for the serial
962ea4
drivers that use the core serial code.  All other drivers seem to either
962ea4
ignore attempts to change port/irq or give an error.
962ea4
962ea4
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Jiri Slaby <jslaby@suse.com>
962ea4
---
135abd
 drivers/tty/serial/serial_core.c | 6 ++++++
962ea4
 1 file changed, 6 insertions(+)
962ea4
962ea4
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
8cf006
index 0466f9f08a91..360f8e4416c4 100644
962ea4
--- a/drivers/tty/serial/serial_core.c
962ea4
+++ b/drivers/tty/serial/serial_core.c
f20e0a
@@ -829,6 +829,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
7c0c57
 	new_flags = (__force upf_t)new_info->flags;
962ea4
 	old_custom_divisor = uport->custom_divisor;
135abd
59566d
+	if ((change_port || change_irq) &&
59566d
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
962ea4
+		retval = -EPERM;
962ea4
+		goto exit;
962ea4
+	}
962ea4
+
962ea4
 	if (!capable(CAP_SYS_ADMIN)) {
962ea4
 		retval = -EPERM;
962ea4
 		if (change_irq || change_port ||
135abd
-- 
f20e0a
2.14.3
c796f8
8cf006
From f8fd52e2b077ce5a993807f8fc6e27a17cf4d19f Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:37 +0100
8cf006
Subject: [PATCH 18/24] Lock down module params that specify hardware
135abd
 parameters (eg. ioport)
59566d
59566d
Provided an annotation for module parameters that specify hardware
59566d
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
59566d
dma buffers and other types).
59566d
59566d
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
---
135abd
 kernel/params.c | 26 +++++++++++++++++++++-----
59566d
 1 file changed, 21 insertions(+), 5 deletions(-)
59566d
59566d
diff --git a/kernel/params.c b/kernel/params.c
f20e0a
index cc9108c2a1fd..2c08c4aa376b 100644
59566d
--- a/kernel/params.c
59566d
+++ b/kernel/params.c
59566d
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
59566d
 	return parameqn(a, b, strlen(a)+1);
59566d
 }
135abd
59566d
-static void param_check_unsafe(const struct kernel_param *kp)
59566d
+static bool param_check_unsafe(const struct kernel_param *kp,
59566d
+			       const char *doing)
59566d
 {
59566d
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
df0ed2
 		pr_notice("Setting dangerous option %s - tainting kernel\n",
df0ed2
 			  kp->name);
59566d
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
59566d
 	}
59566d
+
59566d
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
59566d
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
59566d
+		return false;
59566d
+	return true;
59566d
 }
135abd
59566d
 static int parse_one(char *param,
59566d
@@ -144,8 +150,10 @@ static int parse_one(char *param,
59566d
 			pr_debug("handling %s with %p\n", param,
59566d
 				params[i].ops->set);
59566d
 			kernel_param_lock(params[i].mod);
59566d
-			param_check_unsafe(&params[i]);
59566d
-			err = params[i].ops->set(val, &params[i]);
59566d
+			if (param_check_unsafe(&params[i], doing))
59566d
+				err = params[i].ops->set(val, &params[i]);
59566d
+			else
59566d
+				err = -EPERM;
59566d
 			kernel_param_unlock(params[i].mod);
59566d
 			return err;
59566d
 		}
f20e0a
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
59566d
 	return count;
59566d
 }
135abd
59566d
+#ifdef CONFIG_MODULES
59566d
+#define mod_name(mod) (mod)->name
59566d
+#else
59566d
+#define mod_name(mod) "unknown"
59566d
+#endif
59566d
+
59566d
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
59566d
 static ssize_t param_attr_store(struct module_attribute *mattr,
59566d
 				struct module_kobject *mk,
f20e0a
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
59566d
 		return -EPERM;
135abd
59566d
 	kernel_param_lock(mk->mod);
59566d
-	param_check_unsafe(attribute->param);
59566d
-	err = attribute->param->ops->set(buf, attribute->param);
59566d
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
59566d
+		err = attribute->param->ops->set(buf, attribute->param);
59566d
+	else
59566d
+		err = -EPERM;
59566d
 	kernel_param_unlock(mk->mod);
59566d
 	if (!err)
59566d
 		return len;
135abd
-- 
f20e0a
2.14.3
59566d
8cf006
From 9c88e2ab392f5ac9c80529e43175fe65d00cdb67 Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:38 +0100
8cf006
Subject: [PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module
59566d
59566d
The testmmiotrace module shouldn't be permitted when the kernel is locked
59566d
down as it can be used to arbitrarily read and write MMIO space.
59566d
59566d
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
59566d
Signed-off-by: David Howells 
59566d
cc: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: Steven Rostedt <rostedt@goodmis.org>
59566d
cc: Ingo Molnar <mingo@kernel.org>
59566d
cc: "H. Peter Anvin" <hpa@zytor.com>
59566d
cc: x86@kernel.org
59566d
---
135abd
 arch/x86/mm/testmmiotrace.c | 3 +++
59566d
 1 file changed, 3 insertions(+)
59566d
59566d
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
59566d
index f6ae6830b341..bbaad357f5d7 100644
59566d
--- a/arch/x86/mm/testmmiotrace.c
59566d
+++ b/arch/x86/mm/testmmiotrace.c
59566d
@@ -115,6 +115,9 @@ static int __init init(void)
59566d
 {
59566d
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
135abd
59566d
+	if (kernel_is_locked_down("MMIO trace testing"))
59566d
+		return -EPERM;
59566d
+
59566d
 	if (mmio_address == 0) {
59566d
 		pr_err("you have to use the module argument mmio_address.\n");
59566d
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
135abd
-- 
f20e0a
2.14.3
f20e0a
8cf006
From 256e20401f9f5dd19028d4220095897a15daa67c Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:38 +0100
8cf006
Subject: [PATCH 20/24] Lock down /proc/kcore
f20e0a
f20e0a
Disallow access to /proc/kcore when the kernel is locked down to prevent
f20e0a
access to cryptographic data.
f20e0a
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
Reviewed-by: James Morris <james.l.morris@oracle.com>
f20e0a
---
f20e0a
 fs/proc/kcore.c | 2 ++
f20e0a
 1 file changed, 2 insertions(+)
f20e0a
f20e0a
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
f20e0a
index d1e82761de81..cdebdee81719 100644
f20e0a
--- a/fs/proc/kcore.c
f20e0a
+++ b/fs/proc/kcore.c
f20e0a
@@ -546,6 +546,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
f20e0a
f20e0a
 static int open_kcore(struct inode *inode, struct file *filp)
f20e0a
 {
f20e0a
+	if (kernel_is_locked_down("/proc/kcore"))
f20e0a
+		return -EPERM;
f20e0a
 	if (!capable(CAP_SYS_RAWIO))
f20e0a
 		return -EPERM;
f20e0a
f20e0a
-- 
f20e0a
2.14.3
f20e0a
8cf006
From f68ca24bc8d8a64cf30e59a595fad0e6782e933f Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:38 +0100
8cf006
Subject: [PATCH 21/24] Lock down kprobes
f20e0a
f20e0a
Disallow the creation of kprobes when the kernel is locked down by
f20e0a
preventing their registration.  This prevents kprobes from being used to
f20e0a
access kernel memory, either to make modifications or to steal crypto data.
f20e0a
f20e0a
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
---
f20e0a
 kernel/kprobes.c | 3 +++
f20e0a
 1 file changed, 3 insertions(+)
f20e0a
f20e0a
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
f20e0a
index 102160ff5c66..4f5757732553 100644
f20e0a
--- a/kernel/kprobes.c
f20e0a
+++ b/kernel/kprobes.c
f20e0a
@@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p)
f20e0a
 	struct module *probed_mod;
f20e0a
 	kprobe_opcode_t *addr;
f20e0a
f20e0a
+	if (kernel_is_locked_down("Use of kprobes"))
f20e0a
+		return -EPERM;
f20e0a
+
f20e0a
 	/* Adjust probe address from symbol */
f20e0a
 	addr = kprobe_addr(p);
f20e0a
 	if (IS_ERR(addr))
f20e0a
-- 
f20e0a
2.14.3
f20e0a
8cf006
From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:38 +0100
8cf006
Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
f20e0a
 kernel is locked down
f20e0a
f20e0a
There are some bpf functions can be used to read kernel memory:
f20e0a
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
f20e0a
private keys in kernel memory (e.g. the hibernation image signing key) to
8cf006
be read by an eBPF program.
f20e0a
f20e0a
Completely prohibit the use of BPF when the kernel is locked down.
f20e0a
f20e0a
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
cc: netdev@vger.kernel.org
f20e0a
cc: Chun-Yi Lee <jlee@suse.com>
f20e0a
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
f20e0a
---
f20e0a
 kernel/bpf/syscall.c | 3 +++
f20e0a
 1 file changed, 3 insertions(+)
f20e0a
f20e0a
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
8cf006
index 0244973ee544..7457f2676c6d 100644
f20e0a
--- a/kernel/bpf/syscall.c
f20e0a
+++ b/kernel/bpf/syscall.c
8cf006
@@ -2031,6 +2031,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
a253e4
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
f20e0a
 		return -EPERM;
f20e0a
f20e0a
+	if (kernel_is_locked_down("BPF"))
f20e0a
+		return -EPERM;
f20e0a
+
f20e0a
 	err = check_uarg_tail_zero(uattr, sizeof(attr), size);
f20e0a
 	if (err)
f20e0a
 		return err;
f20e0a
-- 
f20e0a
2.14.3
f20e0a
8cf006
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:38 +0100
8cf006
Subject: [PATCH 23/24] Lock down perf
f20e0a
f20e0a
Disallow the use of certain perf facilities that might allow userspace to
f20e0a
access kernel data.
f20e0a
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
---
f20e0a
 kernel/events/core.c | 5 +++++
f20e0a
 1 file changed, 5 insertions(+)
f20e0a
f20e0a
diff --git a/kernel/events/core.c b/kernel/events/core.c
8cf006
index fc1c330c6bd6..1922f2e0980a 100644
f20e0a
--- a/kernel/events/core.c
f20e0a
+++ b/kernel/events/core.c
8cf006
@@ -10407,6 +10407,11 @@ SYSCALL_DEFINE5(perf_event_open,
f20e0a
 			return -EINVAL;
f20e0a
 	}
f20e0a
f20e0a
+	if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
f20e0a
+	    kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
f20e0a
+		/* REGS_INTR can leak data, lockdown must prevent this */
f20e0a
+		return -EPERM;
f20e0a
+
f20e0a
 	/* Only privileged users can get physical addresses */
f20e0a
 	if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
f20e0a
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
f20e0a
-- 
f20e0a
2.14.3
59566d
8cf006
From fe5091f97838c8c64b891280bcd30367e71cd5c3 Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
8cf006
Date: Wed, 4 Apr 2018 14:45:38 +0100
8cf006
Subject: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked
f20e0a
 down
f20e0a
f20e0a
Disallow opening of debugfs files that might be used to muck around when
f20e0a
the kernel is locked down as various drivers give raw access to hardware
f20e0a
through debugfs.  Given the effort of auditing all 2000 or so files and
f20e0a
manually fixing each one as necessary, I've chosen to apply a heuristic
f20e0a
instead.  The following changes are made:
f20e0a
f20e0a
 (1) chmod and chown are disallowed on debugfs objects (though the root dir
f20e0a
     can be modified by mount and remount, but I'm not worried about that).
59566d
f20e0a
 (2) When the kernel is locked down, only files with the following criteria
f20e0a
     are permitted to be opened:
59566d
f20e0a
	- The file must have mode 00444
f20e0a
	- The file must not have ioctl methods
f20e0a
	- The file must not have mmap
59566d
f20e0a
 (3) When the kernel is locked down, files may only be opened for reading.
f20e0a
f20e0a
Normal device interaction should be done through configfs, sysfs or a
f20e0a
miscdev, not debugfs.
59566d
59566d
Note that this makes it unnecessary to specifically lock down show_dsts(),
59566d
show_devs() and show_call() in the asus-wmi driver.
59566d
f20e0a
I would actually prefer to lock down all files by default and have the
f20e0a
the files unlocked by the creator.  This is tricky to manage correctly,
f20e0a
though, as there are 19 creation functions and ~1600 call sites (some of
f20e0a
them in loops scanning tables).
f20e0a
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
59566d
cc: acpi4asus-user@lists.sourceforge.net
59566d
cc: platform-driver-x86@vger.kernel.org
f20e0a
cc: Matthew Garrett <mjg59@srcf.ucam.org>
59566d
cc: Thomas Gleixner <tglx@linutronix.de>
59566d
---
f20e0a
 fs/debugfs/file.c  | 28 ++++++++++++++++++++++++++++
f20e0a
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
f20e0a
 2 files changed, 56 insertions(+), 2 deletions(-)
59566d
59566d
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
f20e0a
index 1f99678ff5d3..51cb894c21f2 100644
59566d
--- a/fs/debugfs/file.c
59566d
+++ b/fs/debugfs/file.c
f20e0a
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
f20e0a
 }
f20e0a
 EXPORT_SYMBOL_GPL(debugfs_file_put);
f20e0a
f20e0a
+/*
f20e0a
+ * Only permit access to world-readable files when the kernel is locked down.
f20e0a
+ * We also need to exclude any file that has ways to write or alter it as root
f20e0a
+ * can bypass the permissions check.
f20e0a
+ */
f20e0a
+static bool debugfs_is_locked_down(struct inode *inode,
f20e0a
+				   struct file *filp,
f20e0a
+				   const struct file_operations *real_fops)
f20e0a
+{
f20e0a
+	if ((inode->i_mode & 07777) == 0444 &&
f20e0a
+	    !(filp->f_mode & FMODE_WRITE) &&
f20e0a
+	    !real_fops->unlocked_ioctl &&
f20e0a
+	    !real_fops->compat_ioctl &&
f20e0a
+	    !real_fops->mmap)
f20e0a
+		return false;
59566d
+
f20e0a
+	return kernel_is_locked_down("debugfs");
f20e0a
+}
8221dd
+
f20e0a
 static int open_proxy_open(struct inode *inode, struct file *filp)
f20e0a
 {
f20e0a
 	struct dentry *dentry = F_DENTRY(filp);
f20e0a
@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
8221dd
 		return r == -EIO ? -ENOENT : r;
f20e0a
f20e0a
 	real_fops = debugfs_real_fops(filp);
f20e0a
+
f20e0a
+	r = -EPERM;
f20e0a
+	if (debugfs_is_locked_down(inode, filp, real_fops))
f20e0a
+		goto out;
59566d
+
f20e0a
 	real_fops = fops_get(real_fops);
f20e0a
 	if (!real_fops) {
f20e0a
 		/* Huh? Module did not clean up after itself at exit? */
f20e0a
@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
8221dd
 		return r == -EIO ? -ENOENT : r;
59566d
f20e0a
 	real_fops = debugfs_real_fops(filp);
f20e0a
+	r = -EPERM;
f20e0a
+	if (debugfs_is_locked_down(inode, filp, real_fops))
f20e0a
+		goto out;
f20e0a
+
f20e0a
 	real_fops = fops_get(real_fops);
f20e0a
 	if (!real_fops) {
f20e0a
 		/* Huh? Module did not cleanup after itself at exit? */
f20e0a
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
8cf006
index 13b01351dd1c..4daec17b8215 100644
f20e0a
--- a/fs/debugfs/inode.c
f20e0a
+++ b/fs/debugfs/inode.c
f20e0a
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount;
f20e0a
 static int debugfs_mount_count;
f20e0a
 static bool debugfs_registered;
135abd
f20e0a
+/*
f20e0a
+ * Don't allow access attributes to be changed whilst the kernel is locked down
f20e0a
+ * so that we can use the file mode as part of a heuristic to determine whether
f20e0a
+ * to lock down individual files.
f20e0a
+ */
f20e0a
+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
f20e0a
+{
f20e0a
+	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
f20e0a
+	    kernel_is_locked_down("debugfs"))
59566d
+		return -EPERM;
f20e0a
+	return simple_setattr(dentry, ia);
f20e0a
+}
f20e0a
+
f20e0a
+static const struct inode_operations debugfs_file_inode_operations = {
f20e0a
+	.setattr	= debugfs_setattr,
f20e0a
+};
f20e0a
+static const struct inode_operations debugfs_dir_inode_operations = {
f20e0a
+	.lookup		= simple_lookup,
f20e0a
+	.setattr	= debugfs_setattr,
f20e0a
+};
f20e0a
+static const struct inode_operations debugfs_symlink_inode_operations = {
f20e0a
+	.get_link	= simple_get_link,
f20e0a
+	.setattr	= debugfs_setattr,
f20e0a
+};
f20e0a
+
f20e0a
 static struct inode *debugfs_get_inode(struct super_block *sb)
f20e0a
 {
f20e0a
 	struct inode *inode = new_inode(sb);
8cf006
@@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
f20e0a
 	inode->i_mode = mode;
f20e0a
 	inode->i_private = data;
f20e0a
f20e0a
+	inode->i_op = &debugfs_file_inode_operations;
f20e0a
 	inode->i_fop = proxy_fops;
f20e0a
 	dentry->d_fsdata = (void *)((unsigned long)real_fops |
f20e0a
 				DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
8cf006
@@ -513,7 +539,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
f20e0a
 		return failed_creating(dentry);
f20e0a
f20e0a
 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
f20e0a
-	inode->i_op = &simple_dir_inode_operations;
f20e0a
+	inode->i_op = &debugfs_dir_inode_operations;
f20e0a
 	inode->i_fop = &simple_dir_operations;
f20e0a
f20e0a
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
8cf006
@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
f20e0a
 		return failed_creating(dentry);
f20e0a
 	}
f20e0a
 	inode->i_mode = S_IFLNK | S_IRWXUGO;
f20e0a
-	inode->i_op = &simple_symlink_inode_operations;
f20e0a
+	inode->i_op = &debugfs_symlink_inode_operations;
f20e0a
 	inode->i_link = link;
f20e0a
 	d_instantiate(dentry, inode);
f20e0a
 	return end_creating(dentry);
135abd
-- 
f20e0a
2.14.3
135abd