b1f0987
From 73958cc1f78cfc69f3b1ec26a3406b3c45f6d202 Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:45 +0100
b1f0987
Subject: [PATCH 01/24] Add the ability to lock down access to the running
962ea4f
 kernel image
962ea4f
962ea4f
Provide a single call to allow kernel code to determine whether the system
962ea4f
should be locked down, thereby disallowing various accesses that might
b1f0987
allow the running kernel image to be changed, including:
b1f0987
b1f0987
 - /dev/mem and similar
b1f0987
 - Loading of unauthorised modules
b1f0987
 - Fiddling with MSR registers
b1f0987
 - Suspend to disk managed by the kernel
b1f0987
 - Use of device DMA
b1f0987
b1f0987
Two kernel configuration options are provided:
b1f0987
b1f0987
 (*) CONFIG_LOCK_DOWN_KERNEL
b1f0987
b1f0987
     This makes lockdown available and applies it to all the points that
b1f0987
     need to be locked down if the mode is set.  Lockdown mode can be
b1f0987
     enabled by providing:
b1f0987
b1f0987
	lockdown=1
b1f0987
b1f0987
     on the command line.
b1f0987
b1f0987
 (*) CONFIG_LOCK_DOWN_MANDATORY
b1f0987
b1f0987
     This forces lockdown on at compile time, overriding the command line
b1f0987
     option.
b1f0987
b1f0987
init_lockdown() is used as a hook from which lockdown can be managed in
b1f0987
future.  It has to be called from arch setup code before things like ACPI
b1f0987
are enabled.
b1f0987
b1f0987
Note that, with the other changes in this series, if lockdown mode is
b1f0987
enabled, the kernel will not be able to use certain drivers as the ability
b1f0987
to manually configure hardware parameters would then be prohibited.  This
b1f0987
primarily applies to ISA hardware devices.
962ea4f
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
962ea4f
---
b1f0987
 arch/x86/kernel/setup.c |  2 ++
b1f0987
 include/linux/kernel.h  | 32 ++++++++++++++++++++++++
b1f0987
 security/Kconfig        | 23 ++++++++++++++++-
b1f0987
 security/Makefile       |  3 +++
b1f0987
 security/lock_down.c    | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
b1f0987
 5 files changed, 124 insertions(+), 1 deletion(-)
962ea4f
 create mode 100644 security/lock_down.c
962ea4f
b1f0987
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
b1f0987
index 6285697b6e56..566f0f447053 100644
b1f0987
--- a/arch/x86/kernel/setup.c
b1f0987
+++ b/arch/x86/kernel/setup.c
b1f0987
@@ -996,6 +996,8 @@ void __init setup_arch(char **cmdline_p)
b1f0987
 	if (efi_enabled(EFI_BOOT))
b1f0987
 		efi_init();
b1f0987
b1f0987
+	init_lockdown();
b1f0987
+
b1f0987
 	dmi_scan_machine();
b1f0987
 	dmi_memdev_walk();
b1f0987
 	dmi_set_dump_stack_arch_desc();
962ea4f
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
b1f0987
index 4ae1dfd9bf05..7d085cca9cee 100644
962ea4f
--- a/include/linux/kernel.h
962ea4f
+++ b/include/linux/kernel.h
b1f0987
@@ -306,6 +306,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
c5708d5
 { }
c5708d5
 #endif
c5708d5
962ea4f
+#ifdef CONFIG_LOCK_DOWN_KERNEL
b1f0987
+extern void __init init_lockdown(void);
c5708d5
+extern bool __kernel_is_locked_down(const char *what, bool first);
962ea4f
+
b1f0987
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
c5708d5
+#define kernel_is_locked_down(what)					\
c5708d5
+	({								\
c5708d5
+		static bool message_given;				\
c5708d5
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
c5708d5
+		message_given = true;					\
c5708d5
+		locked_down;						\
c5708d5
+	})
b1f0987
+#else
b1f0987
+#define kernel_is_locked_down(what)					\
b1f0987
+	({								\
b1f0987
+		static bool message_given;				\
b1f0987
+		__kernel_is_locked_down(what, !message_given);		\
b1f0987
+		message_given = true;					\
b1f0987
+		true;							\
b1f0987
+	})
b1f0987
+#endif
962ea4f
+#else
c5708d5
+static inline void __init init_lockdown(void)
962ea4f
+{
962ea4f
+}
b1f0987
+static inline bool __kernel_is_locked_down(const char *what, bool first)
b1f0987
+{
b1f0987
+	return false;
b1f0987
+}
b1f0987
+#define kernel_is_locked_down(what) ({ false; })
962ea4f
+#endif
962ea4f
+
b1f0987
 /* Internal, do not use. */
b1f0987
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
b1f0987
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
962ea4f
diff --git a/security/Kconfig b/security/Kconfig
b1f0987
index c4302067a3ad..a68e5bdebad5 100644
962ea4f
--- a/security/Kconfig
962ea4f
+++ b/security/Kconfig
b1f0987
@@ -231,6 +231,28 @@ config STATIC_USERMODEHELPER_PATH
c796f87
 	  If you wish for all usermode helper programs to be disabled,
c796f87
 	  specify an empty string here (i.e. "").
c5708d5
962ea4f
+config LOCK_DOWN_KERNEL
962ea4f
+	bool "Allow the kernel to be 'locked down'"
962ea4f
+	help
b1f0987
+	  Allow the kernel to be locked down.  Locking down the kernel turns
b1f0987
+	  off various features that might otherwise allow access to the kernel
b1f0987
+	  image (eg. setting MSR registers).
b1f0987
+
b1f0987
+	  Note, however, that locking down your kernel will prevent some
b1f0987
+	  drivers from functioning because allowing manual configuration of
b1f0987
+	  hardware parameters is forbidden, lest a device be used to access the
b1f0987
+	  kernel by DMA.  This mostly applies to ISA devices.
b1f0987
+
b1f0987
+	  The kernel lockdown can be triggered by adding lockdown=1 to the
b1f0987
+	  kernel command line.
b1f0987
+
b1f0987
+config LOCK_DOWN_MANDATORY
b1f0987
+	bool "Make kernel lockdown mandatory"
b1f0987
+	depends on LOCK_DOWN_KERNEL
b1f0987
+	help
b1f0987
+	  Makes the lockdown non-negotiable.  It is always on and cannot be
b1f0987
+	  disabled.
962ea4f
+
962ea4f
 source security/selinux/Kconfig
962ea4f
 source security/smack/Kconfig
962ea4f
 source security/tomoyo/Kconfig
b1f0987
@@ -278,4 +300,3 @@ config DEFAULT_SECURITY
b1f0987
 	default "" if DEFAULT_SECURITY_DAC
b1f0987
b1f0987
 endmenu
b1f0987
-
962ea4f
diff --git a/security/Makefile b/security/Makefile
37d0749
index 4d2d3782ddef..507ac8c520ce 100644
962ea4f
--- a/security/Makefile
962ea4f
+++ b/security/Makefile
37d0749
@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
962ea4f
 # Object integrity file lists
962ea4f
 subdir-$(CONFIG_INTEGRITY)		+= integrity
962ea4f
 obj-$(CONFIG_INTEGRITY)			+= integrity/
962ea4f
+
962ea4f
+# Allow the kernel to be locked down
962ea4f
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
962ea4f
diff --git a/security/lock_down.c b/security/lock_down.c
962ea4f
new file mode 100644
b1f0987
index 000000000000..f35ffdd096ad
962ea4f
--- /dev/null
962ea4f
+++ b/security/lock_down.c
b1f0987
@@ -0,0 +1,65 @@
962ea4f
+/* Lock down the kernel
962ea4f
+ *
962ea4f
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
962ea4f
+ * Written by David Howells (dhowells@redhat.com)
962ea4f
+ *
962ea4f
+ * This program is free software; you can redistribute it and/or
962ea4f
+ * modify it under the terms of the GNU General Public Licence
962ea4f
+ * as published by the Free Software Foundation; either version
962ea4f
+ * 2 of the Licence, or (at your option) any later version.
962ea4f
+ */
962ea4f
+
962ea4f
+#include <linux/export.h>
b1f0987
+#include <linux/sched.h>
962ea4f
+
b1f0987
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
c5708d5
+static __ro_after_init bool kernel_locked_down;
b1f0987
+#else
b1f0987
+#define kernel_locked_down true
b1f0987
+#endif
962ea4f
+
962ea4f
+/*
962ea4f
+ * Put the kernel into lock-down mode.
962ea4f
+ */
c5708d5
+static void __init lock_kernel_down(const char *where)
962ea4f
+{
b1f0987
+#ifndef CONFIG_LOCK_DOWN_MANDATORY
c5708d5
+	if (!kernel_locked_down) {
c5708d5
+		kernel_locked_down = true;
c5708d5
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
c5708d5
+			  where);
c5708d5
+	}
b1f0987
+#endif
962ea4f
+}
962ea4f
+
c5708d5
+static int __init lockdown_param(char *ignored)
c5708d5
+{
c5708d5
+	lock_kernel_down("command line");
c5708d5
+	return 0;
c5708d5
+}
c5708d5
+
c5708d5
+early_param("lockdown", lockdown_param);
c5708d5
+
962ea4f
+/*
c5708d5
+ * Lock the kernel down from very early in the arch setup.  This must happen
c5708d5
+ * prior to things like ACPI being initialised.
962ea4f
+ */
c5708d5
+void __init init_lockdown(void)
962ea4f
+{
b1f0987
+#ifdef CONFIG_LOCK_DOWN_MANDATORY
b1f0987
+	pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
c5708d5
+#endif
962ea4f
+}
962ea4f
+
962ea4f
+/**
962ea4f
+ * kernel_is_locked_down - Find out if the kernel is locked down
c5708d5
+ * @what: Tag to use in notice generated if lockdown is in effect
962ea4f
+ */
c5708d5
+bool __kernel_is_locked_down(const char *what, bool first)
962ea4f
+{
c5708d5
+	if (what && first && kernel_locked_down)
b1f0987
+		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
b1f0987
+			  current->comm, what);
962ea4f
+	return kernel_locked_down;
962ea4f
+}
c5708d5
+EXPORT_SYMBOL(__kernel_is_locked_down);
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 13dada34d9aa56ac4ee5438c7ebefde2d30d5542 Mon Sep 17 00:00:00 2001
c5708d5
From: Kyle McMartin <kyle@redhat.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:45 +0100
b1f0987
Subject: [PATCH 02/24] Add a SysRq option to lift kernel lockdown
962ea4f
c5708d5
Make an option to provide a sysrq key that will lift the kernel lockdown,
c5708d5
thereby allowing the running kernel image to be accessed and modified.
962ea4f
37d0749
On x86 this is triggered with SysRq+x, but this key may not be available on
37d0749
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
37d0749
Since this macro must be defined in an arch to be able to use this facility
37d0749
for that arch, the Kconfig option is restricted to arches that support it.
962ea4f
c5708d5
Signed-off-by: Kyle McMartin <kyle@redhat.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
cc: x86@kernel.org
962ea4f
---
c5708d5
 arch/x86/include/asm/setup.h |  2 ++
c5708d5
 drivers/input/misc/uinput.c  |  1 +
c5708d5
 drivers/tty/sysrq.c          | 19 ++++++++++++------
c5708d5
 include/linux/input.h        |  5 +++++
c5708d5
 include/linux/sysrq.h        |  8 +++++++-
c5708d5
 kernel/debug/kdb/kdb_main.c  |  2 +-
b1f0987
 security/Kconfig             | 11 +++++++++++
c5708d5
 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++
b1f0987
 8 files changed, 87 insertions(+), 8 deletions(-)
c5708d5
c5708d5
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
37d0749
index ae13bc974416..3108e297d87d 100644
c5708d5
--- a/arch/x86/include/asm/setup.h
c5708d5
+++ b/arch/x86/include/asm/setup.h
37d0749
@@ -9,6 +9,8 @@
c5708d5
 #include <linux/linkage.h>
c5708d5
 #include <asm/page_types.h>
c5708d5
c5708d5
+#define LOCKDOWN_LIFT_KEY 'x'
962ea4f
+
c5708d5
 #ifdef __i386__
962ea4f
c5708d5
 #include <linux/pfn.h>
962ea4f
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
37d0749
index 96a887f33698..027c730631cc 100644
962ea4f
--- a/drivers/input/misc/uinput.c
962ea4f
+++ b/drivers/input/misc/uinput.c
37d0749
@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev)
f8e9b44
 		dev->flush = uinput_dev_flush;
f8e9b44
 	}
37d0749
f8e9b44
+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
f8e9b44
 	dev->event = uinput_dev_event;
37d0749
962ea4f
 	input_set_drvdata(udev->dev, udev);
962ea4f
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
b1f0987
index 6364890575ec..ffeb3aa86cd1 100644
962ea4f
--- a/drivers/tty/sysrq.c
962ea4f
+++ b/drivers/tty/sysrq.c
37d0749
@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
962ea4f
 	/* x: May be registered on mips for TLB dump */
962ea4f
 	/* x: May be registered on ppc/powerpc for xmon */
962ea4f
 	/* x: May be registered on sparc64 for global PMU dump */
962ea4f
+	/* x: May be registered on x86_64 for disabling secure boot */
962ea4f
 	NULL,				/* x */
962ea4f
 	/* y: May be registered on sparc64 for global register dump */
962ea4f
 	NULL,				/* y */
37d0749
@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
962ea4f
                 sysrq_key_table[i] = op_p;
962ea4f
 }
c5708d5
962ea4f
-void __handle_sysrq(int key, bool check_mask)
962ea4f
+void __handle_sysrq(int key, unsigned int from)
962ea4f
 {
962ea4f
 	struct sysrq_key_op *op_p;
962ea4f
 	int orig_log_level;
37d0749
@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask)
c5708d5
962ea4f
         op_p = __sysrq_get_key_op(key);
962ea4f
         if (op_p) {
962ea4f
+		/* Ban synthetic events from some sysrq functionality */
962ea4f
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
962ea4f
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
962ea4f
+			printk("This sysrq operation is disabled from userspace.\n");
962ea4f
 		/*
962ea4f
 		 * Should we check for enabled operations (/proc/sysrq-trigger
962ea4f
 		 * should not) and is the invoked operation enabled?
962ea4f
 		 */
962ea4f
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
962ea4f
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
962ea4f
 			pr_cont("%s\n", op_p->action_msg);
962ea4f
 			console_loglevel = orig_log_level;
962ea4f
 			op_p->handler(key);
37d0749
@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask)
962ea4f
 void handle_sysrq(int key)
962ea4f
 {
962ea4f
 	if (sysrq_on())
962ea4f
-		__handle_sysrq(key, true);
962ea4f
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
962ea4f
 }
962ea4f
 EXPORT_SYMBOL(handle_sysrq);
c5708d5
37d0749
@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t)
962ea4f
 static void sysrq_handle_reset_request(struct sysrq_state *state)
962ea4f
 {
962ea4f
 	if (state->reset_requested)
962ea4f
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
962ea4f
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
c5708d5
962ea4f
 	if (sysrq_reset_downtime_ms)
962ea4f
 		mod_timer(&state->keyreset_timer,
37d0749
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
c5708d5
962ea4f
 	default:
962ea4f
 		if (sysrq->active && value && value != 2) {
962ea4f
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
962ea4f
+					SYSRQ_FROM_SYNTHETIC : 0;
962ea4f
 			sysrq->need_reinject = false;
962ea4f
-			__handle_sysrq(sysrq_xlate[code], true);
962ea4f
+			__handle_sysrq(sysrq_xlate[code], from);
962ea4f
 		}
962ea4f
 		break;
962ea4f
 	}
37d0749
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
c5708d5
962ea4f
 		if (get_user(c, buf))
962ea4f
 			return -EFAULT;
962ea4f
-		__handle_sysrq(c, false);
962ea4f
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
962ea4f
 	}
c5708d5
962ea4f
 	return count;
962ea4f
diff --git a/include/linux/input.h b/include/linux/input.h
37d0749
index 7c7516eb7d76..38cd0ea72c37 100644
962ea4f
--- a/include/linux/input.h
962ea4f
+++ b/include/linux/input.h
962ea4f
@@ -42,6 +42,7 @@ struct input_value {
962ea4f
  * @phys: physical path to the device in the system hierarchy
962ea4f
  * @uniq: unique identification code for the device (if device has it)
962ea4f
  * @id: id of the device (struct input_id)
962ea4f
+ * @flags: input device flags (SYNTHETIC, etc.)
962ea4f
  * @propbit: bitmap of device properties and quirks
962ea4f
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
962ea4f
  *	EV_REL, etc.)
962ea4f
@@ -124,6 +125,8 @@ struct input_dev {
962ea4f
 	const char *uniq;
962ea4f
 	struct input_id id;
c5708d5
962ea4f
+	unsigned int flags;
962ea4f
+
962ea4f
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
c5708d5
962ea4f
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
962ea4f
@@ -190,6 +193,8 @@ struct input_dev {
962ea4f
 };
962ea4f
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
c5708d5
962ea4f
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
962ea4f
+
962ea4f
 /*
962ea4f
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
962ea4f
  */
962ea4f
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
37d0749
index 8c71874e8485..7de1f08b60a9 100644
962ea4f
--- a/include/linux/sysrq.h
962ea4f
+++ b/include/linux/sysrq.h
37d0749
@@ -29,6 +29,8 @@
962ea4f
 #define SYSRQ_ENABLE_BOOT	0x0080
962ea4f
 #define SYSRQ_ENABLE_RTNICE	0x0100
c5708d5
962ea4f
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
962ea4f
+
962ea4f
 struct sysrq_key_op {
962ea4f
 	void (*handler)(int);
962ea4f
 	char *help_msg;
37d0749
@@ -43,8 +45,12 @@ struct sysrq_key_op {
962ea4f
  * are available -- else NULL's).
962ea4f
  */
c5708d5
962ea4f
+#define SYSRQ_FROM_KERNEL	0x0001
962ea4f
+#define SYSRQ_FROM_PROC		0x0002
962ea4f
+#define SYSRQ_FROM_SYNTHETIC	0x0004
962ea4f
+
962ea4f
 void handle_sysrq(int key);
962ea4f
-void __handle_sysrq(int key, bool check_mask);
962ea4f
+void __handle_sysrq(int key, unsigned int from);
962ea4f
 int register_sysrq_key(int key, struct sysrq_key_op *op);
962ea4f
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
962ea4f
 struct sysrq_key_op *__sysrq_get_key_op(int key);
962ea4f
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
37d0749
index dbb0781a0533..aae9a0f44058 100644
962ea4f
--- a/kernel/debug/kdb/kdb_main.c
962ea4f
+++ b/kernel/debug/kdb/kdb_main.c
c5708d5
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
962ea4f
 		return KDB_ARGCOUNT;
c5708d5
962ea4f
 	kdb_trap_printk++;
962ea4f
-	__handle_sysrq(*argv[1], check_mask);
962ea4f
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
962ea4f
 	kdb_trap_printk--;
c5708d5
962ea4f
 	return 0;
c5708d5
diff --git a/security/Kconfig b/security/Kconfig
b1f0987
index a68e5bdebad5..46967ee77dfd 100644
c5708d5
--- a/security/Kconfig
c5708d5
+++ b/security/Kconfig
b1f0987
@@ -253,6 +253,17 @@ config LOCK_DOWN_MANDATORY
b1f0987
 	  Makes the lockdown non-negotiable.  It is always on and cannot be
b1f0987
 	  disabled.
c5708d5
c5708d5
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
c5708d5
+	bool "Allow the kernel lockdown to be lifted by SysRq"
37d0749
+	depends on LOCK_DOWN_KERNEL
b1f0987
+	depends on !LOCK_DOWN_MANDATORY
37d0749
+	depends on MAGIC_SYSRQ
37d0749
+	depends on X86
c5708d5
+	help
c5708d5
+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
b1f0987
+	  combination on a wired keyboard.  On x86, this is SysRq+x.
c5708d5
+
c5708d5
+
c5708d5
 source security/selinux/Kconfig
c5708d5
 source security/smack/Kconfig
c5708d5
 source security/tomoyo/Kconfig
c5708d5
diff --git a/security/lock_down.c b/security/lock_down.c
b1f0987
index f35ffdd096ad..2615669dbf03 100644
c5708d5
--- a/security/lock_down.c
c5708d5
+++ b/security/lock_down.c
b1f0987
@@ -11,9 +11,15 @@
c5708d5
c5708d5
 #include <linux/export.h>
b1f0987
 #include <linux/sched.h>
c5708d5
+#include <linux/sysrq.h>
c5708d5
+#include <asm/setup.h>
c5708d5
b1f0987
 #ifndef CONFIG_LOCK_DOWN_MANDATORY
c5708d5
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
c5708d5
+static __read_mostly bool kernel_locked_down;
c5708d5
+#else
c5708d5
 static __ro_after_init bool kernel_locked_down;
c5708d5
+#endif
b1f0987
 #else
b1f0987
 #define kernel_locked_down true
b1f0987
 #endif
b1f0987
@@ -63,3 +69,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
c5708d5
 	return kernel_locked_down;
c5708d5
 }
c5708d5
 EXPORT_SYMBOL(__kernel_is_locked_down);
c5708d5
+
c5708d5
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
c5708d5
+
c5708d5
+/*
c5708d5
+ * Take the kernel out of lockdown mode.
c5708d5
+ */
c5708d5
+static void lift_kernel_lockdown(void)
c5708d5
+{
c5708d5
+	pr_notice("Lifting lockdown\n");
c5708d5
+	kernel_locked_down = false;
c5708d5
+}
c5708d5
+
c5708d5
+/*
c5708d5
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
c5708d5
+ * echoing the appropriate letter into the sysrq-trigger file).
c5708d5
+ */
c5708d5
+static void sysrq_handle_lockdown_lift(int key)
c5708d5
+{
c5708d5
+	if (kernel_locked_down)
c5708d5
+		lift_kernel_lockdown();
c5708d5
+}
c5708d5
+
c5708d5
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
c5708d5
+	.handler	= sysrq_handle_lockdown_lift,
c5708d5
+	.help_msg	= "unSB(x)",
c5708d5
+	.action_msg	= "Disabling Secure Boot restrictions",
c5708d5
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
c5708d5
+};
c5708d5
+
c5708d5
+static int __init lockdown_lift_sysrq(void)
c5708d5
+{
c5708d5
+	if (kernel_locked_down) {
c5708d5
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
c5708d5
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
c5708d5
+	}
c5708d5
+	return 0;
c5708d5
+}
c5708d5
+
c5708d5
+late_initcall(lockdown_lift_sysrq);
c5708d5
+
c5708d5
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
c5708d5
-- 
37d0749
2.14.3
37d0749
b1f0987
From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
37d0749
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:45 +0100
b1f0987
Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
37d0749
37d0749
Require the "secure_boot" rules, whether or not it is specified
37d0749
on the boot command line, for both the builtin and custom policies
37d0749
in secure boot lockdown mode.
37d0749
37d0749
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
37d0749
Signed-off-by: David Howells <dhowells@redhat.com>
37d0749
---
37d0749
 security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++----------
37d0749
 1 file changed, 29 insertions(+), 10 deletions(-)
37d0749
37d0749
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
b1f0987
index d89bebf85421..da6f55c96a61 100644
37d0749
--- a/security/integrity/ima/ima_policy.c
37d0749
+++ b/security/integrity/ima/ima_policy.c
b1f0987
@@ -443,14 +443,21 @@ void ima_update_policy_flag(void)
37d0749
  */
37d0749
 void __init ima_init_policy(void)
37d0749
 {
37d0749
-	int i, measure_entries, appraise_entries, secure_boot_entries;
37d0749
+	int i;
37d0749
+	int measure_entries = 0;
37d0749
+	int appraise_entries = 0;
37d0749
+	int secure_boot_entries = 0;
37d0749
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
37d0749
37d0749
 	/* if !ima_policy set entries = 0 so we load NO default rules */
37d0749
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
37d0749
-	appraise_entries = ima_use_appraise_tcb ?
37d0749
-			 ARRAY_SIZE(default_appraise_rules) : 0;
37d0749
-	secure_boot_entries = ima_use_secure_boot ?
37d0749
-			ARRAY_SIZE(secure_boot_rules) : 0;
37d0749
+	if (ima_policy)
37d0749
+		measure_entries = ARRAY_SIZE(dont_measure_rules);
37d0749
+
37d0749
+	if (ima_use_appraise_tcb)
37d0749
+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
37d0749
+
37d0749
+	if (ima_use_secure_boot || kernel_locked_down)
37d0749
+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
37d0749
37d0749
 	for (i = 0; i < measure_entries; i++)
37d0749
 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
16fb238
@@ -487,12 +494,24 @@ void __init ima_init_policy(void)
16fb238
 
37d0749
 	/*
37d0749
 	 * Insert the appraise rules requiring file signatures, prior to
37d0749
-	 * any other appraise rules.
37d0749
+	 * any other appraise rules.  In secure boot lock-down mode, also
37d0749
+	 * require these appraise rules for custom policies.
37d0749
 	 */
16fb238
 	for (i = 0; i < secure_boot_entries; i++) {
37d0749
+		struct ima_rule_entry *entry;
37d0749
+
37d0749
+		/* Include for builtin policies */
16fb238
 		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
16fb238
 		temp_ima_appraise |=
16fb238
 		    ima_appraise_flag(secure_boot_rules[i].func);
37d0749
+
37d0749
+		/* Include for custom policies */
37d0749
+		if (kernel_locked_down) {
37d0749
+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
37d0749
+					GFP_KERNEL);
37d0749
+			if (entry)
37d0749
+				list_add_tail(&entry->list, &ima_policy_rules);
37d0749
+		}
16fb238
 	}
16fb238
 
37d0749
 	for (i = 0; i < appraise_entries; i++) {
37d0749
-- 
37d0749
2.14.3
37d0749
b1f0987
From 64b01ecc309c8ae79209e00dd8b95a549e5050b7 Mon Sep 17 00:00:00 2001
c5708d5
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:46 +0100
b1f0987
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
c5708d5
c5708d5
If the kernel is locked down, require that all modules have valid
37d0749
signatures that we can verify or that IMA can validate the file.
37d0749
37d0749
I have adjusted the errors generated:
37d0749
37d0749
 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
37d0749
     ENOKEY), then:
37d0749
37d0749
     (a) If signatures are enforced then EKEYREJECTED is returned.
37d0749
37d0749
     (b) If IMA will have validated the image, return 0 (okay).
37d0749
37d0749
     (c) If there's no signature or we can't check it, but the kernel is
37d0749
	 locked down then EPERM is returned (this is then consistent with
37d0749
	 other lockdown cases).
37d0749
37d0749
 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
37d0749
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
37d0749
     return the error we got.
37d0749
37d0749
Note that the X.509 code doesn't check for key expiry as the RTC might not
37d0749
be valid or might not have been transferred to the kernel's clock yet.
c5708d5
c5708d5
Signed-off-by: David Howells <dhowells@redhat.com>
37d0749
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
37d0749
cc: "Lee, Chun-Yi" <jlee@suse.com>
37d0749
cc: James Morris <james.l.morris@oracle.com>
c5708d5
---
37d0749
 kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++++++++-------------
37d0749
 1 file changed, 43 insertions(+), 13 deletions(-)
c5708d5
c5708d5
diff --git a/kernel/module.c b/kernel/module.c
b1f0987
index a6e43a5806a1..9c1709a05037 100644
c5708d5
--- a/kernel/module.c
c5708d5
+++ b/kernel/module.c
37d0749
@@ -64,6 +64,7 @@
37d0749
 #include <linux/bsearch.h>
37d0749
 #include <linux/dynamic_debug.h>
37d0749
 #include <linux/audit.h>
37d0749
+#include <linux/ima.h>
37d0749
 #include <uapi/linux/module.h>
37d0749
 #include "module-internal.h"
37d0749
b1f0987
@@ -2761,10 +2762,12 @@ static inline void kmemleak_load_module(const struct module *mod,
37d0749
 #endif
37d0749
37d0749
 #ifdef CONFIG_MODULE_SIG
37d0749
-static int module_sig_check(struct load_info *info, int flags)
37d0749
+static int module_sig_check(struct load_info *info, int flags,
37d0749
+			    bool can_do_ima_check)
37d0749
 {
37d0749
-	int err = -ENOKEY;
37d0749
+	int err = -ENODATA;
37d0749
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
37d0749
+	const char *reason;
37d0749
 	const void *mod = info->hdr;
37d0749
37d0749
 	/*
b1f0987
@@ -2779,19 +2782,46 @@ static int module_sig_check(struct load_info *info, int flags)
37d0749
 		err = mod_verify_sig(mod, &info->len);
c5708d5
 	}
c5708d5
37d0749
-	if (!err) {
37d0749
+	switch (err) {
37d0749
+	case 0:
37d0749
 		info->sig_ok = true;
37d0749
 		return 0;
37d0749
-	}
37d0749
37d0749
-	/* Not having a signature is only an error if we're strict. */
16fb238
-	if (err == -ENOKEY && !is_module_sig_enforced())
37d0749
-		err = 0;
37d0749
+		/* We don't permit modules to be loaded into trusted kernels
37d0749
+		 * without a valid signature on them, but if we're not
37d0749
+		 * enforcing, certain errors are non-fatal.
37d0749
+		 */
37d0749
+	case -ENODATA:
37d0749
+		reason = "Loading of unsigned module";
37d0749
+		goto decide;
37d0749
+	case -ENOPKG:
37d0749
+		reason = "Loading of module with unsupported crypto";
37d0749
+		goto decide;
37d0749
+	case -ENOKEY:
37d0749
+		reason = "Loading of module with unavailable key";
37d0749
+	decide:
37d0749
+		if (sig_enforce) {
37d0749
+			pr_notice("%s is rejected\n", reason);
37d0749
+			return -EKEYREJECTED;
37d0749
+		}
37d0749
37d0749
-	return err;
37d0749
+		if (can_do_ima_check && is_ima_appraise_enabled())
37d0749
+			return 0;
37d0749
+		if (kernel_is_locked_down(reason))
37d0749
+			return -EPERM;
37d0749
+		return 0;
37d0749
+
37d0749
+		/* All other errors are fatal, including nomem, unparseable
37d0749
+		 * signatures and signature check failures - even if signatures
37d0749
+		 * aren't required.
37d0749
+		 */
37d0749
+	default:
37d0749
+		return err;
37d0749
+	}
37d0749
 }
37d0749
 #else /* !CONFIG_MODULE_SIG */
37d0749
-static int module_sig_check(struct load_info *info, int flags)
37d0749
+static int module_sig_check(struct load_info *info, int flags,
37d0749
+			    bool can_do_ima_check)
37d0749
 {
37d0749
 	return 0;
37d0749
 }
b1f0987
@@ -3651,13 +3681,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
37d0749
 /* Allocate and load the module: note that size of section 0 is always
37d0749
    zero, and we rely on this for optional sections. */
37d0749
 static int load_module(struct load_info *info, const char __user *uargs,
37d0749
-		       int flags)
37d0749
+		       int flags, bool can_do_ima_check)
37d0749
 {
37d0749
 	struct module *mod;
37d0749
 	long err;
37d0749
 	char *after_dashes;
37d0749
37d0749
-	err = module_sig_check(info, flags);
37d0749
+	err = module_sig_check(info, flags, can_do_ima_check);
37d0749
 	if (err)
37d0749
 		goto free_copy;
37d0749
b1f0987
@@ -3846,7 +3876,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
37d0749
 	if (err)
37d0749
 		return err;
37d0749
37d0749
-	return load_module(&info, uargs, 0);
37d0749
+	return load_module(&info, uargs, 0, false);
37d0749
 }
37d0749
37d0749
 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
b1f0987
@@ -3873,7 +3903,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
37d0749
 	info.hdr = hdr;
37d0749
 	info.len = size;
37d0749
37d0749
-	return load_module(&info, uargs, flags);
37d0749
+	return load_module(&info, uargs, flags, true);
37d0749
 }
c5708d5
37d0749
 static inline int within(unsigned long addr, void *start, unsigned long size)
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
37d0749
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:46 +0100
b1f0987
Subject: [PATCH 05/24] Restrict /dev/{mem,kmem,port} when the kernel is locked
c5708d5
 down
c5708d5
c5708d5
Allowing users to read and write to core kernel memory makes it possible
c5708d5
for the kernel to be subverted, avoiding module loading restrictions, and
c5708d5
also to steal cryptographic information.
c5708d5
c5708d5
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
c5708d5
been locked down to prevent this.
c5708d5
c5708d5
Also disallow /dev/port from being opened to prevent raw ioport access and
c5708d5
thus DMA from being used to accomplish the same thing.
c5708d5
37d0749
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
c5708d5
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
---
c5708d5
 drivers/char/mem.c | 2 ++
c5708d5
 1 file changed, 2 insertions(+)
c5708d5
c5708d5
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
b1f0987
index ffeb60d3434c..b2fca26e5765 100644
c5708d5
--- a/drivers/char/mem.c
c5708d5
+++ b/drivers/char/mem.c
37d0749
@@ -784,6 +784,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
c5708d5
c5708d5
 static int open_port(struct inode *inode, struct file *filp)
c5708d5
 {
c5708d5
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
c5708d5
+		return -EPERM;
c5708d5
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
c5708d5
 }
c5708d5
c5708d5
-- 
37d0749
2.14.3
c5708d5
b1f0987
From a19b6b9637f114388cc7087176860eee962cac79 Mon Sep 17 00:00:00 2001
37d0749
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:46 +0100
b1f0987
Subject: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
37d0749
 down
962ea4f
37d0749
The kexec_load() syscall permits the loading and execution of arbitrary
37d0749
code in ring 0, which is something that lock-down is meant to prevent. It
37d0749
makes sense to disable kexec_load() in this situation.
962ea4f
37d0749
This does not affect kexec_file_load() syscall which can check for a
37d0749
signature on the image to be booted.
962ea4f
37d0749
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Acked-by: Dave Young <dyoung@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
Reviewed-by: James Morris <james.l.morris@oracle.com>
c5708d5
cc: kexec@lists.infradead.org
962ea4f
---
962ea4f
 kernel/kexec.c | 7 +++++++
962ea4f
 1 file changed, 7 insertions(+)
962ea4f
962ea4f
diff --git a/kernel/kexec.c b/kernel/kexec.c
b1f0987
index aed8fb2564b3..1553ac765e73 100644
962ea4f
--- a/kernel/kexec.c
962ea4f
+++ b/kernel/kexec.c
b1f0987
@@ -199,6 +199,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
37d0749
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
962ea4f
 		return -EPERM;
c5708d5
37d0749
+	/*
962ea4f
+	 * kexec can be used to circumvent module loading restrictions, so
962ea4f
+	 * prevent loading in that case
962ea4f
+	 */
c5708d5
+	if (kernel_is_locked_down("kexec of unsigned images"))
962ea4f
+		return -EPERM;
962ea4f
+
37d0749
 	/*
962ea4f
 	 * Verify we have a legal set of flags
962ea4f
 	 * This leaves us room for future extensions.
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001
962ea4f
From: Josh Boyer <jwboyer@fedoraproject.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:47 +0100
b1f0987
Subject: [PATCH 07/24] hibernate: Disable when the kernel is locked down
962ea4f
962ea4f
There is currently no way to verify the resume image when returning
962ea4f
from hibernate.  This might compromise the signed modules trust model,
962ea4f
so until we can work with signed hibernate images we disable it when the
962ea4f
kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: linux-pm@vger.kernel.org
962ea4f
---
962ea4f
 kernel/power/hibernate.c | 2 +-
962ea4f
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4f
962ea4f
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
b1f0987
index 5454cc639a8d..629f158f5a0c 100644
962ea4f
--- a/kernel/power/hibernate.c
962ea4f
+++ b/kernel/power/hibernate.c
c5708d5
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
c5708d5
962ea4f
 bool hibernation_available(void)
962ea4f
 {
962ea4f
-	return (nohibernate == 0);
c5708d5
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
962ea4f
 }
c5708d5
962ea4f
 /**
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 8732c1663d7c0305ae01ba5a1ee4d2299b7b4612 Mon Sep 17 00:00:00 2001
962ea4f
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:47 +0100
b1f0987
Subject: [PATCH 08/24] uswsusp: Disable when the kernel is locked down
962ea4f
962ea4f
uswsusp allows a user process to dump and then restore kernel state, which
962ea4f
makes it possible to modify the running kernel.  Disable this if the kernel
962ea4f
is locked down.
962ea4f
962ea4f
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
Reviewed-by: James Morris <james.l.morris@oracle.com>
c5708d5
cc: linux-pm@vger.kernel.org
962ea4f
---
962ea4f
 kernel/power/user.c | 3 +++
962ea4f
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/kernel/power/user.c b/kernel/power/user.c
b1f0987
index 75c959de4b29..959b336d8eca 100644
962ea4f
--- a/kernel/power/user.c
962ea4f
+++ b/kernel/power/user.c
962ea4f
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
962ea4f
 	if (!hibernation_available())
962ea4f
 		return -EPERM;
c5708d5
c5708d5
+	if (kernel_is_locked_down("/dev/snapshot"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	lock_system_sleep();
c5708d5
962ea4f
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 4f5f0aae410d1929872eec346954c85e3a85f4f3 Mon Sep 17 00:00:00 2001
37d0749
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:48 +0100
b1f0987
Subject: [PATCH 09/24] PCI: Lock down BAR access when the kernel is locked
962ea4f
 down
962ea4f
962ea4f
Any hardware that can potentially generate DMA has to be locked down in
962ea4f
order to avoid it being possible for an attacker to modify kernel code,
962ea4f
allowing them to circumvent disabled module loading or module signing.
962ea4f
Default to paranoid - in future we can potentially relax this for
962ea4f
sufficiently IOMMU-isolated devices.
962ea4f
37d0749
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: linux-pci@vger.kernel.org
962ea4f
---
962ea4f
 drivers/pci/pci-sysfs.c | 9 +++++++++
c5708d5
 drivers/pci/proc.c      | 9 ++++++++-
c5708d5
 drivers/pci/syscall.c   | 3 ++-
c5708d5
 3 files changed, 19 insertions(+), 2 deletions(-)
962ea4f
962ea4f
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
b1f0987
index 366d93af051d..1e149ec006a4 100644
962ea4f
--- a/drivers/pci/pci-sysfs.c
962ea4f
+++ b/drivers/pci/pci-sysfs.c
b1f0987
@@ -903,6 +903,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
962ea4f
 	loff_t init_off = off;
962ea4f
 	u8 *data = (u8 *) buf;
c5708d5
c5708d5
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	if (off > dev->cfg_size)
962ea4f
 		return 0;
962ea4f
 	if (off + count > dev->cfg_size) {
b1f0987
@@ -1165,6 +1168,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
bd32781
 	enum pci_mmap_state mmap_type;
bd32781
 	struct resource *res = &pdev->resource[bar];
c5708d5
c5708d5
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
bd32781
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
bd32781
 		return -EINVAL;
c5708d5
b1f0987
@@ -1240,6 +1246,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
962ea4f
 				     struct bin_attribute *attr, char *buf,
962ea4f
 				     loff_t off, size_t count)
962ea4f
 {
c5708d5
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
962ea4f
 }
c5708d5
962ea4f
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
b1f0987
index 1ee8927a0635..469445a9019b 100644
962ea4f
--- a/drivers/pci/proc.c
962ea4f
+++ b/drivers/pci/proc.c
37d0749
@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
962ea4f
 	int size = dev->cfg_size;
962ea4f
 	int cnt;
c5708d5
c5708d5
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	if (pos >= size)
962ea4f
 		return 0;
962ea4f
 	if (nbytes >= size)
37d0749
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
962ea4f
 #endif /* HAVE_PCI_MMAP */
962ea4f
 	int ret = 0;
c5708d5
c5708d5
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	switch (cmd) {
962ea4f
 	case PCIIOC_CONTROLLER:
962ea4f
 		ret = pci_domain_nr(dev->bus);
37d0749
@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
962ea4f
 	struct pci_filp_private *fpriv = file->private_data;
bd32781
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
c5708d5
962ea4f
-	if (!capable(CAP_SYS_RAWIO))
c5708d5
+	if (!capable(CAP_SYS_RAWIO) ||
c5708d5
+	    kernel_is_locked_down("Direct PCI access"))
962ea4f
 		return -EPERM;
c5708d5
bd32781
 	if (fpriv->mmap_state == pci_mmap_io) {
962ea4f
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
b1f0987
index d96626c614f5..b8a08d3166a1 100644
962ea4f
--- a/drivers/pci/syscall.c
962ea4f
+++ b/drivers/pci/syscall.c
b1f0987
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
962ea4f
 	u32 dword;
962ea4f
 	int err = 0;
c5708d5
962ea4f
-	if (!capable(CAP_SYS_ADMIN))
c5708d5
+	if (!capable(CAP_SYS_ADMIN) ||
c5708d5
+	    kernel_is_locked_down("Direct PCI access"))
962ea4f
 		return -EPERM;
c5708d5
37d0749
 	dev = pci_get_domain_bus_and_slot(0, bus, dfn);
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 677537cdec42804f1936b57ffaa6181f633bc015 Mon Sep 17 00:00:00 2001
37d0749
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:48 +0100
b1f0987
Subject: [PATCH 10/24] x86: Lock down IO port access when the kernel is locked
962ea4f
 down
962ea4f
962ea4f
IO port access would permit users to gain access to PCI configuration
962ea4f
registers, which in turn (on a lot of hardware) give access to MMIO
962ea4f
register space. This would potentially permit root to trigger arbitrary
962ea4f
DMA, so lock it down by default.
962ea4f
962ea4f
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
962ea4f
KDDISABIO console ioctls.
962ea4f
37d0749
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: x86@kernel.org
962ea4f
---
c5708d5
 arch/x86/kernel/ioport.c | 6 ++++--
c5708d5
 1 file changed, 4 insertions(+), 2 deletions(-)
962ea4f
962ea4f
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
b1f0987
index 0fe1c8782208..abc702a6ae9c 100644
962ea4f
--- a/arch/x86/kernel/ioport.c
962ea4f
+++ b/arch/x86/kernel/ioport.c
b1f0987
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
c5708d5
962ea4f
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
962ea4f
 		return -EINVAL;
962ea4f
-	if (turn_on && !capable(CAP_SYS_RAWIO))
c5708d5
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
c5708d5
+			kernel_is_locked_down("ioperm")))
962ea4f
 		return -EPERM;
c5708d5
962ea4f
 	/*
b1f0987
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
962ea4f
 		return -EINVAL;
962ea4f
 	/* Trying to gain more privileges? */
962ea4f
 	if (level > old) {
962ea4f
-		if (!capable(CAP_SYS_RAWIO))
c5708d5
+		if (!capable(CAP_SYS_RAWIO) ||
c5708d5
+		    kernel_is_locked_down("iopl"))
962ea4f
 			return -EPERM;
962ea4f
 	}
962ea4f
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From f005be07fababf8c698a556fe465871ad168c9d9 Mon Sep 17 00:00:00 2001
37d0749
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:48 +0100
b1f0987
Subject: [PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked
c5708d5
 down
962ea4f
962ea4f
Writing to MSRs should not be allowed if the kernel is locked down, since
962ea4f
it could lead to execution of arbitrary code in kernel mode.  Based on a
962ea4f
patch by Kees Cook.
962ea4f
c5708d5
MSR accesses are logged for the purposes of building up a whitelist as per
c5708d5
Alan Cox's suggestion.
c5708d5
37d0749
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Acked-by: Kees Cook <keescook@chromium.org>
c5708d5
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: x86@kernel.org
962ea4f
---
c5708d5
 arch/x86/kernel/msr.c | 10 ++++++++++
c5708d5
 1 file changed, 10 insertions(+)
962ea4f
962ea4f
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
c5708d5
index ef688804f80d..dfb61d358196 100644
962ea4f
--- a/arch/x86/kernel/msr.c
962ea4f
+++ b/arch/x86/kernel/msr.c
c5708d5
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
962ea4f
 	int err = 0;
962ea4f
 	ssize_t bytes = 0;
c5708d5
c5708d5
+	if (kernel_is_locked_down("Direct MSR access")) {
c5708d5
+		pr_info("Direct access to MSR %x\n", reg);
962ea4f
+		return -EPERM;
c5708d5
+	}
962ea4f
+
962ea4f
 	if (count % 8)
962ea4f
 		return -EINVAL;	/* Invalid chunk size */
c5708d5
c5708d5
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
c5708d5
 			err = -EFAULT;
962ea4f
 			break;
962ea4f
 		}
c5708d5
+		if (kernel_is_locked_down("Direct MSR access")) {
c5708d5
+			pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
962ea4f
+			err = -EPERM;
962ea4f
+			break;
962ea4f
+		}
c5708d5
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
c5708d5
 		if (err)
962ea4f
 			break;
962ea4f
-- 
37d0749
2.14.3
c5708d5
b1f0987
From 0a48b7c936757dda851ab2d3ecde7f6a79de7a5b Mon Sep 17 00:00:00 2001
37d0749
From: Matthew Garrett <mjg59@srcf.ucam.org>
b1f0987
Date: Mon, 9 Apr 2018 09:52:48 +0100
b1f0987
Subject: [PATCH 12/24] ACPI: Limit access to custom_method when the kernel is
962ea4f
 locked down
962ea4f
962ea4f
custom_method effectively allows arbitrary access to system memory, making
962ea4f
it possible for an attacker to circumvent restrictions on module loading.
962ea4f
Disable it if the kernel is locked down.
962ea4f
37d0749
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/custom_method.c | 3 +++
962ea4f
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
b1f0987
index e967c1173ba3..a07fbe999eb6 100644
962ea4f
--- a/drivers/acpi/custom_method.c
962ea4f
+++ b/drivers/acpi/custom_method.c
962ea4f
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
962ea4f
 	struct acpi_table_header table;
962ea4f
 	acpi_status status;
c5708d5
c5708d5
+	if (kernel_is_locked_down("ACPI custom methods"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	if (!(*ppos)) {
962ea4f
 		/* parse the table header to get the table length */
962ea4f
 		if (count <= sizeof(struct acpi_table_header))
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 2ed74b084366d7dba7b4a611ba13d99b82c4e11e Mon Sep 17 00:00:00 2001
962ea4f
From: Josh Boyer <jwboyer@redhat.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:49 +0100
b1f0987
Subject: [PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
962ea4f
 been locked down
962ea4f
962ea4f
This option allows userspace to pass the RSDP address to the kernel, which
c5708d5
makes it possible for a user to modify the workings of hardware .  Reject
c5708d5
the option when the kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: Dave Young <dyoung@redhat.com>
c5708d5
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/osl.c | 2 +-
962ea4f
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4f
962ea4f
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
b1f0987
index 7ca41bf023c9..34e4ce7939f4 100644
962ea4f
--- a/drivers/acpi/osl.c
962ea4f
+++ b/drivers/acpi/osl.c
c796f87
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
b1f0987
 	acpi_physical_address pa;
c5708d5
962ea4f
 #ifdef CONFIG_KEXEC
962ea4f
-	if (acpi_rsdp)
c5708d5
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
962ea4f
 		return acpi_rsdp;
962ea4f
 #endif
b1f0987
 	pa = acpi_arch_get_root_pointer();
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 7fb2ddf683c23cc4b227d7d75a5d039970ca910e Mon Sep 17 00:00:00 2001
962ea4f
From: Linn Crosetto <linn@hpe.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:49 +0100
b1f0987
Subject: [PATCH 14/24] acpi: Disable ACPI table override if the kernel is
962ea4f
 locked down
962ea4f
962ea4f
From the kernel documentation (initrd_table_override.txt):
962ea4f
962ea4f
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
962ea4f
  to override nearly any ACPI table provided by the BIOS with an
962ea4f
  instrumented, modified one.
962ea4f
962ea4f
When securelevel is set, the kernel should disallow any unauthenticated
962ea4f
changes to kernel space.  ACPI tables contain code invoked by the kernel,
962ea4f
so do not allow ACPI tables to be overridden if the kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/tables.c | 5 +++++
962ea4f
 1 file changed, 5 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
b1f0987
index 849c4fb19b03..6c5ee7e66842 100644
962ea4f
--- a/drivers/acpi/tables.c
962ea4f
+++ b/drivers/acpi/tables.c
37d0749
@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void)
962ea4f
 	if (table_nr == 0)
962ea4f
 		return;
c5708d5
c5708d5
+	if (kernel_is_locked_down("ACPI table override")) {
962ea4f
+		pr_notice("kernel is locked down, ignoring table override\n");
962ea4f
+		return;
962ea4f
+	}
962ea4f
+
962ea4f
 	acpi_tables_addr =
962ea4f
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
962ea4f
 				       all_tables_size, PAGE_SIZE);
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From d1ff6505c76cec9438217f2c284f024a1ac2ac59 Mon Sep 17 00:00:00 2001
962ea4f
From: Linn Crosetto <linn@hpe.com>
b1f0987
Date: Mon, 9 Apr 2018 09:52:50 +0100
b1f0987
Subject: [PATCH 15/24] acpi: Disable APEI error injection if the kernel is
962ea4f
 locked down
962ea4f
962ea4f
ACPI provides an error injection mechanism, EINJ, for debugging and testing
962ea4f
the ACPI Platform Error Interface (APEI) and other RAS features.  If
962ea4f
supported by the firmware, ACPI specification 5.0 and later provide for a
962ea4f
way to specify a physical memory address to which to inject the error.
962ea4f
962ea4f
Injecting errors through EINJ can produce errors which to the platform are
962ea4f
indistinguishable from real hardware errors.  This can have undesirable
962ea4f
side-effects, such as causing the platform to mark hardware as needing
962ea4f
replacement.
962ea4f
962ea4f
While it does not provide a method to load unauthenticated privileged code,
962ea4f
the effect of these errors may persist across reboots and affect trust in
962ea4f
the underlying hardware, so disable error injection through EINJ if
962ea4f
the kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c5708d5
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/apei/einj.c | 3 +++
962ea4f
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
c5708d5
index b38737c83a24..6d71e1e97b20 100644
962ea4f
--- a/drivers/acpi/apei/einj.c
962ea4f
+++ b/drivers/acpi/apei/einj.c
962ea4f
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
962ea4f
 	int rc;
962ea4f
 	u64 base_addr, size;
c5708d5
c5708d5
+	if (kernel_is_locked_down("ACPI error injection"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	/* If user manually set "flags", make sure it is legal */
962ea4f
 	if (flags && (flags &
962ea4f
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 3153be0328e3a752aacab95d503fbd460f517402 Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:37 +0100
b1f0987
Subject: [PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked
962ea4f
 down
962ea4f
962ea4f
Prohibit replacement of the PCMCIA Card Information Structure when the
962ea4f
kernel is locked down.
962ea4f
c5708d5
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
cc: linux-pcmcia@lists.infradead.org
962ea4f
---
c5708d5
 drivers/pcmcia/cistpl.c | 3 +++
c5708d5
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
37d0749
index 102646fedb56..e46c948d7246 100644
962ea4f
--- a/drivers/pcmcia/cistpl.c
962ea4f
+++ b/drivers/pcmcia/cistpl.c
c5708d5
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
962ea4f
 	struct pcmcia_socket *s;
962ea4f
 	int error;
c5708d5
c5708d5
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	s = to_socket(container_of(kobj, struct device, kobj));
c5708d5
962ea4f
 	if (off)
962ea4f
-- 
37d0749
2.14.3
962ea4f
b1f0987
From 9fedc1427e8589edf2e16a481f8588711adba69a Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:37 +0100
b1f0987
Subject: [PATCH 17/24] Lock down TIOCSSERIAL
962ea4f
962ea4f
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
962ea4f
settings on a serial port.  This only appears to be an issue for the serial
962ea4f
drivers that use the core serial code.  All other drivers seem to either
962ea4f
ignore attempts to change port/irq or give an error.
962ea4f
962ea4f
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
cc: Jiri Slaby <jslaby@suse.com>
962ea4f
---
962ea4f
 drivers/tty/serial/serial_core.c | 6 ++++++
962ea4f
 1 file changed, 6 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
b1f0987
index 0466f9f08a91..360f8e4416c4 100644
962ea4f
--- a/drivers/tty/serial/serial_core.c
962ea4f
+++ b/drivers/tty/serial/serial_core.c
37d0749
@@ -829,6 +829,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
c5708d5
 	new_flags = (__force upf_t)new_info->flags;
962ea4f
 	old_custom_divisor = uport->custom_divisor;
c5708d5
c5708d5
+	if ((change_port || change_irq) &&
c5708d5
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
962ea4f
+		retval = -EPERM;
962ea4f
+		goto exit;
962ea4f
+	}
962ea4f
+
962ea4f
 	if (!capable(CAP_SYS_ADMIN)) {
962ea4f
 		retval = -EPERM;
962ea4f
 		if (change_irq || change_port ||
962ea4f
-- 
37d0749
2.14.3
c5708d5
b1f0987
From f8fd52e2b077ce5a993807f8fc6e27a17cf4d19f Mon Sep 17 00:00:00 2001
c5708d5
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:37 +0100
b1f0987
Subject: [PATCH 18/24] Lock down module params that specify hardware
c5708d5
 parameters (eg. ioport)
c5708d5
c5708d5
Provided an annotation for module parameters that specify hardware
c5708d5
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
c5708d5
dma buffers and other types).
c5708d5
c5708d5
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
c5708d5
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
---
c5708d5
 kernel/params.c | 26 +++++++++++++++++++++-----
c5708d5
 1 file changed, 21 insertions(+), 5 deletions(-)
c5708d5
c5708d5
diff --git a/kernel/params.c b/kernel/params.c
37d0749
index cc9108c2a1fd..2c08c4aa376b 100644
c5708d5
--- a/kernel/params.c
c5708d5
+++ b/kernel/params.c
c5708d5
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
c5708d5
 	return parameqn(a, b, strlen(a)+1);
c5708d5
 }
c5708d5
c5708d5
-static void param_check_unsafe(const struct kernel_param *kp)
c5708d5
+static bool param_check_unsafe(const struct kernel_param *kp,
c5708d5
+			       const char *doing)
c5708d5
 {
c5708d5
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
b1f0987
 		pr_notice("Setting dangerous option %s - tainting kernel\n",
b1f0987
 			  kp->name);
c5708d5
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
c5708d5
 	}
c5708d5
+
c5708d5
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
c5708d5
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
c5708d5
+		return false;
c5708d5
+	return true;
c5708d5
 }
c5708d5
c5708d5
 static int parse_one(char *param,
c5708d5
@@ -144,8 +150,10 @@ static int parse_one(char *param,
c5708d5
 			pr_debug("handling %s with %p\n", param,
c5708d5
 				params[i].ops->set);
c5708d5
 			kernel_param_lock(params[i].mod);
c5708d5
-			param_check_unsafe(&params[i]);
c5708d5
-			err = params[i].ops->set(val, &params[i]);
c5708d5
+			if (param_check_unsafe(&params[i], doing))
c5708d5
+				err = params[i].ops->set(val, &params[i]);
c5708d5
+			else
c5708d5
+				err = -EPERM;
c5708d5
 			kernel_param_unlock(params[i].mod);
c5708d5
 			return err;
c5708d5
 		}
37d0749
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
c5708d5
 	return count;
c5708d5
 }
c5708d5
c5708d5
+#ifdef CONFIG_MODULES
c5708d5
+#define mod_name(mod) (mod)->name
c5708d5
+#else
c5708d5
+#define mod_name(mod) "unknown"
c5708d5
+#endif
c5708d5
+
c5708d5
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
c5708d5
 static ssize_t param_attr_store(struct module_attribute *mattr,
c5708d5
 				struct module_kobject *mk,
37d0749
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
c5708d5
 		return -EPERM;
c5708d5
c5708d5
 	kernel_param_lock(mk->mod);
c5708d5
-	param_check_unsafe(attribute->param);
c5708d5
-	err = attribute->param->ops->set(buf, attribute->param);
c5708d5
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
c5708d5
+		err = attribute->param->ops->set(buf, attribute->param);
c5708d5
+	else
c5708d5
+		err = -EPERM;
c5708d5
 	kernel_param_unlock(mk->mod);
c5708d5
 	if (!err)
c5708d5
 		return len;
c5708d5
-- 
37d0749
2.14.3
c5708d5
b1f0987
From 9c88e2ab392f5ac9c80529e43175fe65d00cdb67 Mon Sep 17 00:00:00 2001
c5708d5
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:38 +0100
b1f0987
Subject: [PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module
c5708d5
c5708d5
The testmmiotrace module shouldn't be permitted when the kernel is locked
c5708d5
down as it can be used to arbitrarily read and write MMIO space.
c5708d5
c5708d5
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
c5708d5
Signed-off-by: David Howells 
c5708d5
cc: Thomas Gleixner <tglx@linutronix.de>
c5708d5
cc: Steven Rostedt <rostedt@goodmis.org>
c5708d5
cc: Ingo Molnar <mingo@kernel.org>
c5708d5
cc: "H. Peter Anvin" <hpa@zytor.com>
c5708d5
cc: x86@kernel.org
c5708d5
---
c5708d5
 arch/x86/mm/testmmiotrace.c | 3 +++
c5708d5
 1 file changed, 3 insertions(+)
c5708d5
c5708d5
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
c5708d5
index f6ae6830b341..bbaad357f5d7 100644
c5708d5
--- a/arch/x86/mm/testmmiotrace.c
c5708d5
+++ b/arch/x86/mm/testmmiotrace.c
c5708d5
@@ -115,6 +115,9 @@ static int __init init(void)
c5708d5
 {
c5708d5
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
c5708d5
c5708d5
+	if (kernel_is_locked_down("MMIO trace testing"))
c5708d5
+		return -EPERM;
c5708d5
+
c5708d5
 	if (mmio_address == 0) {
c5708d5
 		pr_err("you have to use the module argument mmio_address.\n");
c5708d5
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
c5708d5
-- 
37d0749
2.14.3
37d0749
b1f0987
From 256e20401f9f5dd19028d4220095897a15daa67c Mon Sep 17 00:00:00 2001
37d0749
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:38 +0100
b1f0987
Subject: [PATCH 20/24] Lock down /proc/kcore
37d0749
37d0749
Disallow access to /proc/kcore when the kernel is locked down to prevent
37d0749
access to cryptographic data.
37d0749
37d0749
Signed-off-by: David Howells <dhowells@redhat.com>
37d0749
Reviewed-by: James Morris <james.l.morris@oracle.com>
37d0749
---
37d0749
 fs/proc/kcore.c | 2 ++
37d0749
 1 file changed, 2 insertions(+)
37d0749
37d0749
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
37d0749
index d1e82761de81..cdebdee81719 100644
37d0749
--- a/fs/proc/kcore.c
37d0749
+++ b/fs/proc/kcore.c
37d0749
@@ -546,6 +546,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
37d0749
37d0749
 static int open_kcore(struct inode *inode, struct file *filp)
37d0749
 {
37d0749
+	if (kernel_is_locked_down("/proc/kcore"))
37d0749
+		return -EPERM;
37d0749
 	if (!capable(CAP_SYS_RAWIO))
37d0749
 		return -EPERM;
37d0749
37d0749
-- 
37d0749
2.14.3
37d0749
b1f0987
From f68ca24bc8d8a64cf30e59a595fad0e6782e933f Mon Sep 17 00:00:00 2001
37d0749
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:38 +0100
b1f0987
Subject: [PATCH 21/24] Lock down kprobes
37d0749
37d0749
Disallow the creation of kprobes when the kernel is locked down by
37d0749
preventing their registration.  This prevents kprobes from being used to
37d0749
access kernel memory, either to make modifications or to steal crypto data.
37d0749
37d0749
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
37d0749
Signed-off-by: David Howells <dhowells@redhat.com>
37d0749
---
37d0749
 kernel/kprobes.c | 3 +++
37d0749
 1 file changed, 3 insertions(+)
37d0749
37d0749
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
37d0749
index 102160ff5c66..4f5757732553 100644
37d0749
--- a/kernel/kprobes.c
37d0749
+++ b/kernel/kprobes.c
37d0749
@@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p)
37d0749
 	struct module *probed_mod;
37d0749
 	kprobe_opcode_t *addr;
37d0749
37d0749
+	if (kernel_is_locked_down("Use of kprobes"))
37d0749
+		return -EPERM;
37d0749
+
37d0749
 	/* Adjust probe address from symbol */
37d0749
 	addr = kprobe_addr(p);
37d0749
 	if (IS_ERR(addr))
37d0749
-- 
37d0749
2.14.3
37d0749
b1f0987
From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
37d0749
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:38 +0100
b1f0987
Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
37d0749
 kernel is locked down
37d0749
37d0749
There are some bpf functions can be used to read kernel memory:
37d0749
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
37d0749
private keys in kernel memory (e.g. the hibernation image signing key) to
b1f0987
be read by an eBPF program.
37d0749
37d0749
Completely prohibit the use of BPF when the kernel is locked down.
37d0749
37d0749
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
37d0749
Signed-off-by: David Howells <dhowells@redhat.com>
37d0749
cc: netdev@vger.kernel.org
37d0749
cc: Chun-Yi Lee <jlee@suse.com>
37d0749
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
37d0749
---
37d0749
 kernel/bpf/syscall.c | 3 +++
37d0749
 1 file changed, 3 insertions(+)
37d0749
37d0749
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
b1f0987
index 0244973ee544..7457f2676c6d 100644
37d0749
--- a/kernel/bpf/syscall.c
37d0749
+++ b/kernel/bpf/syscall.c
16fb238
@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
37d0749
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
37d0749
 		return -EPERM;
37d0749
37d0749
+	if (kernel_is_locked_down("BPF"))
37d0749
+		return -EPERM;
37d0749
+
16fb238
 	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
37d0749
 	if (err)
37d0749
 		return err;
37d0749
-- 
37d0749
2.14.3
37d0749
b1f0987
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
37d0749
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:38 +0100
b1f0987
Subject: [PATCH 23/24] Lock down perf
37d0749
37d0749
Disallow the use of certain perf facilities that might allow userspace to
37d0749
access kernel data.
37d0749
37d0749
Signed-off-by: David Howells <dhowells@redhat.com>
37d0749
---
37d0749
 kernel/events/core.c | 5 +++++
37d0749
 1 file changed, 5 insertions(+)
37d0749
37d0749
diff --git a/kernel/events/core.c b/kernel/events/core.c
b1f0987
index fc1c330c6bd6..1922f2e0980a 100644
37d0749
--- a/kernel/events/core.c
37d0749
+++ b/kernel/events/core.c
b1f0987
@@ -10407,6 +10407,11 @@ SYSCALL_DEFINE5(perf_event_open,
37d0749
 			return -EINVAL;
37d0749
 	}
37d0749
37d0749
+	if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
37d0749
+	    kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
37d0749
+		/* REGS_INTR can leak data, lockdown must prevent this */
37d0749
+		return -EPERM;
37d0749
+
37d0749
 	/* Only privileged users can get physical addresses */
37d0749
 	if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
37d0749
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
37d0749
-- 
37d0749
2.14.3
c5708d5
b1f0987
From fe5091f97838c8c64b891280bcd30367e71cd5c3 Mon Sep 17 00:00:00 2001
c5708d5
From: David Howells <dhowells@redhat.com>
b1f0987
Date: Wed, 4 Apr 2018 14:45:38 +0100
b1f0987
Subject: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked
37d0749
 down
37d0749
37d0749
Disallow opening of debugfs files that might be used to muck around when
37d0749
the kernel is locked down as various drivers give raw access to hardware
37d0749
through debugfs.  Given the effort of auditing all 2000 or so files and
37d0749
manually fixing each one as necessary, I've chosen to apply a heuristic
37d0749
instead.  The following changes are made:
37d0749
37d0749
 (1) chmod and chown are disallowed on debugfs objects (though the root dir
37d0749
     can be modified by mount and remount, but I'm not worried about that).
c5708d5
37d0749
 (2) When the kernel is locked down, only files with the following criteria
37d0749
     are permitted to be opened:
c5708d5
37d0749
	- The file must have mode 00444
37d0749
	- The file must not have ioctl methods
37d0749
	- The file must not have mmap
c5708d5
37d0749
 (3) When the kernel is locked down, files may only be opened for reading.
37d0749
37d0749
Normal device interaction should be done through configfs, sysfs or a
37d0749
miscdev, not debugfs.
c5708d5
c5708d5
Note that this makes it unnecessary to specifically lock down show_dsts(),
c5708d5
show_devs() and show_call() in the asus-wmi driver.
c5708d5
37d0749
I would actually prefer to lock down all files by default and have the
37d0749
the files unlocked by the creator.  This is tricky to manage correctly,
37d0749
though, as there are 19 creation functions and ~1600 call sites (some of
37d0749
them in loops scanning tables).
37d0749
c5708d5
Signed-off-by: David Howells <dhowells@redhat.com>
c5708d5
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
c5708d5
cc: acpi4asus-user@lists.sourceforge.net
c5708d5
cc: platform-driver-x86@vger.kernel.org
37d0749
cc: Matthew Garrett <mjg59@srcf.ucam.org>
c5708d5
cc: Thomas Gleixner <tglx@linutronix.de>
c5708d5
---
37d0749
 fs/debugfs/file.c  | 28 ++++++++++++++++++++++++++++
37d0749
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
37d0749
 2 files changed, 56 insertions(+), 2 deletions(-)
c5708d5
c5708d5
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
37d0749
index 1f99678ff5d3..51cb894c21f2 100644
c5708d5
--- a/fs/debugfs/file.c
c5708d5
+++ b/fs/debugfs/file.c
37d0749
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
37d0749
 }
37d0749
 EXPORT_SYMBOL_GPL(debugfs_file_put);
37d0749
37d0749
+/*
37d0749
+ * Only permit access to world-readable files when the kernel is locked down.
37d0749
+ * We also need to exclude any file that has ways to write or alter it as root
37d0749
+ * can bypass the permissions check.
37d0749
+ */
37d0749
+static bool debugfs_is_locked_down(struct inode *inode,
37d0749
+				   struct file *filp,
37d0749
+				   const struct file_operations *real_fops)
37d0749
+{
37d0749
+	if ((inode->i_mode & 07777) == 0444 &&
37d0749
+	    !(filp->f_mode & FMODE_WRITE) &&
37d0749
+	    !real_fops->unlocked_ioctl &&
37d0749
+	    !real_fops->compat_ioctl &&
37d0749
+	    !real_fops->mmap)
37d0749
+		return false;
c5708d5
+
37d0749
+	return kernel_is_locked_down("debugfs");
37d0749
+}
f8e9b44
+
37d0749
 static int open_proxy_open(struct inode *inode, struct file *filp)
37d0749
 {
37d0749
 	struct dentry *dentry = F_DENTRY(filp);
37d0749
@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
f8e9b44
 		return r == -EIO ? -ENOENT : r;
37d0749
37d0749
 	real_fops = debugfs_real_fops(filp);
37d0749
+
37d0749
+	r = -EPERM;
37d0749
+	if (debugfs_is_locked_down(inode, filp, real_fops))
37d0749
+		goto out;
c5708d5
+
37d0749
 	real_fops = fops_get(real_fops);
37d0749
 	if (!real_fops) {
37d0749
 		/* Huh? Module did not clean up after itself at exit? */
37d0749
@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
f8e9b44
 		return r == -EIO ? -ENOENT : r;
c5708d5
37d0749
 	real_fops = debugfs_real_fops(filp);
37d0749
+	r = -EPERM;
37d0749
+	if (debugfs_is_locked_down(inode, filp, real_fops))
37d0749
+		goto out;
37d0749
+
37d0749
 	real_fops = fops_get(real_fops);
37d0749
 	if (!real_fops) {
37d0749
 		/* Huh? Module did not cleanup after itself at exit? */
37d0749
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
b1f0987
index 13b01351dd1c..4daec17b8215 100644
37d0749
--- a/fs/debugfs/inode.c
37d0749
+++ b/fs/debugfs/inode.c
37d0749
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount;
37d0749
 static int debugfs_mount_count;
37d0749
 static bool debugfs_registered;
c5708d5
37d0749
+/*
37d0749
+ * Don't allow access attributes to be changed whilst the kernel is locked down
37d0749
+ * so that we can use the file mode as part of a heuristic to determine whether
37d0749
+ * to lock down individual files.
37d0749
+ */
37d0749
+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
37d0749
+{
37d0749
+	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
37d0749
+	    kernel_is_locked_down("debugfs"))
c5708d5
+		return -EPERM;
37d0749
+	return simple_setattr(dentry, ia);
37d0749
+}
37d0749
+
37d0749
+static const struct inode_operations debugfs_file_inode_operations = {
37d0749
+	.setattr	= debugfs_setattr,
37d0749
+};
37d0749
+static const struct inode_operations debugfs_dir_inode_operations = {
37d0749
+	.lookup		= simple_lookup,
37d0749
+	.setattr	= debugfs_setattr,
37d0749
+};
37d0749
+static const struct inode_operations debugfs_symlink_inode_operations = {
37d0749
+	.get_link	= simple_get_link,
37d0749
+	.setattr	= debugfs_setattr,
37d0749
+};
37d0749
+
37d0749
 static struct inode *debugfs_get_inode(struct super_block *sb)
37d0749
 {
37d0749
 	struct inode *inode = new_inode(sb);
b1f0987
@@ -356,6 +381,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
37d0749
 	inode->i_mode = mode;
37d0749
 	inode->i_private = data;
37d0749
37d0749
+	inode->i_op = &debugfs_file_inode_operations;
37d0749
 	inode->i_fop = proxy_fops;
37d0749
 	dentry->d_fsdata = (void *)((unsigned long)real_fops |
37d0749
 				DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
16fb238
@@ -515,7 +541,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
37d0749
 		return failed_creating(dentry);
16fb238
 
37d0749
 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
37d0749
-	inode->i_op = &simple_dir_inode_operations;
37d0749
+	inode->i_op = &debugfs_dir_inode_operations;
37d0749
 	inode->i_fop = &simple_dir_operations;
37d0749
37d0749
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
b1f0987
@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
37d0749
 		return failed_creating(dentry);
37d0749
 	}
37d0749
 	inode->i_mode = S_IFLNK | S_IRWXUGO;
37d0749
-	inode->i_op = &simple_symlink_inode_operations;
37d0749
+	inode->i_op = &debugfs_symlink_inode_operations;
37d0749
 	inode->i_link = link;
37d0749
 	d_instantiate(dentry, inode);
37d0749
 	return end_creating(dentry);
c5708d5
-- 
37d0749
2.14.3
c5708d5