Jeremy Cline 5df4c5
From c2eb371cede78df9a47bf3a125aa9a45dd833da7 Mon Sep 17 00:00:00 2001
ead55f
From: Kyle McMartin <kyle@redhat.com>
ead55f
Date: Mon, 9 Apr 2018 09:52:45 +0100
Jeremy Cline 5df4c5
Subject: [PATCH] Add a SysRq option to lift kernel lockdown
ead55f
ead55f
Make an option to provide a sysrq key that will lift the kernel lockdown,
ead55f
thereby allowing the running kernel image to be accessed and modified.
ead55f
ead55f
On x86 this is triggered with SysRq+x, but this key may not be available on
ead55f
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
ead55f
Since this macro must be defined in an arch to be able to use this facility
ead55f
for that arch, the Kconfig option is restricted to arches that support it.
ead55f
ead55f
Signed-off-by: Kyle McMartin <kyle@redhat.com>
ead55f
Signed-off-by: David Howells <dhowells@redhat.com>
ead55f
cc: x86@kernel.org
Jeremy Cline 5df4c5
Signed-off-by: Jeremy Cline <jcline@redhat.com>
ead55f
---
ead55f
 arch/x86/include/asm/setup.h |  2 ++
ead55f
 drivers/input/misc/uinput.c  |  1 +
Jeremy Cline 5df4c5
 drivers/tty/sysrq.c          | 27 +++++++++++++---------
Jeremy Cline 5df4c5
 include/linux/input.h        |  5 +++++
Jeremy Cline 5df4c5
 include/linux/sysrq.h        |  8 ++++++-
ead55f
 kernel/debug/kdb/kdb_main.c  |  2 +-
Jeremy Cline 5df4c5
 security/lockdown/Kconfig    | 11 +++++++++
Jeremy Cline 5df4c5
 security/lockdown/lockdown.c | 43 ++++++++++++++++++++++++++++++++++++
Jeremy Cline 5df4c5
 8 files changed, 87 insertions(+), 12 deletions(-)
ead55f
ead55f
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
ead55f
index ed8ec011a9fd..8daf633a5347 100644
ead55f
--- a/arch/x86/include/asm/setup.h
ead55f
+++ b/arch/x86/include/asm/setup.h
ead55f
@@ -9,6 +9,8 @@
ead55f
 #include <linux/linkage.h>
ead55f
 #include <asm/page_types.h>
ead55f
 
ead55f
+#define LOCKDOWN_LIFT_KEY 'x'
ead55f
+
ead55f
 #ifdef __i386__
ead55f
 
ead55f
 #include <linux/pfn.h>
ead55f
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
4cbd7a
index 84051f20b18a..583ab2bc1916 100644
ead55f
--- a/drivers/input/misc/uinput.c
ead55f
+++ b/drivers/input/misc/uinput.c
4cbd7a
@@ -353,6 +353,7 @@ static int uinput_create_device(struct uinput_device *udev)
ead55f
 		dev->flush = uinput_dev_flush;
ead55f
 	}
ead55f
 
ead55f
+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
ead55f
 	dev->event = uinput_dev_event;
ead55f
 
ead55f
 	input_set_drvdata(udev->dev, udev);
ead55f
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
Jeremy Cline 5df4c5
index 573b2055173c..99082faafc44 100644
ead55f
--- a/drivers/tty/sysrq.c
ead55f
+++ b/drivers/tty/sysrq.c
ead55f
@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
ead55f
 	/* x: May be registered on mips for TLB dump */
ead55f
 	/* x: May be registered on ppc/powerpc for xmon */
ead55f
 	/* x: May be registered on sparc64 for global PMU dump */
ead55f
+	/* x: May be registered on x86_64 for disabling secure boot */
ead55f
 	NULL,				/* x */
ead55f
 	/* y: May be registered on sparc64 for global register dump */
ead55f
 	NULL,				/* y */
ead55f
@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
ead55f
                 sysrq_key_table[i] = op_p;
ead55f
 }
ead55f
 
ead55f
-void __handle_sysrq(int key, bool check_mask)
ead55f
+void __handle_sysrq(int key, unsigned int from)
ead55f
 {
ead55f
 	struct sysrq_key_op *op_p;
ead55f
 	int orig_log_level;
4cbd7a
@@ -546,11 +547,15 @@ void __handle_sysrq(int key, bool check_mask)
ead55f
 
ead55f
         op_p = __sysrq_get_key_op(key);
ead55f
         if (op_p) {
Jeremy Cline 5df4c5
-		/*
Jeremy Cline 5df4c5
-		 * Should we check for enabled operations (/proc/sysrq-trigger
Jeremy Cline 5df4c5
-		 * should not) and is the invoked operation enabled?
Jeremy Cline 5df4c5
-		 */
Jeremy Cline 5df4c5
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
ead55f
+		/* Ban synthetic events from some sysrq functionality */
ead55f
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
Jeremy Cline 5df4c5
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
ead55f
+			printk("This sysrq operation is disabled from userspace.\n");
Jeremy Cline 5df4c5
+		} else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
Jeremy Cline 5df4c5
+			/*
Jeremy Cline 5df4c5
+			 * Should we check for enabled operations (/proc/sysrq-trigger
Jeremy Cline 5df4c5
+			 * should not) and is the invoked operation enabled?
Jeremy Cline 5df4c5
+			 */
ead55f
 			pr_info("%s\n", op_p->action_msg);
ead55f
 			console_loglevel = orig_log_level;
ead55f
 			op_p->handler(key);
4cbd7a
@@ -585,7 +590,7 @@ void __handle_sysrq(int key, bool check_mask)
ead55f
 void handle_sysrq(int key)
ead55f
 {
ead55f
 	if (sysrq_on())
ead55f
-		__handle_sysrq(key, true);
ead55f
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
ead55f
 }
ead55f
 EXPORT_SYMBOL(handle_sysrq);
ead55f
 
4cbd7a
@@ -665,7 +670,7 @@ static void sysrq_do_reset(struct timer_list *t)
ead55f
 static void sysrq_handle_reset_request(struct sysrq_state *state)
ead55f
 {
ead55f
 	if (state->reset_requested)
ead55f
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
ead55f
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
ead55f
 
ead55f
 	if (sysrq_reset_downtime_ms)
ead55f
 		mod_timer(&state->keyreset_timer,
4cbd7a
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
ead55f
 
ead55f
 	default:
ead55f
 		if (sysrq->active && value && value != 2) {
ead55f
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
ead55f
+					SYSRQ_FROM_SYNTHETIC : 0;
ead55f
 			sysrq->need_reinject = false;
ead55f
-			__handle_sysrq(sysrq_xlate[code], true);
ead55f
+			__handle_sysrq(sysrq_xlate[code], from);
ead55f
 		}
ead55f
 		break;
ead55f
 	}
4cbd7a
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
ead55f
 
ead55f
 		if (get_user(c, buf))
ead55f
 			return -EFAULT;
ead55f
-		__handle_sysrq(c, false);
ead55f
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
ead55f
 	}
ead55f
 
ead55f
 	return count;
ead55f
diff --git a/include/linux/input.h b/include/linux/input.h
Jeremy Cline 5df4c5
index 94f277cd806a..8539afa2c001 100644
ead55f
--- a/include/linux/input.h
ead55f
+++ b/include/linux/input.h
Jeremy Cline 5df4c5
@@ -48,6 +48,7 @@ enum input_clock_type {
ead55f
  * @phys: physical path to the device in the system hierarchy
ead55f
  * @uniq: unique identification code for the device (if device has it)
ead55f
  * @id: id of the device (struct input_id)
ead55f
+ * @flags: input device flags (SYNTHETIC, etc.)
ead55f
  * @propbit: bitmap of device properties and quirks
ead55f
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
ead55f
  *	EV_REL, etc.)
Jeremy Cline 5df4c5
@@ -134,6 +135,8 @@ struct input_dev {
ead55f
 	const char *uniq;
ead55f
 	struct input_id id;
ead55f
 
ead55f
+	unsigned int flags;
ead55f
+
ead55f
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
ead55f
 
ead55f
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
Jeremy Cline 5df4c5
@@ -204,6 +207,8 @@ struct input_dev {
ead55f
 };
ead55f
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
ead55f
 
ead55f
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
ead55f
+
ead55f
 /*
ead55f
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
ead55f
  */
ead55f
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
ead55f
index 8c71874e8485..7de1f08b60a9 100644
ead55f
--- a/include/linux/sysrq.h
ead55f
+++ b/include/linux/sysrq.h
ead55f
@@ -29,6 +29,8 @@
ead55f
 #define SYSRQ_ENABLE_BOOT	0x0080
ead55f
 #define SYSRQ_ENABLE_RTNICE	0x0100
ead55f
 
ead55f
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
ead55f
+
ead55f
 struct sysrq_key_op {
ead55f
 	void (*handler)(int);
ead55f
 	char *help_msg;
ead55f
@@ -43,8 +45,12 @@ struct sysrq_key_op {
ead55f
  * are available -- else NULL's).
ead55f
  */
ead55f
 
ead55f
+#define SYSRQ_FROM_KERNEL	0x0001
ead55f
+#define SYSRQ_FROM_PROC		0x0002
ead55f
+#define SYSRQ_FROM_SYNTHETIC	0x0004
ead55f
+
ead55f
 void handle_sysrq(int key);
ead55f
-void __handle_sysrq(int key, bool check_mask);
ead55f
+void __handle_sysrq(int key, unsigned int from);
ead55f
 int register_sysrq_key(int key, struct sysrq_key_op *op);
ead55f
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
ead55f
 struct sysrq_key_op *__sysrq_get_key_op(int key);
ead55f
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
Jeremy Cline 5df4c5
index 4567fe998c30..d05142ef44c4 100644
ead55f
--- a/kernel/debug/kdb/kdb_main.c
ead55f
+++ b/kernel/debug/kdb/kdb_main.c
ead55f
@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv)
ead55f
 		return KDB_ARGCOUNT;
ead55f
 
ead55f
 	kdb_trap_printk++;
ead55f
-	__handle_sysrq(*argv[1], check_mask);
ead55f
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
ead55f
 	kdb_trap_printk--;
ead55f
 
ead55f
 	return 0;
Jeremy Cline 5df4c5
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
Jeremy Cline 5df4c5
index e84ddf484010..20e979178e1c 100644
Jeremy Cline 5df4c5
--- a/security/lockdown/Kconfig
Jeremy Cline 5df4c5
+++ b/security/lockdown/Kconfig
Jeremy Cline 5df4c5
@@ -45,3 +45,14 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
Jeremy Cline 5df4c5
 	 disabled.
4cbd7a
 
Jeremy Cline 5df4c5
 endchoice
ead55f
+
Jeremy Cline 5df4c5
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
Jeremy Cline 5df4c5
+	bool "Allow the kernel lockdown to be lifted by SysRq"
Jeremy Cline 5df4c5
+    depends on SECURITY_LOCKDOWN_LSM
Jeremy Cline 5df4c5
+    depends on !LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
Jeremy Cline 5df4c5
+    depends on !LOCK_DOWN_KERNEL_FORCE_INTEGRITY
Jeremy Cline 5df4c5
+    depends on MAGIC_SYSRQ
Jeremy Cline 5df4c5
+    depends on X86
Jeremy Cline 5df4c5
+	help
Jeremy Cline 5df4c5
+      Allow setting the lockdown mode to "none" by pressing a SysRq key
Jeremy Cline 5df4c5
+      combination on a wired keyboard. On x86, this is SysRq+x
Jeremy Cline 5df4c5
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
Jeremy Cline 5df4c5
index 8a10b43daf74..df4662257309 100644
Jeremy Cline 5df4c5
--- a/security/lockdown/lockdown.c
Jeremy Cline 5df4c5
+++ b/security/lockdown/lockdown.c
Jeremy Cline 5df4c5
@@ -13,6 +13,8 @@
ead55f
 #include <linux/security.h>
ead55f
 #include <linux/export.h>
Jeremy Cline 5df4c5
 #include <linux/lsm_hooks.h>
ead55f
+#include <linux/sysrq.h>
ead55f
+#include <asm/setup.h>
4cbd7a
 
Jeremy Cline 5df4c5
 static enum lockdown_reason kernel_locked_down;
4cbd7a
 
Jeremy Cline 5df4c5
@@ -179,6 +181,47 @@ static int __init lockdown_secfs_init(void)
Jeremy Cline 5df4c5
 	return PTR_ERR_OR_ZERO(dentry);
ead55f
 }
Jeremy Cline 5df4c5
 
ead55f
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
ead55f
+
ead55f
+/*
ead55f
+ * Take the kernel out of lockdown mode.
ead55f
+ */
ead55f
+static void lift_kernel_lockdown(void)
ead55f
+{
ead55f
+	pr_notice("Lifting lockdown\n");
Jeremy Cline 5df4c5
+	kernel_locked_down = LOCKDOWN_NONE;
ead55f
+}
ead55f
+
ead55f
+/*
ead55f
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
ead55f
+ * echoing the appropriate letter into the sysrq-trigger file).
ead55f
+ */
ead55f
+static void sysrq_handle_lockdown_lift(int key)
ead55f
+{
ead55f
+	if (kernel_locked_down)
ead55f
+		lift_kernel_lockdown();
ead55f
+}
ead55f
+
ead55f
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
ead55f
+	.handler	= sysrq_handle_lockdown_lift,
ead55f
+	.help_msg	= "unSB(x)",
ead55f
+	.action_msg	= "Disabling Secure Boot restrictions",
ead55f
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
ead55f
+};
ead55f
+
ead55f
+static int __init lockdown_lift_sysrq(void)
ead55f
+{
ead55f
+	if (kernel_locked_down) {
ead55f
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
ead55f
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
ead55f
+	}
ead55f
+	return 0;
ead55f
+}
ead55f
+
ead55f
+late_initcall(lockdown_lift_sysrq);
ead55f
+
ead55f
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
Jeremy Cline 5df4c5
+
Jeremy Cline 5df4c5
 core_initcall(lockdown_secfs_init);
Jeremy Cline 5df4c5
 
Jeremy Cline 5df4c5
 #ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
ead55f
-- 
4cbd7a
2.21.0
Jeremy Cline 5df4c5