From c2eb371cede78df9a47bf3a125aa9a45dd833da7 Mon Sep 17 00:00:00 2001

From: Kyle McMartin <kyle@redhat.com>

Date: Mon, 9 Apr 2018 09:52:45 +0100

Subject: [PATCH] Add a SysRq option to lift kernel lockdown

Make an option to provide a sysrq key that will lift the kernel lockdown,

thereby allowing the running kernel image to be accessed and modified.

On x86 this is triggered with SysRq+x, but this key may not be available on

all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.

Since this macro must be defined in an arch to be able to use this facility

for that arch, the Kconfig option is restricted to arches that support it.

Signed-off-by: Kyle McMartin <kyle@redhat.com>

Signed-off-by: David Howells <dhowells@redhat.com>

cc: x86@kernel.org

Signed-off-by: Jeremy Cline <jcline@redhat.com>

---

 arch/x86/include/asm/setup.h |  2 ++

 drivers/input/misc/uinput.c  |  1 +

 drivers/tty/sysrq.c          | 27 +++++++++++++---------

 include/linux/input.h        |  5 +++++

 include/linux/sysrq.h        |  8 ++++++-

 kernel/debug/kdb/kdb_main.c  |  2 +-

 security/lockdown/Kconfig    | 11 +++++++++

 security/lockdown/lockdown.c | 43 ++++++++++++++++++++++++++++++++++++

 8 files changed, 87 insertions(+), 12 deletions(-)

diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h

index ed8ec011a9fd..8daf633a5347 100644

--- a/arch/x86/include/asm/setup.h

+++ b/arch/x86/include/asm/setup.h

@@ -9,6 +9,8 @@

 #include <linux/linkage.h>

 #include <asm/page_types.h>

+#define LOCKDOWN_LIFT_KEY 'x'

+

 #ifdef __i386__

 #include <linux/pfn.h>

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c

index 84051f20b18a..583ab2bc1916 100644

--- a/drivers/input/misc/uinput.c

+++ b/drivers/input/misc/uinput.c

@@ -353,6 +353,7 @@ static int uinput_create_device(struct uinput_device *udev)

 		dev->flush = uinput_dev_flush;

 	}

+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;

 	dev->event = uinput_dev_event;

 	input_set_drvdata(udev->dev, udev);

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c

index 573b2055173c..99082faafc44 100644

--- a/drivers/tty/sysrq.c

+++ b/drivers/tty/sysrq.c

@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {

 	/* x: May be registered on mips for TLB dump */

 	/* x: May be registered on ppc/powerpc for xmon */

 	/* x: May be registered on sparc64 for global PMU dump */

+	/* x: May be registered on x86_64 for disabling secure boot */

 	NULL,				/* x */

 	/* y: May be registered on sparc64 for global register dump */

 	NULL,				/* y */

@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)

                 sysrq_key_table[i] = op_p;

 }

-void __handle_sysrq(int key, bool check_mask)

+void __handle_sysrq(int key, unsigned int from)

 {

 	struct sysrq_key_op *op_p;

 	int orig_log_level;

@@ -546,11 +547,15 @@ void __handle_sysrq(int key, bool check_mask)

         op_p = __sysrq_get_key_op(key);

         if (op_p) {

-		/*

-		 * Should we check for enabled operations (/proc/sysrq-trigger

-		 * should not) and is the invoked operation enabled?

-		 */

-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {

+		/* Ban synthetic events from some sysrq functionality */

+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&

+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {

+			printk("This sysrq operation is disabled from userspace.\n");

+		} else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {

+			/*

+			 * Should we check for enabled operations (/proc/sysrq-trigger

+			 * should not) and is the invoked operation enabled?

+			 */

 			pr_info("%s\n", op_p->action_msg);

 			console_loglevel = orig_log_level;

 			op_p->handler(key);

@@ -585,7 +590,7 @@ void __handle_sysrq(int key, bool check_mask)

 void handle_sysrq(int key)

 {

 	if (sysrq_on())

-		__handle_sysrq(key, true);

+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);

 }

 EXPORT_SYMBOL(handle_sysrq);

@@ -665,7 +670,7 @@ static void sysrq_do_reset(struct timer_list *t)

 static void sysrq_handle_reset_request(struct sysrq_state *state)

 {

 	if (state->reset_requested)

-		__handle_sysrq(sysrq_xlate[KEY_B], false);

+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);

 	if (sysrq_reset_downtime_ms)

 		mod_timer(&state->keyreset_timer,

@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,

 	default:

 		if (sysrq->active && value && value != 2) {

+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?

+					SYSRQ_FROM_SYNTHETIC : 0;

 			sysrq->need_reinject = false;

-			__handle_sysrq(sysrq_xlate[code], true);

+			__handle_sysrq(sysrq_xlate[code], from);

 		}

 		break;

 	}

@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,

 		if (get_user(c, buf))

 			return -EFAULT;

-		__handle_sysrq(c, false);

+		__handle_sysrq(c, SYSRQ_FROM_PROC);

 	}

 	return count;

diff --git a/include/linux/input.h b/include/linux/input.h

index 94f277cd806a..8539afa2c001 100644

--- a/include/linux/input.h

+++ b/include/linux/input.h

@@ -48,6 +48,7 @@ enum input_clock_type {

  * @phys: physical path to the device in the system hierarchy

  * @uniq: unique identification code for the device (if device has it)

  * @id: id of the device (struct input_id)

+ * @flags: input device flags (SYNTHETIC, etc.)

  * @propbit: bitmap of device properties and quirks

  * @evbit: bitmap of types of events supported by the device (EV_KEY,

  *	EV_REL, etc.)

@@ -134,6 +135,8 @@ struct input_dev {

 	const char *uniq;

 	struct input_id id;

+	unsigned int flags;

+

 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];

 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];

@@ -204,6 +207,8 @@ struct input_dev {

 };

 #define to_input_dev(d) container_of(d, struct input_dev, dev)

+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001

+

 /*

  * Verify that we are in sync with input_device_id mod_devicetable.h #defines

  */

diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h

index 8c71874e8485..7de1f08b60a9 100644

--- a/include/linux/sysrq.h

+++ b/include/linux/sysrq.h

@@ -29,6 +29,8 @@

 #define SYSRQ_ENABLE_BOOT	0x0080

 #define SYSRQ_ENABLE_RTNICE	0x0100

+#define SYSRQ_DISABLE_USERSPACE	0x00010000

+

 struct sysrq_key_op {

 	void (*handler)(int);

 	char *help_msg;

@@ -43,8 +45,12 @@ struct sysrq_key_op {

  * are available -- else NULL's).

  */

+#define SYSRQ_FROM_KERNEL	0x0001

+#define SYSRQ_FROM_PROC		0x0002

+#define SYSRQ_FROM_SYNTHETIC	0x0004

+

 void handle_sysrq(int key);

-void __handle_sysrq(int key, bool check_mask);

+void __handle_sysrq(int key, unsigned int from);

 int register_sysrq_key(int key, struct sysrq_key_op *op);

 int unregister_sysrq_key(int key, struct sysrq_key_op *op);

 struct sysrq_key_op *__sysrq_get_key_op(int key);

diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c

index 4567fe998c30..d05142ef44c4 100644

--- a/kernel/debug/kdb/kdb_main.c

+++ b/kernel/debug/kdb/kdb_main.c

@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv)

 		return KDB_ARGCOUNT;

 	kdb_trap_printk++;

-	__handle_sysrq(*argv[1], check_mask);

+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);

 	kdb_trap_printk--;

 	return 0;

diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig

index e84ddf484010..20e979178e1c 100644

--- a/security/lockdown/Kconfig

+++ b/security/lockdown/Kconfig

@@ -45,3 +45,14 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY

 	 disabled.

 endchoice

+

+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ

+	bool "Allow the kernel lockdown to be lifted by SysRq"

+    depends on SECURITY_LOCKDOWN_LSM

+    depends on !LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY

+    depends on !LOCK_DOWN_KERNEL_FORCE_INTEGRITY

+    depends on MAGIC_SYSRQ

+    depends on X86

+	help

+      Allow setting the lockdown mode to "none" by pressing a SysRq key

+      combination on a wired keyboard. On x86, this is SysRq+x

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c

index 8a10b43daf74..df4662257309 100644

--- a/security/lockdown/lockdown.c

+++ b/security/lockdown/lockdown.c

@@ -13,6 +13,8 @@

 #include <linux/security.h>

 #include <linux/export.h>

 #include <linux/lsm_hooks.h>

+#include <linux/sysrq.h>

+#include <asm/setup.h>

 static enum lockdown_reason kernel_locked_down;

@@ -179,6 +181,47 @@ static int __init lockdown_secfs_init(void)

 	return PTR_ERR_OR_ZERO(dentry);

 }

+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ

+

+/*

+ * Take the kernel out of lockdown mode.

+ */

+static void lift_kernel_lockdown(void)

+{

+	pr_notice("Lifting lockdown\n");

+	kernel_locked_down = LOCKDOWN_NONE;

+}

+

+/*

+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by

+ * echoing the appropriate letter into the sysrq-trigger file).

+ */

+static void sysrq_handle_lockdown_lift(int key)

+{

+	if (kernel_locked_down)

+		lift_kernel_lockdown();

+}

+

+static struct sysrq_key_op lockdown_lift_sysrq_op = {

+	.handler	= sysrq_handle_lockdown_lift,

+	.help_msg	= "unSB(x)",

+	.action_msg	= "Disabling Secure Boot restrictions",

+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,

+};

+

+static int __init lockdown_lift_sysrq(void)

+{

+	if (kernel_locked_down) {

+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;

+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);

+	}

+	return 0;

+}

+

+late_initcall(lockdown_lift_sysrq);

+

+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */

+

 core_initcall(lockdown_secfs_init);

 #ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY

-- 

2.21.0