forked from Minki/linux
eec4844fae
In the sysctl code the proc_dointvec_minmax() function is often used to validate the user supplied value between an allowed range. This function uses the extra1 and extra2 members from struct ctl_table as minimum and maximum allowed value. On sysctl handler declaration, in every source file there are some readonly variables containing just an integer which address is assigned to the extra1 and extra2 members, so the sysctl range is enforced. The special values 0, 1 and INT_MAX are very often used as range boundary, leading duplication of variables like zero=0, one=1, int_max=INT_MAX in different source files: $ git grep -E '\.extra[12].*&(zero|one|int_max)' |wc -l 248 Add a const int array containing the most commonly used values, some macros to refer more easily to the correct array member, and use them instead of creating a local one for every object file. This is the bloat-o-meter output comparing the old and new binary compiled with the default Fedora config: # scripts/bloat-o-meter -d vmlinux.o.old vmlinux.o add/remove: 2/2 grow/shrink: 0/2 up/down: 24/-188 (-164) Data old new delta sysctl_vals - 12 +12 __kstrtab_sysctl_vals - 12 +12 max 14 10 -4 int_max 16 - -16 one 68 - -68 zero 128 28 -100 Total: Before=20583249, After=20583085, chg -0.00% [mcroce@redhat.com: tipc: remove two unused variables] Link: http://lkml.kernel.org/r/20190530091952.4108-1-mcroce@redhat.com [akpm@linux-foundation.org: fix net/ipv6/sysctl_net_ipv6.c] [arnd@arndb.de: proc/sysctl: make firmware loader table conditional] Link: http://lkml.kernel.org/r/20190617130014.1713870-1-arnd@arndb.de [akpm@linux-foundation.org: fix fs/eventpoll.c] Link: http://lkml.kernel.org/r/20190430180111.10688-1-mcroce@redhat.com Signed-off-by: Matteo Croce <mcroce@redhat.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Kees Cook <keescook@chromium.org> Reviewed-by: Aaron Tomlin <atomlin@redhat.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
244 lines
6.3 KiB
C
244 lines
6.3 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Module and Firmware Pinning Security Module
|
|
*
|
|
* Copyright 2011-2016 Google Inc.
|
|
*
|
|
* Author: Kees Cook <keescook@chromium.org>
|
|
*/
|
|
|
|
#define pr_fmt(fmt) "LoadPin: " fmt
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/lsm_hooks.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/path.h>
|
|
#include <linux/sched.h> /* current */
|
|
#include <linux/string_helpers.h>
|
|
|
|
static void report_load(const char *origin, struct file *file, char *operation)
|
|
{
|
|
char *cmdline, *pathname;
|
|
|
|
pathname = kstrdup_quotable_file(file, GFP_KERNEL);
|
|
cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
|
|
|
|
pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
|
|
origin, operation,
|
|
(pathname && pathname[0] != '<') ? "\"" : "",
|
|
pathname,
|
|
(pathname && pathname[0] != '<') ? "\"" : "",
|
|
task_pid_nr(current),
|
|
cmdline ? "\"" : "", cmdline, cmdline ? "\"" : "");
|
|
|
|
kfree(cmdline);
|
|
kfree(pathname);
|
|
}
|
|
|
|
static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
|
|
static char *exclude_read_files[READING_MAX_ID];
|
|
static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
|
|
static struct super_block *pinned_root;
|
|
static DEFINE_SPINLOCK(pinned_root_spinlock);
|
|
|
|
#ifdef CONFIG_SYSCTL
|
|
|
|
static struct ctl_path loadpin_sysctl_path[] = {
|
|
{ .procname = "kernel", },
|
|
{ .procname = "loadpin", },
|
|
{ }
|
|
};
|
|
|
|
static struct ctl_table loadpin_sysctl_table[] = {
|
|
{
|
|
.procname = "enforce",
|
|
.data = &enforce,
|
|
.maxlen = sizeof(int),
|
|
.mode = 0644,
|
|
.proc_handler = proc_dointvec_minmax,
|
|
.extra1 = SYSCTL_ZERO,
|
|
.extra2 = SYSCTL_ONE,
|
|
},
|
|
{ }
|
|
};
|
|
|
|
/*
|
|
* This must be called after early kernel init, since then the rootdev
|
|
* is available.
|
|
*/
|
|
static void check_pinning_enforcement(struct super_block *mnt_sb)
|
|
{
|
|
bool ro = false;
|
|
|
|
/*
|
|
* If load pinning is not enforced via a read-only block
|
|
* device, allow sysctl to change modes for testing.
|
|
*/
|
|
if (mnt_sb->s_bdev) {
|
|
char bdev[BDEVNAME_SIZE];
|
|
|
|
ro = bdev_read_only(mnt_sb->s_bdev);
|
|
bdevname(mnt_sb->s_bdev, bdev);
|
|
pr_info("%s (%u:%u): %s\n", bdev,
|
|
MAJOR(mnt_sb->s_bdev->bd_dev),
|
|
MINOR(mnt_sb->s_bdev->bd_dev),
|
|
ro ? "read-only" : "writable");
|
|
} else
|
|
pr_info("mnt_sb lacks block device, treating as: writable\n");
|
|
|
|
if (!ro) {
|
|
if (!register_sysctl_paths(loadpin_sysctl_path,
|
|
loadpin_sysctl_table))
|
|
pr_notice("sysctl registration failed!\n");
|
|
else
|
|
pr_info("enforcement can be disabled.\n");
|
|
} else
|
|
pr_info("load pinning engaged.\n");
|
|
}
|
|
#else
|
|
static void check_pinning_enforcement(struct super_block *mnt_sb)
|
|
{
|
|
pr_info("load pinning engaged.\n");
|
|
}
|
|
#endif
|
|
|
|
static void loadpin_sb_free_security(struct super_block *mnt_sb)
|
|
{
|
|
/*
|
|
* When unmounting the filesystem we were using for load
|
|
* pinning, we acknowledge the superblock release, but make sure
|
|
* no other modules or firmware can be loaded.
|
|
*/
|
|
if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
|
|
pinned_root = ERR_PTR(-EIO);
|
|
pr_info("umount pinned fs: refusing further loads\n");
|
|
}
|
|
}
|
|
|
|
static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
|
|
{
|
|
struct super_block *load_root;
|
|
const char *origin = kernel_read_file_id_str(id);
|
|
|
|
/* If the file id is excluded, ignore the pinning. */
|
|
if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
|
|
ignore_read_file_id[id]) {
|
|
report_load(origin, file, "pinning-excluded");
|
|
return 0;
|
|
}
|
|
|
|
/* This handles the older init_module API that has a NULL file. */
|
|
if (!file) {
|
|
if (!enforce) {
|
|
report_load(origin, NULL, "old-api-pinning-ignored");
|
|
return 0;
|
|
}
|
|
|
|
report_load(origin, NULL, "old-api-denied");
|
|
return -EPERM;
|
|
}
|
|
|
|
load_root = file->f_path.mnt->mnt_sb;
|
|
|
|
/* First loaded module/firmware defines the root for all others. */
|
|
spin_lock(&pinned_root_spinlock);
|
|
/*
|
|
* pinned_root is only NULL at startup. Otherwise, it is either
|
|
* a valid reference, or an ERR_PTR.
|
|
*/
|
|
if (!pinned_root) {
|
|
pinned_root = load_root;
|
|
/*
|
|
* Unlock now since it's only pinned_root we care about.
|
|
* In the worst case, we will (correctly) report pinning
|
|
* failures before we have announced that pinning is
|
|
* enforcing. This would be purely cosmetic.
|
|
*/
|
|
spin_unlock(&pinned_root_spinlock);
|
|
check_pinning_enforcement(pinned_root);
|
|
report_load(origin, file, "pinned");
|
|
} else {
|
|
spin_unlock(&pinned_root_spinlock);
|
|
}
|
|
|
|
if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) {
|
|
if (unlikely(!enforce)) {
|
|
report_load(origin, file, "pinning-ignored");
|
|
return 0;
|
|
}
|
|
|
|
report_load(origin, file, "denied");
|
|
return -EPERM;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int loadpin_load_data(enum kernel_load_data_id id)
|
|
{
|
|
return loadpin_read_file(NULL, (enum kernel_read_file_id) id);
|
|
}
|
|
|
|
static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
|
|
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
|
|
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
|
|
LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
|
|
};
|
|
|
|
static void __init parse_exclude(void)
|
|
{
|
|
int i, j;
|
|
char *cur;
|
|
|
|
/*
|
|
* Make sure all the arrays stay within expected sizes. This
|
|
* is slightly weird because kernel_read_file_str[] includes
|
|
* READING_MAX_ID, which isn't actually meaningful here.
|
|
*/
|
|
BUILD_BUG_ON(ARRAY_SIZE(exclude_read_files) !=
|
|
ARRAY_SIZE(ignore_read_file_id));
|
|
BUILD_BUG_ON(ARRAY_SIZE(kernel_read_file_str) <
|
|
ARRAY_SIZE(ignore_read_file_id));
|
|
|
|
for (i = 0; i < ARRAY_SIZE(exclude_read_files); i++) {
|
|
cur = exclude_read_files[i];
|
|
if (!cur)
|
|
break;
|
|
if (*cur == '\0')
|
|
continue;
|
|
|
|
for (j = 0; j < ARRAY_SIZE(ignore_read_file_id); j++) {
|
|
if (strcmp(cur, kernel_read_file_str[j]) == 0) {
|
|
pr_info("excluding: %s\n",
|
|
kernel_read_file_str[j]);
|
|
ignore_read_file_id[j] = 1;
|
|
/*
|
|
* Can not break, because one read_file_str
|
|
* may map to more than on read_file_id.
|
|
*/
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
static int __init loadpin_init(void)
|
|
{
|
|
pr_info("ready to pin (currently %senforcing)\n",
|
|
enforce ? "" : "not ");
|
|
parse_exclude();
|
|
security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
|
|
return 0;
|
|
}
|
|
|
|
DEFINE_LSM(loadpin) = {
|
|
.name = "loadpin",
|
|
.init = loadpin_init,
|
|
};
|
|
|
|
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
|
|
module_param(enforce, int, 0);
|
|
MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
|
|
module_param_array_named(exclude, exclude_read_files, charp, NULL, 0);
|
|
MODULE_PARM_DESC(exclude, "Exclude pinning specific read file types");
|