security/loadpin improvement
- Allow exclusion of specific file types (Ke Wu) -----BEGIN PGP SIGNATURE----- Comment: Kees Cook <kees@outflux.net> iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAl0kFSgWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJjQ+D/sFRaH6jqo1svYBmD1UZ8rSCYsq qXuBFfuZMNGkP2tWEXKVKc3+dKWxv+gHnXNO9K7lGeIQkH0LpEGy+ObqE+dnrdLp wjVF6gWuZJ2iKzD+ZgaQnN+AmXcuRz/0NHRE2xvmw1u7V2wvZQoEasTNNe+P8yIZ +VU9bTegdhZ0gEpPHbVyKNqOcRsX0cvReD5LsE5XTuNElTo3i0FH7tr+EXRAPnKU gxtr+LGGldyZ0w618tHuWTwZJWVZw9V9uxdxxfQ41qKoZGRA2bvG3h8PGE6AwwWo KrTEAHjiWoCXDzQgZuZpLPvpqkCcW71+jCCdqz3KKs0NS8zp1Rba6WVxcKFZioa5 ROqCxwt/8sJQDF/vI/pZOhG0SsADZdAduUAwR+oNJmy4Y8ZPBPSTzJHcIsV9zUVN /OhKljyta8H30XpIQN56eQgIYl+M4MqXqFmEkTNziYclpZR64Td1umMcb831va0J dAbxHK4v3Uf9/w5PqKsFkOECBwzaRT0colHPlEl77Qlh9lC6/cZrY2JtO9zr/f1D yvZwQMCW/qk0jikKUqbERCv2GH3DOrBUQrAxgm+GCbS4ZTAjIXHOjjLIJIJPDvBz jzkk/zgYJqW3LKwHIgdVw0Ilh4FnFS+SG4OLfUsH5uauaedU2t0exvFakEwtK3Uc LCI7pT0GGnM0EKbxQQ== =eVyy -----END PGP SIGNATURE----- Merge tag 'loadpin-v5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull security/loadpin updates from Kees Cook: - Allow exclusion of specific file types (Ke Wu) * tag 'loadpin-v5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: security/loadpin: Allow to exclude specific file types
This commit is contained in:
Linus Torvalds
commit
c079512aad
|
|
@ -19,3 +19,13 @@ block device backing the filesystem is not read-only, a sysctl is
|
|||
created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
|
||||
a mutable filesystem means pinning is mutable too, but having the
|
||||
sysctl allows for easy testing on systems with a mutable filesystem.)
|
||||
|
||||
It's also possible to exclude specific file types from LoadPin using kernel
|
||||
command line option "``loadpin.exclude``". By default, all files are
|
||||
included, but they can be excluded using kernel command line option such
|
||||
as "``loadpin.exclude=kernel-module,kexec-image``". This allows to use
|
||||
different mechanisms such as ``CONFIG_MODULE_SIG`` and
|
||||
``CONFIG_KEXEC_VERIFY_SIG`` to verify kernel module and kernel image while
|
||||
still use LoadPin to protect the integrity of other files kernel loads. The
|
||||
full list of valid file types can be found in ``kernel_read_file_str``
|
||||
defined in ``include/linux/fs.h``.
|
||||
|
|
|
|||
|
|
@ -37,6 +37,8 @@ static void report_load(const char *origin, struct file *file, char *operation)
|
|||
}
|
||||
|
||||
static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
|
||||
static char *exclude_read_files[READING_MAX_ID];
|
||||
static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
|
||||
static struct super_block *pinned_root;
|
||||
static DEFINE_SPINLOCK(pinned_root_spinlock);
|
||||
|
||||
|
|
@ -121,6 +123,13 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
|
|||
struct super_block *load_root;
|
||||
const char *origin = kernel_read_file_id_str(id);
|
||||
|
||||
/* If the file id is excluded, ignore the pinning. */
|
||||
if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
|
||||
ignore_read_file_id[id]) {
|
||||
report_load(origin, file, "pinning-excluded");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* This handles the older init_module API that has a NULL file. */
|
||||
if (!file) {
|
||||
if (!enforce) {
|
||||
|
|
@ -179,10 +188,47 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
|
|||
LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
|
||||
};
|
||||
|
||||
static void __init parse_exclude(void)
|
||||
{
|
||||
int i, j;
|
||||
char *cur;
|
||||
|
||||
/*
|
||||
* Make sure all the arrays stay within expected sizes. This
|
||||
* is slightly weird because kernel_read_file_str[] includes
|
||||
* READING_MAX_ID, which isn't actually meaningful here.
|
||||
*/
|
||||
BUILD_BUG_ON(ARRAY_SIZE(exclude_read_files) !=
|
||||
ARRAY_SIZE(ignore_read_file_id));
|
||||
BUILD_BUG_ON(ARRAY_SIZE(kernel_read_file_str) <
|
||||
ARRAY_SIZE(ignore_read_file_id));
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(exclude_read_files); i++) {
|
||||
cur = exclude_read_files[i];
|
||||
if (!cur)
|
||||
break;
|
||||
if (*cur == '\0')
|
||||
continue;
|
||||
|
||||
for (j = 0; j < ARRAY_SIZE(ignore_read_file_id); j++) {
|
||||
if (strcmp(cur, kernel_read_file_str[j]) == 0) {
|
||||
pr_info("excluding: %s\n",
|
||||
kernel_read_file_str[j]);
|
||||
ignore_read_file_id[j] = 1;
|
||||
/*
|
||||
* Can not break, because one read_file_str
|
||||
* may map to more than on read_file_id.
|
||||
*/
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int __init loadpin_init(void)
|
||||
{
|
||||
pr_info("ready to pin (currently %senforcing)\n",
|
||||
enforce ? "" : "not ");
|
||||
parse_exclude();
|
||||
security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -195,3 +241,5 @@ DEFINE_LSM(loadpin) = {
|
|||
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
|
||||
module_param(enforce, int, 0);
|
||||
MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
|
||||
module_param_array_named(exclude, exclude_read_files, charp, NULL, 0);
|
||||
MODULE_PARM_DESC(exclude, "Exclude pinning specific read file types");
|
||||
|
|
|
|||
Loading…
Reference in New Issue