|
Lee, Chun-Yi |
b157d4 |
From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
|
|
Lee, Chun-Yi |
b157d4 |
From: Jeremy Cline <jcline@redhat.com>
|
|
Lee, Chun-Yi |
b157d4 |
Date: Mon, 30 Sep 2019 21:22:47 +0000
|
|
Lee, Chun-Yi |
b157d4 |
Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
|
|
Lee, Chun-Yi |
b157d4 |
Patch-mainline: Never, Fedora Core 32
|
|
Lee, Chun-Yi |
b157d4 |
References: jsc#SLE-9870
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
In order to automatically lock down kernels running on UEFI machines
|
|
Lee, Chun-Yi |
b157d4 |
booted in Secure Boot mode, expose the lock_kernel_down() hook.
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
|
Lee, Chun-Yi |
b157d4 |
Acked-by: Lee, Chun-Yi <jlee@suse.com>
|
|
Lee, Chun-Yi |
b157d4 |
---
|
|
Lee, Chun-Yi |
b157d4 |
include/linux/lsm_hook_defs.h | 1 +
|
|
Lee, Chun-Yi |
b157d4 |
include/linux/lsm_hooks.h | 6 ++++++
|
|
Lee, Chun-Yi |
b157d4 |
include/linux/security.h | 5 +++++
|
|
Lee, Chun-Yi |
b157d4 |
security/lockdown/lockdown.c | 1 +
|
|
Lee, Chun-Yi |
b157d4 |
security/security.c | 6 ++++++
|
|
Lee, Chun-Yi |
b157d4 |
5 files changed, 19 insertions(+)
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
--- a/include/linux/lsm_hook_defs.h
|
|
Lee, Chun-Yi |
b157d4 |
+++ b/include/linux/lsm_hook_defs.h
|
|
Lee, Chun-Yi |
b157d4 |
@@ -403,6 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_fr
|
|
Lee, Chun-Yi |
b157d4 |
#endif /* CONFIG_BPF_SYSCALL */
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
|
|
Lee, Chun-Yi |
b157d4 |
+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
#ifdef CONFIG_PERF_EVENTS
|
|
Lee, Chun-Yi |
b157d4 |
LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
|
|
Lee, Chun-Yi |
b157d4 |
--- a/include/linux/lsm_hooks.h
|
|
Lee, Chun-Yi |
b157d4 |
+++ b/include/linux/lsm_hooks.h
|
|
Lee, Chun-Yi |
b157d4 |
@@ -1618,6 +1618,12 @@
|
|
Lee, Chun-Yi |
b157d4 |
* @what: kernel feature being accessed.
|
|
Lee, Chun-Yi |
b157d4 |
* Return 0 if permission is granted.
|
|
Lee, Chun-Yi |
b157d4 |
*
|
|
Lee, Chun-Yi |
b157d4 |
+ * @lock_kernel_down
|
|
Lee, Chun-Yi |
b157d4 |
+ * Put the kernel into lock-down mode.
|
|
Lee, Chun-Yi |
b157d4 |
+ *
|
|
Lee, Chun-Yi |
b157d4 |
+ * @where: Where the lock-down is originating from (e.g. command line option)
|
|
Lee, Chun-Yi |
b157d4 |
+ * @level: The lock-down level (can only increase)
|
|
Lee, Chun-Yi |
b157d4 |
+ *
|
|
Lee, Chun-Yi |
b157d4 |
* Security hooks for perf events
|
|
Lee, Chun-Yi |
b157d4 |
*
|
|
Lee, Chun-Yi |
b157d4 |
* @perf_event_open:
|
|
Lee, Chun-Yi |
b157d4 |
--- a/include/linux/security.h
|
|
Lee, Chun-Yi |
b157d4 |
+++ b/include/linux/security.h
|
|
Lee, Chun-Yi |
b157d4 |
@@ -487,6 +487,7 @@ int security_inode_notifysecctx(struct i
|
|
Lee, Chun-Yi |
b157d4 |
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
|
|
Lee, Chun-Yi |
b157d4 |
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
|
|
Lee, Chun-Yi |
b157d4 |
int security_locked_down(enum lockdown_reason what);
|
|
Lee, Chun-Yi |
b157d4 |
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
|
|
Lee, Chun-Yi |
b157d4 |
#else /* CONFIG_SECURITY */
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
|
|
Lee, Chun-Yi |
b157d4 |
@@ -1402,6 +1403,10 @@ static inline int security_locked_down(e
|
|
Lee, Chun-Yi |
b157d4 |
{
|
|
Lee, Chun-Yi |
b157d4 |
return 0;
|
|
Lee, Chun-Yi |
b157d4 |
}
|
|
Lee, Chun-Yi |
b157d4 |
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
|
|
Lee, Chun-Yi |
b157d4 |
+{
|
|
Lee, Chun-Yi |
b157d4 |
+ return 0;
|
|
Lee, Chun-Yi |
b157d4 |
+}
|
|
Lee, Chun-Yi |
b157d4 |
#endif /* CONFIG_SECURITY */
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
|
|
Lee, Chun-Yi |
b157d4 |
--- a/security/lockdown/lockdown.c
|
|
Lee, Chun-Yi |
b157d4 |
+++ b/security/lockdown/lockdown.c
|
|
Lee, Chun-Yi |
b157d4 |
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
|
|
Lee, Chun-Yi |
b157d4 |
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
|
|
Lee, Chun-Yi |
b157d4 |
+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
|
|
Lee, Chun-Yi |
b157d4 |
};
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
static int __init lockdown_lsm_init(void)
|
|
Lee, Chun-Yi |
b157d4 |
--- a/security/security.c
|
|
Lee, Chun-Yi |
b157d4 |
+++ b/security/security.c
|
|
Lee, Chun-Yi |
b157d4 |
@@ -2705,6 +2705,12 @@ int security_locked_down(enum lockdown_r
|
|
Lee, Chun-Yi |
b157d4 |
}
|
|
Lee, Chun-Yi |
b157d4 |
EXPORT_SYMBOL(security_locked_down);
|
|
Lee, Chun-Yi |
b157d4 |
|
|
Lee, Chun-Yi |
b157d4 |
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
|
|
Lee, Chun-Yi |
b157d4 |
+{
|
|
Lee, Chun-Yi |
b157d4 |
+ return call_int_hook(lock_kernel_down, 0, where, level);
|
|
Lee, Chun-Yi |
b157d4 |
+}
|
|
Lee, Chun-Yi |
b157d4 |
+EXPORT_SYMBOL(security_lock_kernel_down);
|
|
Lee, Chun-Yi |
b157d4 |
+
|
|
Lee, Chun-Yi |
b157d4 |
#ifdef CONFIG_PERF_EVENTS
|
|
Lee, Chun-Yi |
b157d4 |
int security_perf_event_open(struct perf_event_attr *attr, int type)
|
|
Lee, Chun-Yi |
b157d4 |
{
|