Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 20657f66 authored by David Howells's avatar David Howells Committed by James Morris
Browse files

lockdown: Lock down module params that specify hardware parameters (eg. ioport) 



Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).

Suggested-by: default avatarAlan Cox <gnomes@lxorguk.ukuu.org.uk>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarMatthew Garrett <mjg59@google.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Cc: Jessica Yu <jeyu@kernel.org>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 794edf30

include/linux/security.h

+1 −0
Original line number Diff line number Diff line
@@ -113,6 +113,7 @@ enum lockdown_reason { 
	LOCKDOWN_ACPI_TABLES,

	LOCKDOWN_PCMCIA_CIS,

	LOCKDOWN_TIOCSSERIAL,

	LOCKDOWN_MODULE_PARAMETERS,

	LOCKDOWN_INTEGRITY_MAX,

	LOCKDOWN_CONFIDENTIALITY_MAX,

};

kernel/params.c

+16 −5
Original line number Diff line number Diff line
@@ -12,6 +12,7 @@ 
#include <linux/err.h>

#include <linux/slab.h>

#include <linux/ctype.h>

#include <linux/security.h>



#ifdef CONFIG_SYSFS

/* Protects all built-in parameters, modules use their own param_lock */
@@ -96,13 +97,19 @@ bool parameq(const char *a, const char *b) 
	return parameqn(a, b, strlen(a)+1);

}



static void param_check_unsafe(const struct kernel_param *kp)

static bool param_check_unsafe(const struct kernel_param *kp)

{

	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&

	    security_locked_down(LOCKDOWN_MODULE_PARAMETERS))

		return false;



	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {

		pr_notice("Setting dangerous option %s - tainting kernel\n",

			  kp->name);

		add_taint(TAINT_USER, LOCKDEP_STILL_OK);

	}



	return true;

}



static int parse_one(char *param,
@@ -132,8 +139,10 @@ static int parse_one(char *param, 
			pr_debug("handling %s with %p\n", param,

				params[i].ops->set);

			kernel_param_lock(params[i].mod);

			param_check_unsafe(&params[i]);

			if (param_check_unsafe(&params[i]))

				err = params[i].ops->set(val, &params[i]);

			else

				err = -EPERM;

			kernel_param_unlock(params[i].mod);

			return err;

		}
@@ -553,8 +562,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, 
		return -EPERM;



	kernel_param_lock(mk->mod);

	param_check_unsafe(attribute->param);

	if (param_check_unsafe(attribute->param))

		err = attribute->param->ops->set(buf, attribute->param);

	else

		err = -EPERM;

	kernel_param_unlock(mk->mod);

	if (!err)

		return len;

security/lockdown/lockdown.c

+1 −0
Original line number Diff line number Diff line
@@ -28,6 +28,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { 
	[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",

	[LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",

	[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",

	[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",

	[LOCKDOWN_INTEGRITY_MAX] = "integrity",

	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",

};