Commit | Line | Data |
---|---|---|
9b091556 KC |
1 | /* |
2 | * Module and Firmware Pinning Security Module | |
3 | * | |
4 | * Copyright 2011-2016 Google Inc. | |
5 | * | |
6 | * Author: Kees Cook <keescook@chromium.org> | |
7 | * | |
8 | * This software is licensed under the terms of the GNU General Public | |
9 | * License version 2, as published by the Free Software Foundation, and | |
10 | * may be copied, distributed, and modified under those terms. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | */ | |
17 | ||
18 | #define pr_fmt(fmt) "LoadPin: " fmt | |
19 | ||
20 | #include <linux/module.h> | |
21 | #include <linux/fs.h> | |
9b091556 KC |
22 | #include <linux/lsm_hooks.h> |
23 | #include <linux/mount.h> | |
24 | #include <linux/path.h> | |
25 | #include <linux/sched.h> /* current */ | |
26 | #include <linux/string_helpers.h> | |
27 | ||
28 | static void report_load(const char *origin, struct file *file, char *operation) | |
29 | { | |
30 | char *cmdline, *pathname; | |
31 | ||
32 | pathname = kstrdup_quotable_file(file, GFP_KERNEL); | |
33 | cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL); | |
34 | ||
35 | pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n", | |
36 | origin, operation, | |
37 | (pathname && pathname[0] != '<') ? "\"" : "", | |
38 | pathname, | |
39 | (pathname && pathname[0] != '<') ? "\"" : "", | |
40 | task_pid_nr(current), | |
41 | cmdline ? "\"" : "", cmdline, cmdline ? "\"" : ""); | |
42 | ||
43 | kfree(cmdline); | |
44 | kfree(pathname); | |
45 | } | |
46 | ||
13523bef | 47 | static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE); |
9b091556 KC |
48 | static struct super_block *pinned_root; |
49 | static DEFINE_SPINLOCK(pinned_root_spinlock); | |
50 | ||
51 | #ifdef CONFIG_SYSCTL | |
52 | static int zero; | |
53 | static int one = 1; | |
54 | ||
55 | static struct ctl_path loadpin_sysctl_path[] = { | |
56 | { .procname = "kernel", }, | |
57 | { .procname = "loadpin", }, | |
58 | { } | |
59 | }; | |
60 | ||
61 | static struct ctl_table loadpin_sysctl_table[] = { | |
62 | { | |
13523bef KC |
63 | .procname = "enforce", |
64 | .data = &enforce, | |
9b091556 KC |
65 | .maxlen = sizeof(int), |
66 | .mode = 0644, | |
67 | .proc_handler = proc_dointvec_minmax, | |
68 | .extra1 = &zero, | |
69 | .extra2 = &one, | |
70 | }, | |
71 | { } | |
72 | }; | |
73 | ||
74 | /* | |
75 | * This must be called after early kernel init, since then the rootdev | |
76 | * is available. | |
77 | */ | |
78 | static void check_pinning_enforcement(struct super_block *mnt_sb) | |
79 | { | |
80 | bool ro = false; | |
81 | ||
82 | /* | |
83 | * If load pinning is not enforced via a read-only block | |
84 | * device, allow sysctl to change modes for testing. | |
85 | */ | |
86 | if (mnt_sb->s_bdev) { | |
f4b626d6 KC |
87 | char bdev[BDEVNAME_SIZE]; |
88 | ||
9b091556 | 89 | ro = bdev_read_only(mnt_sb->s_bdev); |
f4b626d6 KC |
90 | bdevname(mnt_sb->s_bdev, bdev); |
91 | pr_info("%s (%u:%u): %s\n", bdev, | |
9b091556 KC |
92 | MAJOR(mnt_sb->s_bdev->bd_dev), |
93 | MINOR(mnt_sb->s_bdev->bd_dev), | |
94 | ro ? "read-only" : "writable"); | |
95 | } else | |
96 | pr_info("mnt_sb lacks block device, treating as: writable\n"); | |
97 | ||
98 | if (!ro) { | |
99 | if (!register_sysctl_paths(loadpin_sysctl_path, | |
100 | loadpin_sysctl_table)) | |
101 | pr_notice("sysctl registration failed!\n"); | |
102 | else | |
13523bef | 103 | pr_info("enforcement can be disabled.\n"); |
9b091556 KC |
104 | } else |
105 | pr_info("load pinning engaged.\n"); | |
106 | } | |
107 | #else | |
108 | static void check_pinning_enforcement(struct super_block *mnt_sb) | |
109 | { | |
110 | pr_info("load pinning engaged.\n"); | |
111 | } | |
112 | #endif | |
113 | ||
114 | static void loadpin_sb_free_security(struct super_block *mnt_sb) | |
115 | { | |
116 | /* | |
117 | * When unmounting the filesystem we were using for load | |
118 | * pinning, we acknowledge the superblock release, but make sure | |
119 | * no other modules or firmware can be loaded. | |
120 | */ | |
121 | if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) { | |
122 | pinned_root = ERR_PTR(-EIO); | |
123 | pr_info("umount pinned fs: refusing further loads\n"); | |
124 | } | |
125 | } | |
126 | ||
127 | static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) | |
128 | { | |
129 | struct super_block *load_root; | |
130 | const char *origin = kernel_read_file_id_str(id); | |
131 | ||
132 | /* This handles the older init_module API that has a NULL file. */ | |
133 | if (!file) { | |
13523bef | 134 | if (!enforce) { |
9b091556 KC |
135 | report_load(origin, NULL, "old-api-pinning-ignored"); |
136 | return 0; | |
137 | } | |
138 | ||
139 | report_load(origin, NULL, "old-api-denied"); | |
140 | return -EPERM; | |
141 | } | |
142 | ||
143 | load_root = file->f_path.mnt->mnt_sb; | |
144 | ||
145 | /* First loaded module/firmware defines the root for all others. */ | |
146 | spin_lock(&pinned_root_spinlock); | |
147 | /* | |
148 | * pinned_root is only NULL at startup. Otherwise, it is either | |
149 | * a valid reference, or an ERR_PTR. | |
150 | */ | |
151 | if (!pinned_root) { | |
152 | pinned_root = load_root; | |
153 | /* | |
154 | * Unlock now since it's only pinned_root we care about. | |
155 | * In the worst case, we will (correctly) report pinning | |
156 | * failures before we have announced that pinning is | |
13523bef | 157 | * enforcing. This would be purely cosmetic. |
9b091556 KC |
158 | */ |
159 | spin_unlock(&pinned_root_spinlock); | |
160 | check_pinning_enforcement(pinned_root); | |
161 | report_load(origin, file, "pinned"); | |
162 | } else { | |
163 | spin_unlock(&pinned_root_spinlock); | |
164 | } | |
165 | ||
166 | if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) { | |
13523bef | 167 | if (unlikely(!enforce)) { |
9b091556 KC |
168 | report_load(origin, file, "pinning-ignored"); |
169 | return 0; | |
170 | } | |
171 | ||
172 | report_load(origin, file, "denied"); | |
173 | return -EPERM; | |
174 | } | |
175 | ||
176 | return 0; | |
177 | } | |
178 | ||
c77b8cdf MZ |
179 | static int loadpin_load_data(enum kernel_load_data_id id) |
180 | { | |
181 | return loadpin_read_file(NULL, (enum kernel_read_file_id) id); | |
182 | } | |
183 | ||
ca97d939 | 184 | static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { |
9b091556 KC |
185 | LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), |
186 | LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), | |
c77b8cdf | 187 | LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), |
9b091556 KC |
188 | }; |
189 | ||
190 | void __init loadpin_add_hooks(void) | |
191 | { | |
13523bef KC |
192 | pr_info("ready to pin (currently %senforcing)\n", |
193 | enforce ? "" : "not "); | |
d69dece5 | 194 | security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); |
9b091556 KC |
195 | } |
196 | ||
197 | /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ | |
13523bef KC |
198 | module_param(enforce, int, 0); |
199 | MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning"); |