Skip to content
This repository has been archived by the owner on Sep 24, 2020. It is now read-only.

Rebase changes from the v4.8.6 branch #28

Merged
merged 21 commits into from
Nov 29, 2016
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
61aa910
security, overlayfs: provide copy up security hook for unioned files
rhvgoyal Jul 19, 2016
591db70
selinux: Implementation for inode_copy_up() hook
rhvgoyal Jul 19, 2016
c4b0abc
security,overlayfs: Provide security hook for copy up of xattrs for o…
rhvgoyal Jul 19, 2016
0b0daf4
selinux: Implementation for inode_copy_up_xattr() hook
rhvgoyal Jul 19, 2016
27a7af7
selinux: Pass security pointer to determine_inode_label()
rhvgoyal Jul 19, 2016
1271cf9
security, overlayfs: Provide hook to correctly label newly created files
rhvgoyal Jul 19, 2016
2c1808b
selinux: Implement dentry_create_files_as() hook
rhvgoyal Jul 19, 2016
11eef9a
Add secure_modules() call
Aug 9, 2013
e2e5d62
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
dac8156
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
af958e1
ACPI: Limit access to custom_method
Mar 9, 2012
78eca91
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
d012dc5
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
c5afea7
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
ef69c62
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
7328100
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
30317cc
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
fe523b6
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
e75618e
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
e2c1136
hibernate: Disable in a signed modules environment
Jun 20, 2014
7856850
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Documentation/x86/zero-page.txt
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
1EB/001 ALL kbd_status Numlock is enabled
1EC/001 ALL secure_boot Secure boot is enabled in the firmware
1EF/001 ALL sentinel Used to detect broken bootloaders
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
Expand Down
3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@:

sub-make:
$(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR) \
$(Q)$(MAKE) -C $(KBUILD_OUTPUT) \
KBUILD_SRC=$(shell realpath --relative-to=$(KBUILD_OUTPUT) $(CURDIR)) \
-f $(CURDIR)/Makefile $(filter-out _all sub-make,$(MAKECMDGOALS))

# Leave processing to above invocation of make
Expand Down
11 changes: 11 additions & 0 deletions arch/x86/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -1774,6 +1774,17 @@ config EFI_MIXED

If unsure, say N.

config EFI_SECURE_BOOT_SIG_ENFORCE
def_bool n
depends on EFI
prompt "Force module signing when UEFI Secure Boot is enabled"
---help---
UEFI Secure Boot provides a mechanism for ensuring that the
firmware will only load signed bootloaders and kernels. Certain
use cases may also require that all kernel modules also be signed.
Say Y here to automatically enable module signature enforcement
when a system boots with UEFI Secure Boot enabled.

config SECCOMP
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
Expand Down
35 changes: 35 additions & 0 deletions arch/x86/boot/compressed/eboot.c
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
#include <asm/efi.h>
#include <asm/setup.h>
#include <asm/desc.h>
#include <asm/bootparam_utils.h>

#include "../string.h"
#include "eboot.h"
Expand Down Expand Up @@ -571,6 +572,36 @@ static void setup_efi_pci(struct boot_params *params)
efi_call_early(free_pool, pci_handle);
}

static int get_secure_boot(void)
{
u8 sb, setup;
unsigned long datasize = sizeof(sb);
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;

status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
L"SecureBoot", &var_guid, NULL, &datasize, &sb);

if (status != EFI_SUCCESS)
return 0;

if (sb == 0)
return 0;


status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
L"SetupMode", &var_guid, NULL, &datasize,
&setup);

if (status != EFI_SUCCESS)
return 0;

if (setup == 1)
return 0;

return 1;
}

static efi_status_t
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
{
Expand Down Expand Up @@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c,
else
setup_boot_services32(efi_early);

sanitize_boot_params(boot_params);

boot_params->secure_boot = get_secure_boot();

setup_graphics(boot_params);

setup_efi_pci(boot_params);
Expand Down
3 changes: 2 additions & 1 deletion arch/x86/include/uapi/asm/bootparam.h
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,8 @@ struct boot_params {
__u8 eddbuf_entries; /* 0x1e9 */
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
__u8 kbd_status; /* 0x1eb */
__u8 _pad5[3]; /* 0x1ec */
__u8 secure_boot; /* 0x1ec */
__u8 _pad5[2]; /* 0x1ed */
/*
* The sentinel is set to a nonzero value (0xff) in header.S.
*
Expand Down
5 changes: 3 additions & 2 deletions arch/x86/kernel/ioport.c
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
#include <linux/thread_info.h>
#include <linux/syscalls.h>
#include <linux/bitmap.h>
#include <linux/module.h>
#include <asm/syscalls.h>

/*
Expand All @@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)

if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
if (turn_on && !capable(CAP_SYS_RAWIO))
if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
return -EPERM;

/*
Expand Down Expand Up @@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
return -EINVAL;
/* Trying to gain more privileges? */
if (level > old) {
if (!capable(CAP_SYS_RAWIO))
if (!capable(CAP_SYS_RAWIO) || secure_modules())
return -EPERM;
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
Expand Down
7 changes: 7 additions & 0 deletions arch/x86/kernel/msr.c
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;

if (secure_modules())
return -EPERM;

if (count % 8)
return -EINVAL; /* Invalid chunk size */

Expand Down Expand Up @@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EBADF;
break;
}
if (secure_modules()) {
err = -EPERM;
break;
}
if (copy_from_user(&regs, uregs, sizeof regs)) {
err = -EFAULT;
break;
Expand Down
8 changes: 8 additions & 0 deletions arch/x86/kernel/setup.c
Original file line number Diff line number Diff line change
Expand Up @@ -1160,6 +1160,14 @@ void __init setup_arch(char **cmdline_p)

io_delay_init();

#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
set_bit(EFI_SECURE_BOOT, &efi.flags);
enforce_signed_modules();
pr_info("Secure boot enabled\n");
}
#endif

/*
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
Expand Down
3 changes: 3 additions & 0 deletions drivers/acpi/custom_method.c
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
struct acpi_table_header table;
acpi_status status;

if (secure_modules())
return -EPERM;

if (!(*ppos)) {
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
Expand Down
3 changes: 2 additions & 1 deletion drivers/acpi/osl.c
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
#include <linux/list.h>
#include <linux/jiffies.h>
#include <linux/semaphore.h>
#include <linux/module.h>

#include <asm/io.h>
#include <asm/uaccess.h>
Expand Down Expand Up @@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
acpi_physical_address __init acpi_os_get_root_pointer(void)
{
#ifdef CONFIG_KEXEC
if (acpi_rsdp)
if (acpi_rsdp && !secure_modules())
return acpi_rsdp;
#endif

Expand Down
10 changes: 10 additions & 0 deletions drivers/char/mem.c
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
#include <linux/export.h>
#include <linux/io.h>
#include <linux/uio.h>
#include <linux/module.h>

#include <linux/uaccess.h>

Expand Down Expand Up @@ -163,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;

if (secure_modules())
return -EPERM;

if (!valid_phys_addr_range(p, count))
return -EFAULT;

Expand Down Expand Up @@ -509,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;

if (secure_modules())
return -EPERM;

if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
Expand Down Expand Up @@ -574,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos;
const char __user *tmp = buf;

if (secure_modules())
return -EPERM;

if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT;
while (count-- > 0 && i < 65536) {
Expand Down
10 changes: 10 additions & 0 deletions drivers/pci/pci-sysfs.c
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
#include <linux/vgaarb.h>
#include <linux/pm_runtime.h>
#include <linux/of.h>
#include <linux/module.h>
#include "pci.h"

static int sysfs_initialized; /* = 0 */
Expand Down Expand Up @@ -716,6 +717,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8 *) buf;

if (secure_modules())
return -EPERM;

if (off > dev->cfg_size)
return 0;
if (off + count > dev->cfg_size) {
Expand Down Expand Up @@ -1007,6 +1011,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
resource_size_t start, end;
int i;

if (secure_modules())
return -EPERM;

for (i = 0; i < PCI_ROM_RESOURCE; i++)
if (res == &pdev->resource[i])
break;
Expand Down Expand Up @@ -1106,6 +1113,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
{
if (secure_modules())
return -EPERM;

return pci_resource_io(filp, kobj, attr, buf, off, count, true);
}

Expand Down
8 changes: 7 additions & 1 deletion drivers/pci/proc.c
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
int size = dev->cfg_size;
int cnt;

if (secure_modules())
return -EPERM;

if (pos >= size)
return 0;
if (nbytes >= size)
Expand Down Expand Up @@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
#endif /* HAVE_PCI_MMAP */
int ret = 0;

if (secure_modules())
return -EPERM;

switch (cmd) {
case PCIIOC_CONTROLLER:
ret = pci_domain_nr(dev->bus);
Expand Down Expand Up @@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
struct pci_filp_private *fpriv = file->private_data;
int i, ret, write_combine;

if (!capable(CAP_SYS_RAWIO))
if (!capable(CAP_SYS_RAWIO) || secure_modules())
return -EPERM;

/* Make sure the caller is mapping a real resource for this device */
Expand Down
3 changes: 2 additions & 1 deletion drivers/pci/syscall.c
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
#include <linux/errno.h>
#include <linux/pci.h>
#include <linux/syscalls.h>
#include <linux/module.h>
#include <asm/uaccess.h>
#include "pci.h"

Expand Down Expand Up @@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
u32 dword;
int err = 0;

if (!capable(CAP_SYS_ADMIN))
if (!capable(CAP_SYS_ADMIN) || secure_modules())
return -EPERM;

dev = pci_get_bus_and_slot(bus, dfn);
Expand Down
9 changes: 9 additions & 0 deletions drivers/platform/x86/asus-wmi.c
Original file line number Diff line number Diff line change
Expand Up @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;

if (secure_modules())
return -EPERM;

err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);

if (err < 0)
Expand All @@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;

if (secure_modules())
return -EPERM;

err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);

Expand All @@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;

if (secure_modules())
return -EPERM;

status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
1, asus->debug.method_id,
&input, &output);
Expand Down
22 changes: 22 additions & 0 deletions fs/overlayfs/copy_up.c
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,13 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
goto retry;
}

error = security_inode_copy_up_xattr(name);
if (error < 0 && error != -EOPNOTSUPP)
break;
if (error == 1) {
error = 0;
continue; /* Discard */
}
error = vfs_setxattr(new, name, value, size, 0);
if (error)
break;
Expand Down Expand Up @@ -260,6 +267,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
struct dentry *upper = NULL;
umode_t mode = stat->mode;
int err;
const struct cred *old_creds = NULL;
struct cred *new_creds = NULL;

newdentry = ovl_lookup_temp(workdir, dentry);
err = PTR_ERR(newdentry);
Expand All @@ -272,10 +281,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
if (IS_ERR(upper))
goto out1;

err = security_inode_copy_up(dentry, &new_creds);
if (err < 0)
goto out2;

if (new_creds)
old_creds = override_creds(new_creds);

/* Can't properly set mode on creation because of the umask */
stat->mode &= S_IFMT;
err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
stat->mode = mode;

if (new_creds) {
revert_creds(old_creds);
put_cred(new_creds);
}

if (err)
goto out2;

Expand Down
Loading