Commit 9e47d31d authored by Matthew Garrett's avatar Matthew Garrett Committed by James Morris

security: Add a "locked down" LSM hook

Add a mechanism to allow LSMs to make a policy decision around whether
kernel functionality that would allow tampering with or examining the
runtime state of the kernel should be permitted.
Signed-off-by: default avatarMatthew Garrett <mjg59@google.com>
Acked-by: default avatarKees Cook <keescook@chromium.org>
Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent e6b1db98
...@@ -1446,6 +1446,11 @@ ...@@ -1446,6 +1446,11 @@
* @bpf_prog_free_security: * @bpf_prog_free_security:
* Clean up the security information stored inside bpf prog. * Clean up the security information stored inside bpf prog.
* *
* @locked_down
* Determine whether a kernel feature that potentially enables arbitrary
* code execution in kernel space should be permitted.
*
* @what: kernel feature being accessed
*/ */
union security_list_options { union security_list_options {
int (*binder_set_context_mgr)(struct task_struct *mgr); int (*binder_set_context_mgr)(struct task_struct *mgr);
...@@ -1807,6 +1812,7 @@ union security_list_options { ...@@ -1807,6 +1812,7 @@ union security_list_options {
int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux); int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
#endif /* CONFIG_BPF_SYSCALL */ #endif /* CONFIG_BPF_SYSCALL */
int (*locked_down)(enum lockdown_reason what);
}; };
struct security_hook_heads { struct security_hook_heads {
...@@ -2046,6 +2052,7 @@ struct security_hook_heads { ...@@ -2046,6 +2052,7 @@ struct security_hook_heads {
struct hlist_head bpf_prog_alloc_security; struct hlist_head bpf_prog_alloc_security;
struct hlist_head bpf_prog_free_security; struct hlist_head bpf_prog_free_security;
#endif /* CONFIG_BPF_SYSCALL */ #endif /* CONFIG_BPF_SYSCALL */
struct hlist_head locked_down;
} __randomize_layout; } __randomize_layout;
/* /*
......
...@@ -77,6 +77,33 @@ enum lsm_event { ...@@ -77,6 +77,33 @@ enum lsm_event {
LSM_POLICY_CHANGE, LSM_POLICY_CHANGE,
}; };
/*
* These are reasons that can be passed to the security_locked_down()
* LSM hook. Lockdown reasons that protect kernel integrity (ie, the
* ability for userland to modify kernel code) are placed before
* LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel
* confidentiality (ie, the ability for userland to extract
* information from the running kernel that would otherwise be
* restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX.
*
* LSM authors should note that the semantics of any given lockdown
* reason are not guaranteed to be stable - the same reason may block
* one set of features in one kernel release, and a slightly different
* set of features in a later kernel release. LSMs that seek to expose
* lockdown policy at any level of granularity other than "none",
* "integrity" or "confidentiality" are responsible for either
* ensuring that they expose a consistent level of functionality to
* userland, or ensuring that userland is aware that this is
* potentially a moving target. It is easy to misuse this information
* in a way that could break userspace. Please be careful not to do
* so.
*/
enum lockdown_reason {
LOCKDOWN_NONE,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_CONFIDENTIALITY_MAX,
};
/* These functions are in security/commoncap.c */ /* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns, extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts); int cap, unsigned int opts);
...@@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode); ...@@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
#else /* CONFIG_SECURITY */ #else /* CONFIG_SECURITY */
static inline int call_lsm_notifier(enum lsm_event event, void *data) static inline int call_lsm_notifier(enum lsm_event event, void *data)
...@@ -1210,6 +1238,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 ...@@ -1210,6 +1238,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
{ {
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
#endif /* CONFIG_SECURITY */ #endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK #ifdef CONFIG_SECURITY_NETWORK
......
...@@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) ...@@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
call_void_hook(bpf_prog_free_security, aux); call_void_hook(bpf_prog_free_security, aux);
} }
#endif /* CONFIG_BPF_SYSCALL */ #endif /* CONFIG_BPF_SYSCALL */
int security_locked_down(enum lockdown_reason what)
{
return call_int_hook(locked_down, 0, what);
}
EXPORT_SYMBOL(security_locked_down);
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment