LSM: LoadPin for kernel file loading restrictions

This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
author: Kees Cook <keescook@chromium.org> 2016-04-20 18:46:28 -0400
committer: James Morris <james.l.morris@oracle.com> 2016-04-20 20:47:27 -0400
commit: 9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch)
tree: 075fffff80b5caad9738f633c83333dea9e04efd /security/loadpin
parent: 1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 (diff)
3 files changed, 201 insertions, 0 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
new file mode 100644
index 000000000000..c668ac4eda65
--- /dev/null
+++ b/security/loadpin/Kconfig
@@ -0,0 +1,10 @@
+config SECURITY_LOADPIN
+        bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
+        depends on SECURITY && BLOCK
+        help
+          Any files read through the kernel file reading interface
+          (kernel modules, firmware, kexec images, security policy) will
+          be pinned to the first filesystem used for loading. Any files
+          that come from other filesystems will be rejected. This is best
+          used on systems without an initrd that have a root filesystem
+          backed by a read-only device such as dm-verity or a CDROM.
diff --git a/security/loadpin/Makefile b/security/loadpin/Makefile
new file mode 100644
index 000000000000..c2d77f83037b
--- /dev/null
+++ b/security/loadpin/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_SECURITY_LOADPIN) += loadpin.o
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
new file mode 100644
index 000000000000..e4debae3c4d6
--- /dev/null
+++ b/security/loadpin/loadpin.c
@@ -0,0 +1,190 @@
+/*
+ * Module and Firmware Pinning Security Module
+ *
+ * Copyright 2011-2016 Google Inc.
+ *
+ * Author: Kees Cook <keescook@chromium.org>
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+ * may be copied, distributed, and modified under those terms.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#define pr_fmt(fmt) "LoadPin: " fmt
+#include <linux/module.h>
+#include <linux/fs.h>
+#include <linux/fs_struct.h>
+#include <linux/lsm_hooks.h>
+#include <linux/mount.h>
+#include <linux/path.h>
+#include <linux/sched.h>        /* current */
+#include <linux/string_helpers.h>
+static void report_load(const char *origin, struct file *file, char *operation)
+{
+        char *cmdline, *pathname;
+        pathname = kstrdup_quotable_file(file, GFP_KERNEL);
+        cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
+        pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
+                  origin, operation,
+                  (pathname && pathname[0] != '<') ? "\"" : "",
+                  pathname,
+                  (pathname && pathname[0] != '<') ? "\"" : "",
+                  task_pid_nr(current),
+                  cmdline ? "\"" : "", cmdline, cmdline ? "\"" : "");
+        kfree(cmdline);
+        kfree(pathname);
+}
+static int enabled = 1;
+static struct super_block *pinned_root;
+static DEFINE_SPINLOCK(pinned_root_spinlock);
+#ifdef CONFIG_SYSCTL
+static int zero;
+static int one = 1;
+static struct ctl_path loadpin_sysctl_path[] = {
+        { .procname = "kernel", },
+        { .procname = "loadpin", },
+        { }
+};
+static struct ctl_table loadpin_sysctl_table[] = {
+        {
+                .procname       = "enabled",
+                .data           = &enabled,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &zero,
+                .extra2         = &one,
+        },
+        { }
+};
+/*
+ * This must be called after early kernel init, since then the rootdev
+ * is available.
+ */
+static void check_pinning_enforcement(struct super_block *mnt_sb)
+{
+        bool ro = false;
+        /*
+         * If load pinning is not enforced via a read-only block
+         * device, allow sysctl to change modes for testing.
+         */
+        if (mnt_sb->s_bdev) {
+                ro = bdev_read_only(mnt_sb->s_bdev);
+                pr_info("dev(%u,%u): %s\n",
+                        MAJOR(mnt_sb->s_bdev->bd_dev),
+                        MINOR(mnt_sb->s_bdev->bd_dev),
+                        ro ? "read-only" : "writable");
+        } else
+                pr_info("mnt_sb lacks block device, treating as: writable\n");
+        if (!ro) {
+                if (!register_sysctl_paths(loadpin_sysctl_path,
+                                           loadpin_sysctl_table))
+                        pr_notice("sysctl registration failed!\n");
+                else
+                        pr_info("load pinning can be disabled.\n");
+        } else
+                pr_info("load pinning engaged.\n");
+}
+#else
+static void check_pinning_enforcement(struct super_block *mnt_sb)
+{
+        pr_info("load pinning engaged.\n");
+}
+#endif
+static void loadpin_sb_free_security(struct super_block *mnt_sb)
+{
+        /*
+         * When unmounting the filesystem we were using for load
+         * pinning, we acknowledge the superblock release, but make sure
+         * no other modules or firmware can be loaded.
+         */
+        if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
+                pinned_root = ERR_PTR(-EIO);
+                pr_info("umount pinned fs: refusing further loads\n");
+        }
+}
+static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
+{
+        struct super_block *load_root;
+        const char *origin = kernel_read_file_id_str(id);
+        /* This handles the older init_module API that has a NULL file. */
+        if (!file) {
+                if (!enabled) {
+                        report_load(origin, NULL, "old-api-pinning-ignored");
+                        return 0;
+                }
+                report_load(origin, NULL, "old-api-denied");
+                return -EPERM;
+        }
+        load_root = file->f_path.mnt->mnt_sb;
+        /* First loaded module/firmware defines the root for all others. */
+        spin_lock(&pinned_root_spinlock);
+        /*
+         * pinned_root is only NULL at startup. Otherwise, it is either
+         * a valid reference, or an ERR_PTR.
+         */
+        if (!pinned_root) {
+                pinned_root = load_root;
+                /*
+                 * Unlock now since it's only pinned_root we care about.
+                 * In the worst case, we will (correctly) report pinning
+                 * failures before we have announced that pinning is
+                 * enabled. This would be purely cosmetic.
+                 */
+                spin_unlock(&pinned_root_spinlock);
+                check_pinning_enforcement(pinned_root);
+                report_load(origin, file, "pinned");
+        } else {
+                spin_unlock(&pinned_root_spinlock);
+        }
+        if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) {
+                if (unlikely(!enabled)) {
+                        report_load(origin, file, "pinning-ignored");
+                        return 0;
+                }
+                report_load(origin, file, "denied");
+                return -EPERM;
+        }
+        return 0;
+}
+static struct security_hook_list loadpin_hooks[] = {
+        LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
+        LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
+};
+void __init loadpin_add_hooks(void)
+{
+        pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
+        security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks));
+}
+/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
+module_param(enabled, int, 0);
+MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");
author	Kees Cook <keescook@chromium.org>	2016-04-20 18:46:28 -0400
committer	James Morris <james.l.morris@oracle.com>	2016-04-20 20:47:27 -0400
commit	9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch)
tree	075fffff80b5caad9738f633c83333dea9e04efd /security/loadpin
parent	1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 (diff)

diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig new file mode 100644 index 000000000000..c668ac4eda65 --- /dev/null +++ b/security/loadpin/Kconfig
@@ -0,0 +1,10 @@
	1	config SECURITY_LOADPIN
	2	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	3	depends on SECURITY && BLOCK
	4	help
	5	Any files read through the kernel file reading interface
	6	(kernel modules, firmware, kexec images, security policy) will
	7	be pinned to the first filesystem used for loading. Any files
	8	that come from other filesystems will be rejected. This is best
	9	used on systems without an initrd that have a root filesystem
	10	backed by a read-only device such as dm-verity or a CDROM.


diff --git a/security/loadpin/Makefile b/security/loadpin/Makefile new file mode 100644 index 000000000000..c2d77f83037b --- /dev/null +++ b/security/loadpin/Makefile
@@ -0,0 +1 @@
		obj-$(CONFIG_SECURITY_LOADPIN) += loadpin.o


diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c new file mode 100644 index 000000000000..e4debae3c4d6 --- /dev/null +++ b/security/loadpin/loadpin.c
@@ -0,0 +1,190 @@
	1	/*
	2	* Module and Firmware Pinning Security Module
	3	*
	4	* Copyright 2011-2016 Google Inc.
	5	*
	6	* Author: Kees Cook <keescook@chromium.org>
	7	*
	8	* This software is licensed under the terms of the GNU General Public
	9	* License version 2, as published by the Free Software Foundation, and
	10	* may be copied, distributed, and modified under those terms.
	11	*
	12	* This program is distributed in the hope that it will be useful,
	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	* GNU General Public License for more details.
	16	*/
	17
	18	#define pr_fmt(fmt) "LoadPin: " fmt
	19
	20	#include <linux/module.h>
	21	#include <linux/fs.h>
	22	#include <linux/fs_struct.h>
	23	#include <linux/lsm_hooks.h>
	24	#include <linux/mount.h>
	25	#include <linux/path.h>
	26	#include <linux/sched.h> /* current */
	27	#include <linux/string_helpers.h>
	28
	29	static void report_load(const char origin, struct file file, char *operation)
	30	{
	31	char cmdline, pathname;
	32
	33	pathname = kstrdup_quotable_file(file, GFP_KERNEL);
	34	cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
	35
	36	pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
	37	origin, operation,
	38	(pathname && pathname[0] != '<') ? "\"" : "",
	39	pathname,
	40	(pathname && pathname[0] != '<') ? "\"" : "",
	41	task_pid_nr(current),
	42	cmdline ? "\"" : "", cmdline, cmdline ? "\"" : "");
	43
	44	kfree(cmdline);
	45	kfree(pathname);
	46	}
	47
	48	static int enabled = 1;
	49	static struct super_block *pinned_root;
	50	static DEFINE_SPINLOCK(pinned_root_spinlock);
	51
	52	#ifdef CONFIG_SYSCTL
	53	static int zero;
	54	static int one = 1;
	55
	56	static struct ctl_path loadpin_sysctl_path[] = {
	57	{ .procname = "kernel", },
	58	{ .procname = "loadpin", },
	59	{ }
	60	};
	61
	62	static struct ctl_table loadpin_sysctl_table[] = {
	63	{
	64	.procname = "enabled",
	65	.data = &enabled,
	66	.maxlen = sizeof(int),
	67	.mode = 0644,
	68	.proc_handler = proc_dointvec_minmax,
	69	.extra1 = &zero,
	70	.extra2 = &one,
	71	},
	72	{ }
	73	};
	74
	75	/*
	76	* This must be called after early kernel init, since then the rootdev
	77	* is available.
	78	*/
	79	static void check_pinning_enforcement(struct super_block *mnt_sb)
	80	{
	81	bool ro = false;
	82
	83	/*
	84	* If load pinning is not enforced via a read-only block
	85	* device, allow sysctl to change modes for testing.
	86	*/
	87	if (mnt_sb->s_bdev) {
	88	ro = bdev_read_only(mnt_sb->s_bdev);
	89	pr_info("dev(%u,%u): %s\n",
	90	MAJOR(mnt_sb->s_bdev->bd_dev),
	91	MINOR(mnt_sb->s_bdev->bd_dev),
	92	ro ? "read-only" : "writable");
	93	} else
	94	pr_info("mnt_sb lacks block device, treating as: writable\n");
	95
	96	if (!ro) {
	97	if (!register_sysctl_paths(loadpin_sysctl_path,
	98	loadpin_sysctl_table))
	99	pr_notice("sysctl registration failed!\n");
	100	else
	101	pr_info("load pinning can be disabled.\n");
	102	} else
	103	pr_info("load pinning engaged.\n");
	104	}
	105	#else
	106	static void check_pinning_enforcement(struct super_block *mnt_sb)
	107	{
	108	pr_info("load pinning engaged.\n");
	109	}
	110	#endif
	111
	112	static void loadpin_sb_free_security(struct super_block *mnt_sb)
	113	{
	114	/*
	115	* When unmounting the filesystem we were using for load
	116	* pinning, we acknowledge the superblock release, but make sure
	117	* no other modules or firmware can be loaded.
	118	*/
	119	if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
	120	pinned_root = ERR_PTR(-EIO);
	121	pr_info("umount pinned fs: refusing further loads\n");
	122	}
	123	}
	124
	125	static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
	126	{
	127	struct super_block *load_root;
	128	const char *origin = kernel_read_file_id_str(id);
	129
	130	/* This handles the older init_module API that has a NULL file. */
	131	if (!file) {
	132	if (!enabled) {
	133	report_load(origin, NULL, "old-api-pinning-ignored");
	134	return 0;
	135	}
	136
	137	report_load(origin, NULL, "old-api-denied");
	138	return -EPERM;
	139	}
	140
	141	load_root = file->f_path.mnt->mnt_sb;
	142
	143	/* First loaded module/firmware defines the root for all others. */
	144	spin_lock(&pinned_root_spinlock);
	145	/*
	146	* pinned_root is only NULL at startup. Otherwise, it is either
	147	* a valid reference, or an ERR_PTR.
	148	*/
	149	if (!pinned_root) {
	150	pinned_root = load_root;
	151	/*
	152	* Unlock now since it's only pinned_root we care about.
	153	* In the worst case, we will (correctly) report pinning
	154	* failures before we have announced that pinning is
	155	* enabled. This would be purely cosmetic.
	156	*/
	157	spin_unlock(&pinned_root_spinlock);
	158	check_pinning_enforcement(pinned_root);
	159	report_load(origin, file, "pinned");
	160	} else {
	161	spin_unlock(&pinned_root_spinlock);
	162	}
	163
	164	if (IS_ERR_OR_NULL(pinned_root) \|\| load_root != pinned_root) {
	165	if (unlikely(!enabled)) {
	166	report_load(origin, file, "pinning-ignored");
	167	return 0;
	168	}
	169
	170	report_load(origin, file, "denied");
	171	return -EPERM;
	172	}
	173
	174	return 0;
	175	}
	176
	177	static struct security_hook_list loadpin_hooks[] = {
	178	LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
	179	LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
	180	};
	181
	182	void __init loadpin_add_hooks(void)
	183	{
	184	pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
	185	security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks));
	186	}
	187
	188	/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
	189	module_param(enabled, int, 0);
	190	MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");