Merge tag 'fw-restrict-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into next

11 files changed, 104 insertions, 8 deletions

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 4c3efe434806..d0d0c578324c 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -26,6 +26,7 @@ Description:
                         option: [[appraise_type=]] [permit_directio]
 
                 base:   func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+                                [FIRMWARE_CHECK]
                         mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
                         fsmagic:= hex value
                         fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
@@ -57,7 +58,8 @@ Description:
                         measure func=BPRM_CHECK
                         measure func=FILE_MMAP mask=MAY_EXEC
                         measure func=FILE_CHECK mask=MAY_READ uid=0
-                        measure func=MODULE_CHECK uid=0
+                        measure func=MODULE_CHECK
+                        measure func=FIRMWARE_CHECK
                         appraise fowner=0
 
                 The default policy measures all executables in bprm_check,
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index d276e33880be..63f165c59da8 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -28,6 +28,7 @@
 #include <linux/suspend.h>
 #include <linux/syscore_ops.h>
 #include <linux/reboot.h>
+#include <linux/security.h>
 
 #include <generated/utsrelease.h>
 
@@ -308,12 +309,17 @@ static int fw_read_file_contents(struct file *file, struct firmware_buf *fw_buf)
         if (rc != size) {
                 if (rc > 0)
                         rc = -EIO;
-                vfree(buf);
-                return rc;
+                goto fail;
         }
+        rc = security_kernel_fw_from_file(file, buf, size);
+        if (rc)
+                goto fail;
         fw_buf->data = buf;
         fw_buf->size = size;
         return 0;
+fail:
+        vfree(buf);
+        return rc;
 }
 
 static int fw_get_filesystem_firmware(struct device *device,
@@ -617,6 +623,7 @@ static ssize_t firmware_loading_store(struct device *dev,
 {
         struct firmware_priv *fw_priv = to_firmware_priv(dev);
         struct firmware_buf *fw_buf;
+        ssize_t written = count;
         int loading = simple_strtol(buf, NULL, 10);
         int i;
 
@@ -640,6 +647,8 @@ static ssize_t firmware_loading_store(struct device *dev,
                 break;
         case 0:
                 if (test_bit(FW_STATUS_LOADING, &fw_buf->status)) {
+                        int rc;
+
                         set_bit(FW_STATUS_DONE, &fw_buf->status);
                         clear_bit(FW_STATUS_LOADING, &fw_buf->status);
 
@@ -649,10 +658,23 @@ static ssize_t firmware_loading_store(struct device *dev,
                          * see the mapped 'buf->data' once the loading
                          * is completed.
                          * */
-                        if (fw_map_pages_buf(fw_buf))
+                        rc = fw_map_pages_buf(fw_buf);
+                        if (rc)
                                 dev_err(dev, "%s: map pages failed\n",
                                         __func__);
+                        else
+                                rc = security_kernel_fw_from_file(NULL,
+                                                fw_buf->data, fw_buf->size);
+
+                        /*
+                         * Same logic as fw_load_abort, only the DONE bit
+                         * is ignored and we set ABORT only on failure.
+                         */
                         list_del_init(&fw_buf->pending_list);
+                        if (rc) {
+                                set_bit(FW_STATUS_ABORT, &fw_buf->status);
+                                written = rc;
+                        }
                         complete_all(&fw_buf->completion);
                         break;
                 }
@@ -666,7 +688,7 @@ static ssize_t firmware_loading_store(struct device *dev,
         }
 out:
         mutex_unlock(&fw_lock);
-        return count;
+        return written;
 }
 
 static DEVICE_ATTR(loading, 0644, firmware_loading_show, firmware_loading_store);
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 1b7f268cddce..7cf5e9b32550 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -19,6 +19,7 @@ extern int ima_file_check(struct file *file, int mask);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern int ima_module_check(struct file *file);
+extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -46,6 +47,11 @@ static inline int ima_module_check(struct file *file)
         return 0;
 }
 
+static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
+{
+        return 0;
+}
+
 #endif /* CONFIG_IMA */
 
 #ifdef CONFIG_IMA_APPRAISE
diff --git a/include/linux/security.h b/include/linux/security.h
index 59820f8782a1..0ae4b147718a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -702,6 +702,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @inode points to the inode to use as a reference.
  *      The current task must be the one that nominated @inode.
  *      Return 0 if successful.
+ * @kernel_fw_from_file:
+ *      Load firmware from userspace (not called for built-in firmware).
+ *      @file contains the file structure pointing to the file containing
+ *      the firmware to load. This argument will be NULL if the firmware
+ *      was loaded via the uevent-triggered blob-based interface exposed
+ *      by CONFIG_FW_LOADER_USER_HELPER.
+ *      @buf pointer to buffer containing firmware contents.
+ *      @size length of the firmware contents.
+ *      Return 0 if permission is granted.
  * @kernel_module_request:
  *      Ability to trigger the kernel to automatically upcall to userspace for
  *      userspace to load a kernel module with the given name.
@@ -1568,6 +1577,7 @@ struct security_operations {
         void (*cred_transfer)(struct cred *new, const struct cred *old);
         int (*kernel_act_as)(struct cred *new, u32 secid);
         int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
+        int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
         int (*kernel_module_request)(char *kmod_name);
         int (*kernel_module_from_file)(struct file *file);
         int (*task_fix_setuid) (struct cred *new, const struct cred *old,
@@ -1840,6 +1850,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
 void security_transfer_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
+int security_kernel_fw_from_file(struct file *file, char *buf, size_t size);
 int security_kernel_module_request(char *kmod_name);
 int security_kernel_module_from_file(struct file *file);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
@@ -2366,6 +2377,12 @@ static inline int security_kernel_create_files_as(struct cred *cred,
         return 0;
 }
 
+static inline int security_kernel_fw_from_file(struct file *file,
+                                               char *buf, size_t size)
+{
+        return 0;
+}
+
 static inline int security_kernel_module_request(char *kmod_name)
 {
         return 0;
diff --git a/security/capability.c b/security/capability.c
index e76373de3129..a74fde6a7468 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -401,6 +401,11 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
         return 0;
 }
 
+static int cap_kernel_fw_from_file(struct file *file, char *buf, size_t size)
+{
+        return 0;
+}
+
 static int cap_kernel_module_request(char *kmod_name)
 {
         return 0;
@@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
         set_to_cap_if_null(ops, cred_transfer);
         set_to_cap_if_null(ops, kernel_act_as);
         set_to_cap_if_null(ops, kernel_create_files_as);
+        set_to_cap_if_null(ops, kernel_fw_from_file);
         set_to_cap_if_null(ops, kernel_module_request);
         set_to_cap_if_null(ops, kernel_module_from_file);
         set_to_cap_if_null(ops, task_fix_setuid);
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index c42056edfc97..57da4bd7ba0c 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -158,7 +158,7 @@ struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
 
 /* IMA policy related functions */
-enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, POST_SETATTR };
+enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, FIRMWARE_CHECK, POST_SETATTR };
 
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
                      int flags);
@@ -171,6 +171,7 @@ void ima_delete_rules(void);
 #define IMA_APPRAISE_ENFORCE    0x01
 #define IMA_APPRAISE_FIX        0x02
 #define IMA_APPRAISE_MODULES    0x04
+#define IMA_APPRAISE_FIRMWARE   0x08
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 59ac90275070..86bfd5c5df85 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -75,6 +75,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
                 return iint->ima_bprm_status;
         case MODULE_CHECK:
                 return iint->ima_module_status;
+        case FIRMWARE_CHECK:
+                return iint->ima_firmware_status;
         case FILE_CHECK:
         default:
                 return iint->ima_file_status;
@@ -94,6 +96,9 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
         case MODULE_CHECK:
                 iint->ima_module_status = status;
                 break;
+        case FIRMWARE_CHECK:
+                iint->ima_firmware_status = status;
+                break;
         case FILE_CHECK:
         default:
                 iint->ima_file_status = status;
@@ -113,6 +118,9 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
         case MODULE_CHECK:
                 iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
                 break;
+        case FIRMWARE_CHECK:
+                iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
+                break;
         case FILE_CHECK:
         default:
                 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 0d696431209c..2917f980bf30 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -319,6 +319,17 @@ int ima_module_check(struct file *file)
         return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);
 }
 
+int ima_fw_from_file(struct file *file, char *buf, size_t size)
+{
+        if (!file) {
+                if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+                    (ima_appraise & IMA_APPRAISE_ENFORCE))
+                        return -EACCES; /* INTEGRITY_UNKNOWN */
+                return 0;
+        }
+        return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK);
+}
+
 static int __init init_ima(void)
 {
         int error;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index cea84d8bd7be..07099a8bc283 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -84,6 +84,7 @@ static struct ima_rule_entry default_rules[] = {
         {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID,
          .flags = IMA_FUNC | IMA_MASK | IMA_UID},
         {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
+        {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 };
 
 static struct ima_rule_entry default_appraise_rules[] = {
@@ -241,6 +242,8 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
                 return IMA_BPRM_APPRAISE;
         case MODULE_CHECK:
                 return IMA_MODULE_APPRAISE;
+        case FIRMWARE_CHECK:
+                return IMA_FIRMWARE_APPRAISE;
         case FILE_CHECK:
         default:
                 return IMA_FILE_APPRAISE;
@@ -486,6 +489,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                                 entry->func = FILE_CHECK;
                         else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
                                 entry->func = MODULE_CHECK;
+                        else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
+                                entry->func = FIRMWARE_CHECK;
                         else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
                                 || (strcmp(args[0].from, "MMAP_CHECK") == 0))
                                 entry->func = MMAP_CHECK;
@@ -636,6 +641,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                 result = -EINVAL;
         else if (entry->func == MODULE_CHECK)
                 ima_appraise |= IMA_APPRAISE_MODULES;
+        else if (entry->func == FIRMWARE_CHECK)
+                ima_appraise |= IMA_APPRAISE_FIRMWARE;
         audit_log_format(ab, "res=%d", !result);
         audit_log_end(ab);
         return result;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 09c440d9aaee..19b8e314ca96 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -46,10 +46,14 @@
 #define IMA_BPRM_APPRAISED      0x00002000
 #define IMA_MODULE_APPRAISE     0x00004000
 #define IMA_MODULE_APPRAISED    0x00008000
+#define IMA_FIRMWARE_APPRAISE   0x00010000
+#define IMA_FIRMWARE_APPRAISED  0x00020000
 #define IMA_APPRAISE_SUBMASK    (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
-                                 IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE)
+                                 IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \
+                                 IMA_FIRMWARE_APPRAISE)
 #define IMA_APPRAISED_SUBMASK   (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
-                                 IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED)
+                                 IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \
+                                 IMA_FIRMWARE_APPRAISED)
 
 enum evm_ima_xattr_type {
         IMA_XATTR_DIGEST = 0x01,
@@ -104,6 +108,7 @@ struct integrity_iint_cache {
         enum integrity_status ima_mmap_status:4;
         enum integrity_status ima_bprm_status:4;
         enum integrity_status ima_module_status:4;
+        enum integrity_status ima_firmware_status:4;
         enum integrity_status evm_status:4;
         struct ima_digest_data *ima_hash;
 };
diff --git a/security/security.c b/security/security.c
index 31614e9e96e5..e41b1a8d7644 100644
--- a/security/security.c
+++ b/security/security.c
@@ -845,6 +845,17 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
         return security_ops->kernel_create_files_as(new, inode);
 }
 
+int security_kernel_fw_from_file(struct file *file, char *buf, size_t size)
+{
+        int ret;
+
+        ret = security_ops->kernel_fw_from_file(file, buf, size);
+        if (ret)
+                return ret;
+        return ima_fw_from_file(file, buf, size);
+}
+EXPORT_SYMBOL_GPL(security_kernel_fw_from_file);
+
 int security_kernel_module_request(char *kmod_name)
 {
         return security_ops->kernel_module_request(kmod_name);