2019-08-20 03:17:39 +03:00
// SPDX-License-Identifier: GPL-2.0
/* Lock down the kernel
*
* Copyright ( C ) 2016 Red Hat , Inc . All Rights Reserved .
* Written by David Howells ( dhowells @ redhat . com )
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation ; either version
* 2 of the Licence , or ( at your option ) any later version .
*/
# include <linux/security.h>
# include <linux/export.h>
# include <linux/lsm_hooks.h>
2023-09-12 23:56:46 +03:00
# include <uapi/linux/lsm.h>
2019-08-20 03:17:39 +03:00
static enum lockdown_reason kernel_locked_down ;
2019-09-10 13:03:17 +03:00
static const enum lockdown_reason lockdown_levels [ ] = { LOCKDOWN_NONE ,
2019-08-20 03:17:39 +03:00
LOCKDOWN_INTEGRITY_MAX ,
LOCKDOWN_CONFIDENTIALITY_MAX } ;
/*
* Put the kernel into lock - down mode .
*/
static int lock_kernel_down ( const char * where , enum lockdown_reason level )
{
if ( kernel_locked_down > = level )
return - EPERM ;
kernel_locked_down = level ;
pr_notice ( " Kernel is locked down from %s; see man kernel_lockdown.7 \n " ,
where ) ;
return 0 ;
}
static int __init lockdown_param ( char * level )
{
if ( ! level )
return - EINVAL ;
if ( strcmp ( level , " integrity " ) = = 0 )
lock_kernel_down ( " command line " , LOCKDOWN_INTEGRITY_MAX ) ;
else if ( strcmp ( level , " confidentiality " ) = = 0 )
lock_kernel_down ( " command line " , LOCKDOWN_CONFIDENTIALITY_MAX ) ;
else
return - EINVAL ;
return 0 ;
}
early_param ( " lockdown " , lockdown_param ) ;
/**
* lockdown_is_locked_down - Find out if the kernel is locked down
* @ what : Tag to use in notice generated if lockdown is in effect
*/
static int lockdown_is_locked_down ( enum lockdown_reason what )
{
2019-08-20 03:18:05 +03:00
if ( WARN ( what > = LOCKDOWN_CONFIDENTIALITY_MAX ,
" Invalid lockdown reason " ) )
return - EPERM ;
2019-08-20 03:17:39 +03:00
if ( kernel_locked_down > = what ) {
if ( lockdown_reasons [ what ] )
2022-09-09 01:02:22 +03:00
pr_notice_ratelimited ( " Lockdown: %s: %s is restricted; see man kernel_lockdown.7 \n " ,
2019-08-20 03:18:05 +03:00
current - > comm , lockdown_reasons [ what ] ) ;
2019-08-20 03:17:39 +03:00
return - EPERM ;
}
return 0 ;
}
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several
years, we're finally at a place where we can disable the SELinux
runtime disable functionality. The existing kernel deprecation
notice explains the functionality and why we want to remove it:
The selinuxfs "disable" node allows SELinux to be disabled at
runtime prior to a policy being loaded into the kernel. If
disabled via this mechanism, SELinux will remain disabled until
the system is rebooted.
The preferred method of disabling SELinux is via the "selinux=0"
boot parameter, but the selinuxfs "disable" node was created to
make it easier for systems with primitive bootloaders that did not
allow for easy modification of the kernel command line.
Unfortunately, allowing for SELinux to be disabled at runtime makes
it difficult to secure the kernel's LSM hooks using the
"__ro_after_init" feature.
It is that last sentence, mentioning the '__ro_after_init' hardening,
which is the real motivation for this change, and if you look at the
diffstat you'll see that the impact of this patch reaches across all
the different LSMs, helping prevent tampering at the LSM hook level.
From a SELinux perspective, it is important to note that if you
continue to disable SELinux via "/etc/selinux/config" it may appear
that SELinux is disabled, but it is simply in an uninitialized state.
If you load a policy with `load_policy -i`, you will see SELinux
come alive just as if you had loaded the policy during early-boot.
It is also worth noting that the "/sys/fs/selinux/disable" file is
always writable now, regardless of the Kconfig settings, but writing
to the file has no effect on the system, other than to display an
error on the console if a non-zero/true value is written.
Finally, in the several years where we have been working on
deprecating this functionality, there has only been one instance of
someone mentioning any user visible breakage. In this particular
case it was an individual's kernel test system, and the workaround
documented in the deprecation notice ("selinux=0" on the kernel
command line) resolved the issue without problem.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-17 19:43:07 +03:00
static struct security_hook_list lockdown_hooks [ ] __ro_after_init = {
2019-08-20 03:17:39 +03:00
LSM_HOOK_INIT ( locked_down , lockdown_is_locked_down ) ,
} ;
2023-09-12 23:56:46 +03:00
const struct lsm_id lockdown_lsmid = {
. name = " lockdown " ,
. id = LSM_ID_LOCKDOWN ,
} ;
2019-08-20 03:17:39 +03:00
static int __init lockdown_lsm_init ( void )
{
# if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY)
lock_kernel_down ( " Kernel configuration " , LOCKDOWN_INTEGRITY_MAX ) ;
# elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY)
lock_kernel_down ( " Kernel configuration " , LOCKDOWN_CONFIDENTIALITY_MAX ) ;
# endif
security_add_hooks ( lockdown_hooks , ARRAY_SIZE ( lockdown_hooks ) ,
2023-09-12 23:56:46 +03:00
& lockdown_lsmid ) ;
2019-08-20 03:17:39 +03:00
return 0 ;
}
static ssize_t lockdown_read ( struct file * filp , char __user * buf , size_t count ,
loff_t * ppos )
{
char temp [ 80 ] ;
int i , offset = 0 ;
for ( i = 0 ; i < ARRAY_SIZE ( lockdown_levels ) ; i + + ) {
enum lockdown_reason level = lockdown_levels [ i ] ;
if ( lockdown_reasons [ level ] ) {
const char * label = lockdown_reasons [ level ] ;
if ( kernel_locked_down = = level )
offset + = sprintf ( temp + offset , " [%s] " , label ) ;
else
offset + = sprintf ( temp + offset , " %s " , label ) ;
}
}
/* Convert the last space to a newline if needed. */
if ( offset > 0 )
temp [ offset - 1 ] = ' \n ' ;
return simple_read_from_buffer ( buf , count , ppos , temp , strlen ( temp ) ) ;
}
static ssize_t lockdown_write ( struct file * file , const char __user * buf ,
size_t n , loff_t * ppos )
{
char * state ;
int i , len , err = - EINVAL ;
state = memdup_user_nul ( buf , n ) ;
if ( IS_ERR ( state ) )
return PTR_ERR ( state ) ;
len = strlen ( state ) ;
if ( len & & state [ len - 1 ] = = ' \n ' ) {
state [ len - 1 ] = ' \0 ' ;
len - - ;
}
for ( i = 0 ; i < ARRAY_SIZE ( lockdown_levels ) ; i + + ) {
enum lockdown_reason level = lockdown_levels [ i ] ;
const char * label = lockdown_reasons [ level ] ;
if ( label & & ! strcmp ( state , label ) )
err = lock_kernel_down ( " securityfs " , level ) ;
}
kfree ( state ) ;
return err ? err : n ;
}
static const struct file_operations lockdown_ops = {
. read = lockdown_read ,
. write = lockdown_write ,
} ;
static int __init lockdown_secfs_init ( void )
{
struct dentry * dentry ;
2020-05-14 17:05:46 +03:00
dentry = securityfs_create_file ( " lockdown " , 0644 , NULL , NULL ,
2019-08-20 03:17:39 +03:00
& lockdown_ops ) ;
return PTR_ERR_OR_ZERO ( dentry ) ;
}
core_initcall ( lockdown_secfs_init ) ;
# ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
DEFINE_EARLY_LSM ( lockdown ) = {
# else
DEFINE_LSM ( lockdown ) = {
# endif
. name = " lockdown " ,
. init = lockdown_lsm_init ,
} ;