
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Module and Firmware Pinning Security Module
  4. *
  5. * Copyright 2011-2016 Google Inc.
  6. *
  7. * Author: Kees Cook <keescook@chromium.org>
  8. */
  9. #define pr_fmt(fmt) "LoadPin: " fmt
  10. #include <linux/module.h>
  11. #include <linux/fs.h>
  12. #include <linux/hex.h>
  13. #include <linux/kernel_read_file.h>
  14. #include <linux/lsm_hooks.h>
  15. #include <linux/mount.h>
  16. #include <linux/blkdev.h>
  17. #include <linux/path.h>
  18. #include <linux/sched.h> /* current */
  19. #include <linux/string_helpers.h>
  20. #include <linux/dm-verity-loadpin.h>
  21. #include <uapi/linux/loadpin.h>
  22. #include <uapi/linux/lsm.h>
  23. #define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"
/*
 * report_load - log one pinning decision for a kernel file load
 * @origin:    human-readable name of the load type (kernel_read_file_id_str())
 * @file:      the file being loaded, or NULL for the legacy init_module() path
 * @operation: short verdict string such as "pinned", "denied", "pinning-ignored"
 *
 * The path and the caller's command line are both rendered through the
 * quotable kstrdup helpers. A path starting with '<' is presumably a
 * placeholder rather than a real path (confirm against
 * kstrdup_quotable_file()) and is therefore printed without quotes; a
 * NULL result from either helper is printed unquoted as well.
 */
static void report_load(const char *origin, struct file *file, char *operation)
{
	char *pathname = kstrdup_quotable_file(file, GFP_KERNEL);
	char *cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
	const char *path_quote = "";
	const char *cmd_quote = "";

	if (pathname && pathname[0] != '<')
		path_quote = "\"";
	if (cmdline)
		cmd_quote = "\"";

	pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
		  origin, operation,
		  path_quote, pathname, path_quote,
		  task_pid_nr(current),
		  cmd_quote, cmdline, cmd_quote);

	kfree(cmdline);
	kfree(pathname);
}
/*
 * 1: refuse loads from outside the pinned root; 0: only log them.
 * Boot default comes from Kconfig; also a module parameter and, under
 * CONFIG_SYSCTL, the kernel/loadpin/enforce sysctl.
 */
static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
/* Raw strings from the "exclude" module parameter, consumed by parse_exclude(). */
static char *exclude_read_files[READING_MAX_ID];
/* Per kernel_read_file_id flag: non-zero means loadpin_check() skips pinning for it. */
static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
/*
 * NULL until the first load (or after a non-enforcing umount of the pinned
 * fs); then the superblock all loads are pinned to, or an ERR_PTR once an
 * enforcing umount has poisoned it so that every further load is refused.
 */
static struct super_block *pinned_root;
/* Serialises the one-time assignment of pinned_root in loadpin_check(). */
static DEFINE_SPINLOCK(pinned_root_spinlock);
#ifdef CONFIG_SECURITY_LOADPIN_VERITY
/* Set once a digest file failed to load; blocks all later attempts (fail closed). */
static bool deny_reading_verity_digests;
#endif
/*
 * initialized to false. Records whether the pinned root's block device was
 * writable at pin time; while false, the enforce sysctl refuses writes.
 */
static bool loadpin_root_writable;
  49. #ifdef CONFIG_SYSCTL
/*
 * proc_handler_loadpin - sysctl handler for kernel/loadpin/enforce
 *
 * Reads always go through. Writes are only honoured while
 * loadpin_root_writable is true, i.e. after a pin onto a writable block
 * device; before the first pin (the flag starts false) and after pinning
 * to a read-only root the enforce setting is frozen, so the pin cannot be
 * relaxed from userspace. The actual range-checked update is delegated to
 * proc_dointvec_minmax() with the 0..1 bounds from the table entry.
 *
 * Returns -EINVAL for a refused write, otherwise whatever
 * proc_dointvec_minmax() returns.
 */
static int proc_handler_loadpin(const struct ctl_table *table, int dir,
				void *buffer, size_t *lenp, loff_t *ppos)
{
	int rc = -EINVAL;

	if (loadpin_root_writable || !SYSCTL_USER_TO_KERN(dir))
		rc = proc_dointvec_minmax(table, dir, buffer, lenp, ppos);

	return rc;
}
/*
 * kernel/loadpin/enforce: world-readable, root-writable, clamped to 0..1.
 * The handler may still reject writes; see proc_handler_loadpin().
 */
static const struct ctl_table loadpin_sysctl_table[] = {
{
.procname = "enforce",
.data = &enforce,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_handler_loadpin,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
};
  68. #endif
/*
 * report_writable - log the writability of the freshly pinned root
 * @mnt_sb:   the superblock that has just become pinned_root
 * @writable: result of sb_is_writable() for it
 *
 * Prints the backing block device (name and major:minor) when there is
 * one; a superblock with no block device is reported as writable. A
 * read-only root additionally logs "load pinning engaged."
 */
static void report_writable(struct super_block *mnt_sb, bool writable)
{
	struct block_device *bdev = mnt_sb->s_bdev;

	if (!bdev) {
		pr_info("mnt_sb lacks block device, treating as: writable\n");
	} else {
		pr_info("%pg (%u:%u): %s\n", bdev,
			MAJOR(bdev->bd_dev), MINOR(bdev->bd_dev),
			writable ? "writable" : "read-only");
	}

	if (!writable)
		pr_info("load pinning engaged.\n");
}
/*
 * sb_is_writable - can the contents of @mnt_sb be changed on disk?
 *
 * True unless the superblock sits on a block device that reports itself
 * read-only; a superblock with no block device is treated as writable.
 * This must be called after early kernel init, since then the rootdev
 * is available.
 */
static bool sb_is_writable(struct super_block *mnt_sb)
{
	if (!mnt_sb->s_bdev)
		return true;

	return !bdev_read_only(mnt_sb->s_bdev);
}
/*
 * loadpin_sb_free_security - react to the pinned superblock going away
 * @mnt_sb: the superblock being released
 *
 * Superblocks other than the pinned one are ignored. When the pinned fs
 * is unmounted in enforcing mode, pinned_root is poisoned with an ERR_PTR
 * so that loadpin_check() refuses every further load; otherwise the pin
 * is simply dropped and the next load may establish a new root.
 *
 * NOTE(review): pinned_root is rewritten here without taking
 * pinned_root_spinlock, unlike the assignment in loadpin_check();
 * presumably safe because a superblock being freed cannot be the origin
 * of a concurrent load — confirm.
 */
static void loadpin_sb_free_security(struct super_block *mnt_sb)
{
	if (IS_ERR_OR_NULL(pinned_root) || mnt_sb != pinned_root)
		return;

	if (!enforce) {
		pinned_root = NULL;
		return;
	}

	pinned_root = ERR_PTR(-EIO);
	pr_info("umount pinned fs: refusing further loads\n");
}
/*
 * loadpin_try_pin_root - make @candidate the pinned root if none is set
 *
 * pinned_root is only NULL at startup or when the pinned root has been
 * unmounted while not in enforcing mode; otherwise it is a live superblock
 * or an ERR_PTR and is left alone. Returns true when this call did the pin.
 */
static bool loadpin_try_pin_root(struct super_block *candidate)
{
	bool pinned_now = false;

	spin_lock(&pinned_root_spinlock);
	if (!pinned_root) {
		pinned_root = candidate;
		pinned_now = true;
	}
	spin_unlock(&pinned_root_spinlock);

	return pinned_now;
}

/*
 * loadpin_check - decide whether a kernel-initiated file load is allowed
 * @file: the file being read, or NULL for the legacy init_module() path
 * @id:   what kind of object is being loaded
 *
 * The first file ever loaded defines the pinned root (its superblock).
 * Every later load must come from that same superblock, or from a block
 * device that dm-verity-loadpin reports as trusted. Ids excluded through
 * the "exclude" parameter bypass pinning entirely, and a NULL file (old
 * API) can never be pinned. In non-enforcing mode every verdict is logged
 * but the load is still allowed.
 *
 * Returns 0 to allow the load, -EPERM to deny it.
 */
static int loadpin_check(struct file *file, enum kernel_read_file_id id)
{
	const char *origin = kernel_read_file_id_str(id);
	struct super_block *load_root;
	bool trusted;

	/* Excluded ids are logged and waved through. */
	if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
	    ignore_read_file_id[id]) {
		report_load(origin, file, "pinning-excluded");
		return 0;
	}

	/* Old init_module API: no file, so no origin to pin. */
	if (!file) {
		if (enforce) {
			report_load(origin, NULL, "old-api-denied");
			return -EPERM;
		}
		report_load(origin, NULL, "old-api-pinning-ignored");
		return 0;
	}

	load_root = file->f_path.mnt->mnt_sb;

	/* The first loaded module/firmware defines the root for all others. */
	if (loadpin_try_pin_root(load_root)) {
		loadpin_root_writable = sb_is_writable(pinned_root);
		report_writable(pinned_root, loadpin_root_writable);
		report_load(origin, file, "pinned");
	}

	/* An ERR_PTR (poisoned by an enforcing umount) trusts nothing. */
	if (IS_ERR_OR_NULL(pinned_root))
		trusted = false;
	else if (load_root == pinned_root)
		trusted = true;
	else
		trusted = dm_verity_loadpin_is_bdev_trusted(load_root->s_bdev);

	if (trusted)
		return 0;

	if (unlikely(!enforce)) {
		report_load(origin, file, "pinning-ignored");
		return 0;
	}

	report_load(origin, file, "denied");
	return -EPERM;
}
/*
 * loadpin_read_file - kernel_read_file LSM hook
 *
 * Pinning is decided purely by where @file lives, so whether its full
 * @contents are available makes no difference; the verdict is delegated
 * unchanged to loadpin_check().
 */
static int loadpin_read_file(struct file *file, enum kernel_read_file_id id,
			     bool contents)
{
	return loadpin_check(file, id);
}
/*
 * loadpin_load_data - kernel_load_data LSM hook
 *
 * No file is involved, so loadpin_check() takes its NULL-file (old API)
 * path and @contents is irrelevant. The kernel_load_data_id is passed as
 * its kernel_read_file_id counterpart, matching the existing cast.
 */
static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
{
	enum kernel_read_file_id read_id = (enum kernel_read_file_id) id;

	return loadpin_check(NULL, read_id);
}
/* Identity passed to the LSM framework together with the hook list below. */
static const struct lsm_id loadpin_lsmid = {
.name = "loadpin",
.id = LSM_ID_LOADPIN,
};
/*
 * Three hooks cover the module: superblock release (to poison or drop the
 * pin) and the two kernel-initiated load paths that feed loadpin_check().
 */
static struct security_hook_list loadpin_hooks[] __ro_after_init = {
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
};
/*
 * parse_exclude - translate the "exclude" parameter into ignore_read_file_id[]
 *
 * Each string supplied via the module parameter is compared against the
 * kernel_read_file_str[] names; every id whose name matches is marked so
 * that loadpin_check() skips pinning for it. Runs once at init, which is
 * why ignore_read_file_id[] can be __ro_after_init.
 */
static void __init parse_exclude(void)
{
	size_t idx, id;

	/*
	 * Make sure all the arrays stay within expected sizes. This
	 * is slightly weird because kernel_read_file_str[] includes
	 * READING_MAX_ID, which isn't actually meaningful here.
	 */
	BUILD_BUG_ON(ARRAY_SIZE(exclude_read_files) !=
		     ARRAY_SIZE(ignore_read_file_id));
	BUILD_BUG_ON(ARRAY_SIZE(kernel_read_file_str) <
		     ARRAY_SIZE(ignore_read_file_id));

	for (idx = 0; idx < ARRAY_SIZE(exclude_read_files); idx++) {
		const char *name = exclude_read_files[idx];

		/* Unused slots are NULL; an empty string is just skipped. */
		if (!name)
			break;
		if (!*name)
			continue;

		for (id = 0; id < ARRAY_SIZE(ignore_read_file_id); id++) {
			if (strcmp(name, kernel_read_file_str[id]) != 0)
				continue;

			pr_info("excluding: %s\n", kernel_read_file_str[id]);
			ignore_read_file_id[id] = 1;
			/*
			 * Keep scanning: one read_file_str may map to
			 * more than one read_file_id.
			 */
		}
	}
}
/*
 * loadpin_init - LSM init: parse exclusions, register sysctl and hooks
 *
 * A failed sysctl registration is only logged; pinning itself does not
 * depend on the knob. Always returns 0.
 */
static int __init loadpin_init(void)
{
	const char *state = enforce ? "" : "not ";

	pr_info("ready to pin (currently %senforcing)\n", state);
	parse_exclude();
#ifdef CONFIG_SYSCTL
	if (!register_sysctl("kernel/loadpin", loadpin_sysctl_table))
		pr_notice("sysctl registration failed!\n");
#endif
	security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks),
			   &loadpin_lsmid);

	return 0;
}
  231. #ifdef CONFIG_SECURITY_LOADPIN_VERITY
/* Index stored as the private data of each securityfs entry LoadPin creates. */
enum loadpin_securityfs_interface_index {
LOADPIN_DM_VERITY,
};
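/*
 * read_trusted_verity_root_digests - install the trusted dm-verity digest list
 * @fd: descriptor of the digest file, looked up in the calling task's table
 *
 * The file is read with kernel_read_file() under READING_POLICY, so it is
 * presumably subject to the same LSM read hooks as other policy files,
 * loadpin_check() included — confirm in the kernel_read_file() path. Its
 * first line must equal VERITY_DIGEST_FILE_HEADER; each further line is a
 * hex-encoded root digest. The whole file must fit in SZ_4K - 1 bytes.
 *
 * The list can be installed exactly once. Any failure after the
 * permission checks empties the list and sets deny_reading_verity_digests,
 * so no later attempt can succeed (fail closed).
 *
 * Returns 0 on success; -EPERM if already installed or permanently denied;
 * -EINVAL for a bad fd; -ENOMEM; -EPROTO for a malformed file; or the
 * error from kernel_read_file().
 */
static int read_trusted_verity_root_digests(unsigned int fd)
{
	void *data;
	int rc;
	char *p, *d;

	if (deny_reading_verity_digests)
		return -EPERM;

	/* The list of trusted root digests can only be set up once */
	if (!list_empty(&dm_verity_loadpin_trusted_root_digests))
		return -EPERM;

	CLASS(fd, f)(fd);
	if (fd_empty(f))
		return -EINVAL;

	data = kzalloc(SZ_4K, GFP_KERNEL);
	if (!data) {
		rc = -ENOMEM;
		goto err;
	}

	/* Bounded read into the preallocated buffer; rc is the byte count. */
	rc = kernel_read_file(fd_file(f), 0, (void **)&data, SZ_4K - 1, NULL, READING_POLICY);
	if (rc < 0)
		goto err;

	/*
	 * SZ_4K - 1 leaves room for the terminator. A single strim() is
	 * enough: it trims trailing whitespace in place and returns the
	 * first non-space character (the original called it twice).
	 */
	p = data;
	p[rc] = '\0';
	p = strim(data);

	while ((d = strsep(&p, "\n")) != NULL) {
		int len;
		struct dm_verity_loadpin_trusted_root_digest *trd;

		if (d == data) {
			/*
			 * First line, validate header. d == data only holds
			 * when the file has no leading whitespace; otherwise
			 * the header line is parsed as a digest below and is
			 * rejected there instead.
			 */
			if (strcmp(d, VERITY_DIGEST_FILE_HEADER)) {
				rc = -EPROTO;
				goto err;
			}

			continue;
		}

		/* Hex digests must have an even number of characters. */
		len = strlen(d);
		if (len % 2) {
			rc = -EPROTO;
			goto err;
		}

		len /= 2;

		/*
		 * NOTE(review): an empty line passes the parity check and
		 * installs a zero-length entry; whether
		 * dm_verity_loadpin_is_bdev_trusted() could ever match it is
		 * decided in dm-verity-loadpin — confirm.
		 */
		trd = kzalloc_flex(*trd, data, len);
		if (!trd) {
			rc = -ENOMEM;
			goto err;
		}

		trd->len = len;

		if (hex2bin(trd->data, d, len)) {
			kfree(trd);
			rc = -EPROTO;
			goto err;
		}

		list_add_tail(&trd->node, &dm_verity_loadpin_trusted_root_digests);
	}

	/* A header with no digests is not a usable policy. */
	if (list_empty(&dm_verity_loadpin_trusted_root_digests)) {
		rc = -EPROTO;
		goto err;
	}

	kfree(data);

	return 0;

err:
	kfree(data);

	/* any failure in loading/parsing invalidates the entire list */
	{
		struct dm_verity_loadpin_trusted_root_digest *trd, *tmp;

		list_for_each_entry_safe(trd, tmp, &dm_verity_loadpin_trusted_root_digests, node) {
			list_del(&trd->node);
			kfree(trd);
		}
	}

	/* disallow further attempts after reading a corrupt/invalid file */
	deny_reading_verity_digests = true;

	return rc;
}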
  310. /******************************** securityfs ********************************/
/*
 * dm_verity_ioctl - ioctl handler for the securityfs "dm-verity" entry
 *
 * The only supported command, LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS,
 * takes a file descriptor (not a path) from userspace and hands it to
 * read_trusted_verity_root_digests(). Access control is the 0600 mode of
 * the securityfs entry plus the once-only rule enforced by that function.
 *
 * Returns -EINVAL for any other command, -EFAULT if the descriptor cannot
 * be copied in, otherwise the result of the digest load.
 */
static long dm_verity_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
	void __user *uarg = (void __user *)arg;
	unsigned int fd;

	if (cmd != LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS)
		return -EINVAL;

	if (copy_from_user(&fd, uarg, sizeof(fd)))
		return -EFAULT;

	return read_trusted_verity_root_digests(fd);
}
/* Only ioctl is supported; compat callers go through the generic pointer shim. */
static const struct file_operations loadpin_dm_verity_ops = {
.unlocked_ioctl = dm_verity_ioctl,
.compat_ioctl = compat_ptr_ioctl,
};
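/**
 * init_loadpin_securityfs - create the securityfs directory for LoadPin
 *
 * We can not put this method normally under the loadpin_init() code path since
 * the security subsystem gets initialized before the vfs caches.
 *
 * The "dm-verity" entry is created with mode 0600, so only its owner can
 * open it and issue the digest ioctl.
 *
 * Returns 0 if the securityfs directory creation was successful, otherwise
 * the negative error reported by securityfs.
 */
static int __init init_loadpin_securityfs(void)
{
	struct dentry *loadpin_dir, *dentry;

	loadpin_dir = securityfs_create_dir("loadpin", NULL);
	if (IS_ERR(loadpin_dir)) {
		/* pr_fmt already prefixes "LoadPin: "; repeating it doubled the tag. */
		pr_err("could not create securityfs dir: %ld\n",
		       PTR_ERR(loadpin_dir));
		return PTR_ERR(loadpin_dir);
	}

	dentry = securityfs_create_file("dm-verity", 0600, loadpin_dir,
					(void *)LOADPIN_DM_VERITY, &loadpin_dm_verity_ops);
	if (IS_ERR(dentry)) {
		pr_err("could not create securityfs entry 'dm-verity': %ld\n",
		       PTR_ERR(dentry));
		return PTR_ERR(dentry);
	}

	return 0;
}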
  354. #endif /* CONFIG_SECURITY_LOADPIN_VERITY */
/*
 * LSM registration. The securityfs entry is set up via initcall_fs
 * rather than init, because the vfs caches do not exist yet at LSM init.
 */
DEFINE_LSM(loadpin) = {
.id = &loadpin_lsmid,
.init = loadpin_init,
#ifdef CONFIG_SECURITY_LOADPIN_VERITY
.initcall_fs = init_loadpin_securityfs,
#endif /* CONFIG_SECURITY_LOADPIN_VERITY */
};
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
module_param(enforce, int, 0);
MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
/* Comma-separated kernel_read_file_str[] names; resolved once by parse_exclude(). */
module_param_array_named(exclude, exclude_read_files, charp, NULL, 0);
MODULE_PARM_DESC(exclude, "Exclude pinning specific read file types");