security: Add a "locked down" LSM hook

Add a mechanism to allow LSMs to make a policy decision around whether
kernel functionality that would allow tampering with or examining the
runtime state of the kernel should be permitted.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Matthew Garrett 2019-08-19 17:17:38 -07:00 committed by James Morris
parent e6b1db98cf
commit 9e47d31d6a
3 changed files with 45 additions and 0 deletions

View File

@ -1446,6 +1446,11 @@
* @bpf_prog_free_security:
* Clean up the security information stored inside bpf prog.
*
* @locked_down
* Determine whether a kernel feature that potentially enables arbitrary
* code execution in kernel space should be permitted.
*
* @what: kernel feature being accessed
*/
union security_list_options {
int (*binder_set_context_mgr)(struct task_struct *mgr);
@ -1807,6 +1812,7 @@ union security_list_options {
int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
#endif /* CONFIG_BPF_SYSCALL */
int (*locked_down)(enum lockdown_reason what);
};
struct security_hook_heads {
@ -2046,6 +2052,7 @@ struct security_hook_heads {
struct hlist_head bpf_prog_alloc_security;
struct hlist_head bpf_prog_free_security;
#endif /* CONFIG_BPF_SYSCALL */
struct hlist_head locked_down;
} __randomize_layout;
/*

View File

@ -77,6 +77,33 @@ enum lsm_event {
LSM_POLICY_CHANGE,
};
/*
* These are reasons that can be passed to the security_locked_down()
* LSM hook. Lockdown reasons that protect kernel integrity (ie, the
* ability for userland to modify kernel code) are placed before
* LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel
* confidentiality (ie, the ability for userland to extract
* information from the running kernel that would otherwise be
* restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX.
*
* LSM authors should note that the semantics of any given lockdown
* reason are not guaranteed to be stable - the same reason may block
* one set of features in one kernel release, and a slightly different
* set of features in a later kernel release. LSMs that seek to expose
* lockdown policy at any level of granularity other than "none",
* "integrity" or "confidentiality" are responsible for either
* ensuring that they expose a consistent level of functionality to
* userland, or ensuring that userland is aware that this is
* potentially a moving target. It is easy to misuse this information
* in a way that could break userspace. Please be careful not to do
* so.
*/
enum lockdown_reason {
LOCKDOWN_NONE,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_CONFIDENTIALITY_MAX,
};
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
@ -393,6 +420,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
#else /* CONFIG_SECURITY */
static inline int call_lsm_notifier(enum lsm_event event, void *data)
@ -1210,6 +1238,10 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
{
return -EOPNOTSUPP;
}
static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK

View File

@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
call_void_hook(bpf_prog_free_security, aux);
}
#endif /* CONFIG_BPF_SYSCALL */
int security_locked_down(enum lockdown_reason what)
{
return call_int_hook(locked_down, 0, what);
}
EXPORT_SYMBOL(security_locked_down);