// SPDX-License-Identifier: GPL-2.0-only
/*
 * Module and Firmware Pinning Security Module
 *
 * Copyright 2011-2016 Google Inc.
 *
 * Author: Kees Cook <keescook@chromium.org>
 */
9 | |
10 | #define pr_fmt(fmt) "LoadPin: " fmt |
11 | |
12 | #include <linux/module.h> |
13 | #include <linux/fs.h> |
14 | #include <linux/kernel_read_file.h> |
15 | #include <linux/lsm_hooks.h> |
16 | #include <linux/mount.h> |
17 | #include <linux/blkdev.h> |
18 | #include <linux/path.h> |
19 | #include <linux/sched.h> /* current */ |
20 | #include <linux/string_helpers.h> |
21 | #include <linux/dm-verity-loadpin.h> |
22 | #include <uapi/linux/loadpin.h> |
23 | |
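/*
 * Mandatory first line of the trusted root digest file consumed by
 * read_trusted_verity_root_digests(); it is compared with strcmp(), so it
 * must match exactly (no trailing whitespace survives strim(), but nothing
 * else may differ).
 */
#define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"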
25 | |
/*
 * report_load - log one load decision as a single pr_notice() line
 * @origin: kernel_read_file_id string naming the kind of load
 * @file: the file being loaded, or NULL on the old init_module() path
 * @operation: the decision taken, e.g. "pinned" or "denied"
 *
 * The quoted pathname and command line are GFP_KERNEL allocations that are
 * freed before return. Either may be NULL on allocation failure, in which
 * case it is printed without surrounding quotes. Pathnames beginning with
 * '<' (presumably placeholder names rather than real paths) are also
 * printed bare.
 */
static void report_load(const char *origin, struct file *file, char *operation)
{
	char *pathname = kstrdup_quotable_file(file, GFP_KERNEL);
	char *cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
	const char *path_quote = (pathname && pathname[0] != '<') ? "\"" : "";
	const char *cmd_quote = cmdline ? "\"" : "";

	pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
		  origin, operation,
		  path_quote, pathname, path_quote,
		  task_pid_nr(current),
		  cmd_quote, cmdline, cmd_quote);

	kfree(cmdline);
	kfree(pathname);
}
44 | |
/* Enforcement switch; Kconfig default, settable via module param and sysctl. */
static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
/* Strings from the "exclude" module parameter, consumed by parse_exclude(). */
static char *exclude_read_files[READING_MAX_ID];
/* Per-read-id exclusion flags, filled by parse_exclude() at init only. */
static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
/*
 * Superblock of the first load: NULL until something is pinned, a valid
 * reference afterwards, or an ERR_PTR once an enforced pinned root was
 * unmounted. The first-pin assignment is serialized by the spinlock below
 * (see loadpin_check()).
 */
static struct super_block *pinned_root;
static DEFINE_SPINLOCK(pinned_root_spinlock);
#ifdef CONFIG_SECURITY_LOADPIN_VERITY
/* Latched to true by read_trusted_verity_root_digests() on any failure. */
static bool deny_reading_verity_digests;
#endif
53 | |
54 | #ifdef CONFIG_SYSCTL |
/*
 * kernel/loadpin/enforce: runtime view of the enforce flag.
 *
 * Both bounds start at SYSCTL_ONE, so the only accepted write is 1.
 * set_sysctl() lowers extra1 to SYSCTL_ZERO when the pinned root is
 * writable, which is what makes switching enforcement off possible.
 */
static struct ctl_table loadpin_sysctl_table[] = {
	{
		.procname       = "enforce",
		.data           = &enforce,
		.maxlen         = sizeof(int),
		.mode           = 0644,
		.proc_handler   = proc_dointvec_minmax,
		.extra1         = SYSCTL_ONE,
		.extra2         = SYSCTL_ONE,
	},
	{ }
};
67 | |
/*
 * set_sysctl - widen or narrow the range accepted by kernel/loadpin/enforce
 * @is_writable: whether the pinned root sits on a writable block device
 *
 * A writable pinned root cannot really enforce anything, so in that case
 * the lower bound is dropped to SYSCTL_ZERO and enforcement can be turned
 * off for testing; otherwise the knob is locked to 1.
 */
static void set_sysctl(bool is_writable)
{
	loadpin_sysctl_table[0].extra1 = is_writable ? SYSCTL_ZERO : SYSCTL_ONE;
}
79 | #else |
/* Without CONFIG_SYSCTL there is no enforce knob whose range could change. */
static inline void set_sysctl(bool is_writable)
{
}
81 | #endif |
82 | |
/*
 * report_writable - log the backing device of the pinned root and its mode
 * @mnt_sb: the superblock that has just been pinned
 * @writable: result of sb_is_writable() for that superblock
 *
 * A superblock without a block device is reported as writable, matching
 * the default that sb_is_writable() returns for it.
 */
static void report_writable(struct super_block *mnt_sb, bool writable)
{
	struct block_device *bdev = mnt_sb->s_bdev;

	if (!bdev) {
		pr_info("mnt_sb lacks block device, treating as: writable\n");
	} else {
		pr_info("%pg (%u:%u): %s\n", bdev,
			MAJOR(bdev->bd_dev), MINOR(bdev->bd_dev),
			writable ? "writable" : "read-only");
	}

	if (!writable)
		pr_info("load pinning engaged.\n");
}
96 | |
/*
 * sb_is_writable - is the filesystem behind @mnt_sb on a writable device?
 *
 * This must be called after early kernel init, since then the rootdev
 * is available. A superblock with no block device is treated as writable,
 * i.e. as offering no protection.
 */
static bool sb_is_writable(struct super_block *mnt_sb)
{
	if (!mnt_sb->s_bdev)
		return true;

	return !bdev_read_only(mnt_sb->s_bdev);
}
110 | |
/*
 * loadpin_sb_free_security - react to the pinned filesystem going away
 * @mnt_sb: superblock being released
 *
 * Only the superblock we pinned to matters. In enforcing mode the root is
 * poisoned with an ERR_PTR so that every later load is refused; otherwise
 * it is cleared and the next load establishes a new root.
 *
 * NOTE(review): pinned_root is read and written here without
 * pinned_root_spinlock, whereas the first-pin assignment in loadpin_check()
 * takes it; confirm a concurrent first pin cannot interleave with this path.
 */
static void loadpin_sb_free_security(struct super_block *mnt_sb)
{
	if (IS_ERR_OR_NULL(pinned_root) || mnt_sb != pinned_root)
		return;

	if (!enforce) {
		pinned_root = NULL;
		return;
	}

	pinned_root = ERR_PTR(-EIO);
	pr_info("umount pinned fs: refusing further loads\n");
}
128 | |
/*
 * loadpin_check - decide whether a module/firmware/policy load is permitted
 * @file: the file being read; NULL for the old init_module() path and for
 *        the kernel_load_data hook
 * @id: which kind of read this is
 *
 * The first load to get here pins its superblock as pinned_root. Later
 * loads are allowed only from that same superblock, or from a block device
 * that dm_verity_loadpin_is_bdev_trusted() accepts. Excluded ids bypass
 * pinning entirely. When !enforce every decision is logged but nothing is
 * refused.
 *
 * Return: 0 to allow the load, -EPERM to refuse it.
 */
static int loadpin_check(struct file *file, enum kernel_read_file_id id)
{
	struct super_block *load_root;
	const char *origin = kernel_read_file_id_str(id);
	bool first_root_pin = false;
	bool load_root_writable;

	/* If the file id is excluded, ignore the pinning. */
	if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
	    ignore_read_file_id[id]) {
		report_load(origin, file, "pinning-excluded");
		return 0;
	}

	/* This handles the older init_module API that has a NULL file. */
	if (!file) {
		if (!enforce) {
			report_load(origin, NULL, "old-api-pinning-ignored");
			return 0;
		}

		report_load(origin, NULL, "old-api-denied");
		return -EPERM;
	}

	load_root = file->f_path.mnt->mnt_sb;
	load_root_writable = sb_is_writable(load_root);

	/* First loaded module/firmware defines the root for all others. */
	spin_lock(&pinned_root_spinlock);
	/*
	 * pinned_root is only NULL at startup or when the pinned root has
	 * been unmounted while we are not in enforcing mode. Otherwise, it
	 * is either a valid reference, or an ERR_PTR.
	 */
	if (!pinned_root) {
		pinned_root = load_root;
		first_root_pin = true;
	}
	spin_unlock(&pinned_root_spinlock);

	if (first_root_pin) {
		/*
		 * A pinned root on a writable device gives no real guarantee,
		 * so set_sysctl() then lets enforcement be switched off.
		 */
		report_writable(pinned_root, load_root_writable);
		set_sysctl(load_root_writable);
		report_load(origin, file, "pinned");
	}

	/*
	 * NOTE(review): load_root->s_bdev is NULL for filesystems without a
	 * backing block device (report_writable() handles that case); confirm
	 * dm_verity_loadpin_is_bdev_trusted() tolerates a NULL argument.
	 */
	if (IS_ERR_OR_NULL(pinned_root) ||
	    ((load_root != pinned_root) && !dm_verity_loadpin_is_bdev_trusted(load_root->s_bdev))) {
		if (unlikely(!enforce)) {
			report_load(origin, file, "pinning-ignored");
			return 0;
		}

		report_load(origin, file, "denied");
		return -EPERM;
	}

	return 0;
}
189 | |
/*
 * loadpin_read_file - kernel_read_file LSM hook
 * @file: file being read by the kernel
 * @id: what the read is for
 * @contents: whether the full contents are available; unused, because
 *            LoadPin judges only the _origin_ of a file, never its contents
 *
 * Return: whatever loadpin_check() decides.
 */
static int loadpin_read_file(struct file *file, enum kernel_read_file_id id,
			     bool contents)
{
	return loadpin_check(file, id);
}
200 | |
/*
 * loadpin_load_data - kernel_load_data LSM hook
 * @id: what the data is for
 * @contents: ignored; only the origin matters to LoadPin
 *
 * There is no file on this path, so loadpin_check() is called with NULL
 * and takes its old-API branch. The id is converted to the read_file
 * enum, which the check routine expects.
 *
 * Return: whatever loadpin_check() decides.
 */
static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
{
	enum kernel_read_file_id read_id = (enum kernel_read_file_id) id;

	return loadpin_check(NULL, read_id);
}
210 | |
/* LSM hooks registered by loadpin_init(); the table is frozen after init. */
static struct security_hook_list loadpin_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
	LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
	LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
};
216 | |
/*
 * parse_exclude - translate the "exclude" module parameter into id flags
 *
 * Each string in exclude_read_files[] is matched against every entry of
 * kernel_read_file_str[] and each matching id is flagged in
 * ignore_read_file_id[]. The scan does not stop at the first match,
 * because one string may map to more than one id.
 */
static void __init parse_exclude(void)
{
	size_t i, j;

	/*
	 * Make sure all the arrays stay within expected sizes. This
	 * is slightly weird because kernel_read_file_str[] includes
	 * READING_MAX_ID, which isn't actually meaningful here.
	 */
	BUILD_BUG_ON(ARRAY_SIZE(exclude_read_files) !=
		     ARRAY_SIZE(ignore_read_file_id));
	BUILD_BUG_ON(ARRAY_SIZE(kernel_read_file_str) <
		     ARRAY_SIZE(ignore_read_file_id));

	for (i = 0; i < ARRAY_SIZE(exclude_read_files); i++) {
		const char *name = exclude_read_files[i];

		/* The parameter array is filled from the front; a hole ends it. */
		if (!name)
			break;
		/* Empty strings carry no request; skip them. */
		if (!*name)
			continue;

		for (j = 0; j < ARRAY_SIZE(ignore_read_file_id); j++) {
			if (strcmp(name, kernel_read_file_str[j]))
				continue;

			pr_info("excluding: %s\n", kernel_read_file_str[j]);
			ignore_read_file_id[j] = 1;
		}
	}
}
252 | |
/*
 * loadpin_init - LSM init: announce the mode, apply excludes, register hooks
 *
 * A failed sysctl registration is only logged: pinning itself does not
 * depend on the knob, it merely cannot be toggled at runtime.
 *
 * Return: always 0.
 */
static int __init loadpin_init(void)
{
	const char *mode = enforce ? "" : "not ";

	pr_info("ready to pin (currently %senforcing)\n", mode);
	parse_exclude();
#ifdef CONFIG_SYSCTL
	if (!register_sysctl("kernel/loadpin", loadpin_sysctl_table))
		pr_notice("sysctl registration failed!\n");
#endif
	security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");

	return 0;
}
266 | |
/* Register LoadPin with the LSM framework; loadpin_init() runs at LSM init. */
DEFINE_LSM(loadpin) = {
	.name = "loadpin",
	.init = loadpin_init,
};
271 | |
272 | #ifdef CONFIG_SECURITY_LOADPIN_VERITY |
273 | |
/* Identifies which securityfs node an ioctl arrived on; stored in the dentry data. */
enum loadpin_securityfs_interface_index {
	LOADPIN_DM_VERITY,
};
277 | |
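/*
 * read_trusted_verity_root_digests - install the dm-verity root digest list
 * @fd: descriptor of a file whose first line is VERITY_DIGEST_FILE_HEADER,
 *      followed by one hex-encoded root digest per line
 *
 * The file is read via kernel_read_file() (READING_POLICY) into a single
 * SZ_4K buffer with one byte reserved for the terminator, so anything the
 * read cannot fit is rejected by the read itself. The header must match
 * exactly; every following non-empty line is decoded with hex2bin() and
 * appended to dm_verity_loadpin_trusted_root_digests.
 *
 * The list may be populated only once. On any failure after fdget() the
 * partially built list is discarded and deny_reading_verity_digests is
 * latched, so no further attempt is accepted.
 *
 * Return: 0 on success; -EPERM if the list already exists or an earlier
 * attempt failed; -EINVAL for a bad fd; -ENOMEM on allocation failure;
 * -EPROTO for a malformed file (wrong header, odd-length or non-hex line,
 * or no digests at all); or the error returned by kernel_read_file().
 */
static int read_trusted_verity_root_digests(unsigned int fd)
{
	struct fd f;
	void *data;
	int rc;
	char *p, *d;

	if (deny_reading_verity_digests)
		return -EPERM;

	/* The list of trusted root digests can only be set up once */
	if (!list_empty(&dm_verity_loadpin_trusted_root_digests))
		return -EPERM;

	f = fdget(fd);
	if (!f.file)
		return -EINVAL;

	data = kzalloc(SZ_4K, GFP_KERNEL);
	if (!data) {
		rc = -ENOMEM;
		goto err;
	}

	/* SZ_4K - 1 keeps room for the NUL written after the read. */
	rc = kernel_read_file(f.file, 0, (void **)&data, SZ_4K - 1, NULL, READING_POLICY);
	if (rc < 0)
		goto err;

	p = data;
	p[rc] = '\0';
	/*
	 * strim() cuts trailing whitespace in place and returns a pointer past
	 * any leading whitespace. The header test below compares against data
	 * itself, so a file that starts with whitespace fails that test.
	 */
	p = strim(data);
	while ((d = strsep(&p, "\n")) != NULL) {
		int len;
		struct dm_verity_loadpin_trusted_root_digest *trd;

		if (d == data) {
			/* first line, validate header */
			if (strcmp(d, VERITY_DIGEST_FILE_HEADER)) {
				rc = -EPROTO;
				goto err;
			}

			continue;
		}

		/*
		 * Skip blank lines. Previously each one became a zero-length
		 * "digest" entry that presumably can never match a real root
		 * digest yet still satisfied the non-empty check below.
		 */
		if (*d == '\0')
			continue;

		len = strlen(d);

		/* Hex encoding needs an even number of characters. */
		if (len % 2) {
			rc = -EPROTO;
			goto err;
		}

		len /= 2;

		trd = kzalloc(struct_size(trd, data, len), GFP_KERNEL);
		if (!trd) {
			rc = -ENOMEM;
			goto err;
		}
		trd->len = len;

		/* hex2bin() also rejects any non-hex character. */
		if (hex2bin(trd->data, d, len)) {
			kfree(trd);
			rc = -EPROTO;
			goto err;
		}

		list_add_tail(&trd->node, &dm_verity_loadpin_trusted_root_digests);
	}

	/* A header with no digests behind it is not a usable policy. */
	if (list_empty(&dm_verity_loadpin_trusted_root_digests)) {
		rc = -EPROTO;
		goto err;
	}

	kfree(data);
	fdput(f);

	return 0;

err:
	kfree(data);

	/* any failure in loading/parsing invalidates the entire list */
	{
		struct dm_verity_loadpin_trusted_root_digest *trd, *tmp;

		list_for_each_entry_safe(trd, tmp, &dm_verity_loadpin_trusted_root_digests, node) {
			list_del(&trd->node);
			kfree(trd);
		}
	}

	/* disallow further attempts after reading a corrupt/invalid file */
	deny_reading_verity_digests = true;

	fdput(f);

	return rc;
}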
380 | |
381 | /******************************** securityfs ********************************/ |
382 | |
/*
 * dm_verity_ioctl - ioctl handler for the securityfs "dm-verity" node
 * @filp: the opened securityfs file (unused)
 * @cmd: ioctl number; only LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS is known
 * @arg: userspace pointer to an unsigned int file descriptor
 *
 * The descriptor is handed to read_trusted_verity_root_digests(). No
 * capability check is made here; access is governed by the mode of the
 * securityfs node created in init_loadpin_securityfs().
 *
 * Return: -EINVAL for an unknown command, -EFAULT if @arg cannot be read,
 * otherwise the result of read_trusted_verity_root_digests().
 */
static long dm_verity_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
	void __user *uarg = (void __user *)arg;
	unsigned int fd;

	if (cmd != LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS)
		return -EINVAL;

	if (copy_from_user(&fd, uarg, sizeof(fd)))
		return -EFAULT;

	return read_trusted_verity_root_digests(fd);
}
399 | |
/*
 * File operations for the "dm-verity" securityfs node: ioctl only. The
 * compat path goes through compat_ptr_ioctl since the argument is a pointer.
 */
static const struct file_operations loadpin_dm_verity_ops = {
	.unlocked_ioctl = dm_verity_ioctl,
	.compat_ioctl = compat_ptr_ioctl,
};
404 | |
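/**
 * init_loadpin_securityfs - create the securityfs directory for LoadPin
 *
 * We can not put this method normally under the loadpin_init() code path since
 * the security subsystem gets initialized before the vfs caches.
 *
 * Creates the "loadpin" directory and its "dm-verity" node in securityfs.
 * If the node cannot be created the directory is removed again rather than
 * left behind empty. pr_fmt() already prefixes every message with
 * "LoadPin: ", so the messages here carry no prefix of their own.
 *
 * Returns 0 if the securityfs directory creation was successful, otherwise
 * the PTR_ERR() of the failing securityfs call.
 */
static int __init init_loadpin_securityfs(void)
{
	struct dentry *loadpin_dir, *dentry;

	loadpin_dir = securityfs_create_dir("loadpin", NULL);
	if (IS_ERR(loadpin_dir)) {
		pr_err("could not create securityfs dir: %ld\n",
		       PTR_ERR(loadpin_dir));
		return PTR_ERR(loadpin_dir);
	}

	/*
	 * Mode 0600 is the access control for the ioctl on this node;
	 * dm_verity_ioctl() performs no capability check of its own.
	 */
	dentry = securityfs_create_file("dm-verity", 0600, loadpin_dir,
					(void *)LOADPIN_DM_VERITY, &loadpin_dm_verity_ops);
	if (IS_ERR(dentry)) {
		pr_err("could not create securityfs entry 'dm-verity': %ld\n",
		       PTR_ERR(dentry));
		securityfs_remove(loadpin_dir);
		return PTR_ERR(dentry);
	}

	return 0;
}

fs_initcall(init_loadpin_securityfs);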
436 | |
437 | #endif /* CONFIG_SECURITY_LOADPIN_VERITY */ |
438 | |
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
module_param(enforce, int, 0);
MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
/* Comma-separated kernel_read_file_str[] names; parsed by parse_exclude(). */
module_param_array_named(exclude, exclude_read_files, charp, NULL, 0);
MODULE_PARM_DESC(exclude, "Exclude pinning specific read file types");
444 | |