Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall

From: Eric W. Biederman
Date: Wed May 02 2018 - 10:49:34 EST

Next message: Hans de Goede: "Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support"
Previous message: Rob Herring: "Re: [RFC PATCH] driver core: make deferring probe forever optional"
Next in thread: Mimi Zohar: "Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:

> Allow LSMs and IMA to differentiate between the kexec_load and
> kexec_file_load syscalls by adding an "unnecessary" call to
> security_kernel_read_file() in kexec_load. This would be similar to the
> existing init_module syscall calling security_kernel_read_file().

Given the reasonable desire to load a policy that ensures everything
has a signature I don't have fundamental objections.

security_kernel_read_file as a hook seems an odd choice. At the very
least it has a bad name because there is no file reading going on here.

I am concerned that I don't see CONFIG_KEXEC_VERIFY_SIG being tested
anywhere. Which means I could have a kernel compiled without that and I
would be allowed to use kexec_file_load without signature checking.
While kexec_load would be denied.

Am I missing something here?

Eric

> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> ---
> kernel/kexec.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index aed8fb2564b3..d1386cfc6796 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -11,6 +11,7 @@
> #include <linux/capability.h>
> #include <linux/mm.h>
> #include <linux/file.h>
> +#include <linux/security.h>
> #include <linux/kexec.h>
> #include <linux/mutex.h>
> #include <linux/list.h>
> @@ -195,11 +196,21 @@ static int do_kexec_load(unsigned long entry, unsigned long nr_segments,
> static inline int kexec_load_check(unsigned long nr_segments,
> unsigned long flags)
> {
> + int result;
> +
> /* We only trust the superuser with rebooting the system. */
> if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> return -EPERM;
>
> /*
> + * Allow LSMs and IMA to differentiate between kexec_load and
> + * kexec_file_load syscalls.
> + */
> + result = security_kernel_read_file(NULL, READING_KEXEC_IMAGE);
> + if (result < 0)
> + return result;
> +
> + /*
> * Verify we have a legal set of flags
> * This leaves us room for future extensions.
> */

Next message: Hans de Goede: "Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support"
Previous message: Rob Herring: "Re: [RFC PATCH] driver core: make deferring probe forever optional"
Next in thread: Mimi Zohar: "Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]