security/lockdown/lockdown.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /* Lock down the kernel
   3  *
   4  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  *
   7  * This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public Licence
   9  * as published by the Free Software Foundation; either version
  10  * 2 of the Licence, or (at your option) any later version.
  11  */
  12
  13 #include <linux/security.h>
  14 #include <linux/export.h>
  15 #include <linux/lsm_hooks.h>
  16
  17 static enum lockdown_reason kernel_locked_down;
  18
  19 static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE,
  20                                                  LOCKDOWN_INTEGRITY_MAX,
  21                                                  LOCKDOWN_CONFIDENTIALITY_MAX};
  22
  23 /*
  24  * Put the kernel into lock-down mode.
  25  */
  26 static int lock_kernel_down(const char *where, enum lockdown_reason level)
  27 {
  28         if (kernel_locked_down >= level)
  29                 return -EPERM;
  30
  31         kernel_locked_down = level;
  32         pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
  33                   where);
  34         return 0;
  35 }
  36
  37 static int __init lockdown_param(char *level)
  38 {
  39         if (!level)
  40                 return -EINVAL;
  41
  42         if (strcmp(level, "integrity") == 0)
  43                 lock_kernel_down("command line", LOCKDOWN_INTEGRITY_MAX);
  44         else if (strcmp(level, "confidentiality") == 0)
  45                 lock_kernel_down("command line", LOCKDOWN_CONFIDENTIALITY_MAX);
  46         else
  47                 return -EINVAL;
  48
  49         return 0;
  50 }
  51
  52 early_param("lockdown", lockdown_param);
  53
  54 /**
  55  * lockdown_is_locked_down - Find out if the kernel is locked down
  56  * @what: Tag to use in notice generated if lockdown is in effect
  57  */
  58 static int lockdown_is_locked_down(enum lockdown_reason what)
  59 {
  60         if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
  61                  "Invalid lockdown reason"))
  62                 return -EPERM;
  63
  64         if (kernel_locked_down >= what) {
  65                 if (lockdown_reasons[what])
  66                         pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
  67                                   current->comm, lockdown_reasons[what]);
  68                 return -EPERM;
  69         }
  70
  71         return 0;
  72 }
  73
  74 static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
  75         LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
  76 };
  77
  78 static int __init lockdown_lsm_init(void)
  79 {
  80 #if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY)
  81         lock_kernel_down("Kernel configuration", LOCKDOWN_INTEGRITY_MAX);
  82 #elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY)
  83         lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX);
  84 #endif
  85         security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks),
  86                            "lockdown");
  87         return 0;
  88 }
  89
  90 static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count,
  91                              loff_t *ppos)
  92 {
  93         char temp[80];
  94         int i, offset = 0;
  95
  96         for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) {
  97                 enum lockdown_reason level = lockdown_levels[i];
  98
  99                 if (lockdown_reasons[level]) {
 100                         const char *label = lockdown_reasons[level];
 101
 102                         if (kernel_locked_down == level)
 103                                 offset += sprintf(temp+offset, "[%s] ", label);
 104                         else
 105                                 offset += sprintf(temp+offset, "%s ", label);
 106                 }
 107         }
 108
 109         /* Convert the last space to a newline if needed. */
 110         if (offset > 0)
 111                 temp[offset-1] = '\n';
 112
 113         return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
 114 }
 115
 116 static ssize_t lockdown_write(struct file *file, const char __user *buf,
 117                               size_t n, loff_t *ppos)
 118 {
 119         char *state;
 120         int i, len, err = -EINVAL;
 121
 122         state = memdup_user_nul(buf, n);
 123         if (IS_ERR(state))
 124                 return PTR_ERR(state);
 125
 126         len = strlen(state);
 127         if (len && state[len-1] == '\n') {
 128                 state[len-1] = '\0';
 129                 len--;
 130         }
 131
 132         for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) {
 133                 enum lockdown_reason level = lockdown_levels[i];
 134                 const char *label = lockdown_reasons[level];
 135
 136                 if (label && !strcmp(state, label))
 137                         err = lock_kernel_down("securityfs", level);
 138         }
 139
 140         kfree(state);
 141         return err ? err : n;
 142 }
 143
 144 static const struct file_operations lockdown_ops = {
 145         .read  = lockdown_read,
 146         .write = lockdown_write,
 147 };
 148
 149 static int __init lockdown_secfs_init(void)
 150 {
 151         struct dentry *dentry;
 152
 153         dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
 154                                         &lockdown_ops);
 155         return PTR_ERR_OR_ZERO(dentry);
 156 }
 157
 158 core_initcall(lockdown_secfs_init);
 159
 160 #ifdef CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
 161 DEFINE_EARLY_LSM(lockdown) = {
 162 #else
 163 DEFINE_LSM(lockdown) = {
 164 #endif
 165         .name = "lockdown",
 166         .init = lockdown_lsm_init,
 167 };