From 11c2287f53486c23cb9c5b4de673c335d6bd1178 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 00:40:43 +0000 Subject: [PATCH 01/14] Implement lockdown patches --- usr/share/hardened-kernel/build | 1 + .../lockdown/0001-lockdown-kconfig.patch | 33 +++++++ .../0002-lockdown-efivar_ssdt_load.patch | 22 +++++ .../lockdown/0003-lockdown-acpi_rsdp.patch | 3 + .../0004-lockdown-pci-bar-access.patch | 98 +++++++++++++++++++ .../patches/lockdown/0005-lockdown-perf.patch | 14 +++ .../lockdown/0006-lockdown-tiocsserial.patch | 22 +++++ .../lockdown/0007-lockdown-ioport.patch | 32 ++++++ .../lockdown/0008-lockdown-pcmcia.patch | 22 +++++ .../0009-lockdown-module-params.patch | 59 +++++++++++ 10 files changed, 306 insertions(+) create mode 100644 usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0002-lockdown-efivar_ssdt_load.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0004-lockdown-pci-bar-access.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0005-lockdown-perf.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0006-lockdown-tiocsserial.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch create mode 100644 usr/share/hardened-kernel/patches/lockdown/0009-lockdown-module-params.patch diff --git a/usr/share/hardened-kernel/build b/usr/share/hardened-kernel/build index a894d15..1ec94d6 100755 --- a/usr/share/hardened-kernel/build +++ b/usr/share/hardened-kernel/build 
@@ -92,6 +92,7 @@ tar -xf "${source_folder}/linux-${version}.tar.xz" -C "$working_folder" ls "$extracted_linux_kernel_sources_folder" cat "${source_folder}/linux-hardened-${version}.a.patch" | patch --silent -p1 -d "$extracted_linux_kernel_sources_folder" +cat "${MYDIR}/patches/lockdown/*.patch" | patch --silent -p1 -d "$extracted_linux_kernel_sources_folder" cp "${MYDIR}/${kernel_config}" "$extracted_linux_kernel_sources_folder/.config" diff --git a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch new file mode 100644 index 0000000..7468279 --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch @@ -0,0 +1,33 @@ +diff --git a/security/Kconfig b/security/Kconfig +index d9aa521..01fc608 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -230,6 +230,13 @@ config STATIC_USERMODEHELPER_PATH + If you wish for all usermode helper programs to be disabled, + specify an empty string here (i.e. ""). + ++config SECURITY_LOCKDOWN ++ string "Enable kernel lockdown" ++ default y ++ help ++ Enables kernel lockdown which disables any feature that ++ userspace can abuse to compromise the kernel. ++ + source security/selinux/Kconfig + source security/smack/Kconfig + source security/tomoyo/Kconfig +diff --git a/include/linux/security.h b/include/linux/security.h +index 75f4156..9c1171a 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -402,6 +402,10 @@ void security_inode_invalidate_secctx(struct inode *inode); + int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); + int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); + int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); ++ ++/* Kernel lockdown */ ++int kernel_lockdown = IS_ENABLED(CONFIG_SECURITY_LOCKDOWN); ++ + #else /* CONFIG_SECURITY */ + struct security_mnt_opts { + }; 
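Review bot: The added `cat` line quotes the glob, so `"${MYDIR}/patches/lockdown/*.patch"` reaches cat literally and never expands; cat fails with "No such file or directory", patch receives empty input, and none of the lockdown patches are applied. Move the glob outside the quotes: `cat "${MYDIR}/patches/lockdown/"*.patch | patch --silent -p1 -d "$extracted_linux_kernel_sources_folder"` (the linux-hardened line just above has the same shape but no glob, which is why it works). Unless the script runs with `set -o pipefail`, which is not visible here, a failing cat is also invisible because only patch's exit status is observed; applying the files one at a time in a loop, or checking the directory is non-empty first, would make a missing or unreadable patch fail the build loudly.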
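Review bot: The `kernel_lockdown` declaration is placed in the `#ifdef CONFIG_SECURITY` half of security.h (the `#else /* CONFIG_SECURITY */` context line follows it), but `config SECURITY_LOCKDOWN` carries no `depends on SECURITY`, so a `CONFIG_SECURITY=n` build that keeps the option on has no declaration for every driver that later tests `kernel_lockdown`. Add `depends on SECURITY` under the config entry, or provide `#define kernel_lockdown 0` in the `#else` branch so the checks compile away cleanly. The help text also overstates what the set does ("disables any feature that userspace can abuse to compromise the kernel"); wording aligned with the README, e.g. `Restricts interfaces that let userspace alter kernel memory or hardware configuration (PCI config/BAR access, I/O ports, TIOCSSERIAL, hardware module parameters, perf_event_open, EFI SSDT override, PCMCIA CIS).`, tells the person configuring the kernel what is actually gated.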
diff --git a/usr/share/hardened-kernel/patches/lockdown/0002-lockdown-efivar_ssdt_load.patch b/usr/share/hardened-kernel/patches/lockdown/0002-lockdown-efivar_ssdt_load.patch new file mode 100644 index 0000000..507aab2 --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0002-lockdown-efivar_ssdt_load.patch @@ -0,0 +1,22 @@ +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index d54fca9..94b0781 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include + +@@ -241,6 +242,9 @@ static void generic_ops_unregister(void) + static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; + static int __init efivar_ssdt_setup(char *str) + { ++ if (kernel_lockdown) ++ return -EPERM; ++ + if (strlen(str) < sizeof(efivar_ssdt)) + memcpy(efivar_ssdt, str, strlen(str)); + else diff --git a/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch b/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch new file mode 100644 index 0000000..1c8055a --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch @@ -0,0 +1,3 @@ +TODO + +https://lkml.org/lkml/2019/8/19/1204 diff --git a/usr/share/hardened-kernel/patches/lockdown/0004-lockdown-pci-bar-access.patch b/usr/share/hardened-kernel/patches/lockdown/0004-lockdown-pci-bar-access.patch new file mode 100644 index 0000000..1f79625 --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0004-lockdown-pci-bar-access.patch 
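Review bot: The new `return -EPERM;` in `efivar_ssdt_setup()` does not surface as an error: the `__init` signature and `__initdata` buffer in the context indicate a `__setup` handler, and as far as I recall the boot-option parser only distinguishes zero from non-zero return, treating any non-zero value as "handled". The option is therefore dropped silently, and an administrator who passed `efivar_ssdt=` gets no indication why it had no effect. Adding a diagnostic before the return, `pr_notice("efivar_ssdt: ignored, kernel is locked down\n");`, keeps the refusal visible in dmesg. `efivar_ssdt_setup()` continues outside the hunk.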
@@ -0,0 +1,98 @@ +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 1edf5a1..a529f6b 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, + loff_t init_off = off; + u8 *data = (u8 *) buf; + ++ if (kernel_lockdown) ++ return -EPERM; ++ + if (off > dev->cfg_size) + return 0; + if (off + count > dev->cfg_size) { +@@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, + enum pci_mmap_state mmap_type; + struct resource *res = &pdev->resource[bar]; + ++ if (kernel_lockdown) ++ return -EPERM; ++ + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) + return -EINVAL; + +@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, + struct bin_attribute *attr, char *buf, + loff_t off, size_t count) + { ++ if (kernel_lockdown) ++ return -EPERM; ++ + return pci_resource_io(filp, kobj, attr, buf, off, count, true); + } + +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c +index 7ac035a..972702c 100644 +--- a/drivers/pci/proc.c ++++ b/drivers/pci/proc.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include "pci.h" + +@@ -117,6 +118,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, + int size = dev->cfg_size; + int cnt; + ++ if (kernel_lockdown) ++ return -EPERM; ++ + if (pos >= size) + return 0; + if (nbytes >= size) +@@ -196,6 +200,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, + #endif /* HAVE_PCI_MMAP */ + int ret = 0; + ++ if (kernel_lockdown) ++ return -EPERM; ++ + switch (cmd) { + case PCIIOC_CONTROLLER: + ret = pci_domain_nr(dev->bus); +@@ -237,7 +244,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) + struct pci_filp_private *fpriv = file->private_data; + int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; + +- if 
(!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ kernel_lockdown) + return -EPERM; + + if (fpriv->mmap_state == pci_mmap_io) { +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index d96626c..f793681 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + #include + #include + #include "pci.h" +@@ -90,7 +91,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + u32 dword; + int err = 0; + +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN) || ++ kernel_lockdown) + return -EPERM; + + dev = pci_get_domain_bus_and_slot(0, bus, dfn); diff --git a/usr/share/hardened-kernel/patches/lockdown/0005-lockdown-perf.patch b/usr/share/hardened-kernel/patches/lockdown/0005-lockdown-perf.patch new file mode 100644 index 0000000..b1e175e --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0005-lockdown-perf.patch @@ -0,0 +1,14 @@ +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 460d5fd..73cc6ee 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10507,6 +10507,9 @@ SYSCALL_DEFINE5(perf_event_open, + return -EINVAL; + } + ++ if (kernel_lockdown) ++ return -EPERM; ++ + /* Only privileged users can get physical addresses */ + if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && + perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) diff --git a/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-tiocsserial.patch b/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-tiocsserial.patch new file mode 100644 index 0000000..17b42ea --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-tiocsserial.patch 
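Review bot: The `drivers/pci/pci-sysfs.c` hunks add three `kernel_lockdown` tests but no `#include` for the header that declares it, whereas the `proc.c` and `syscall.c` hunks in the same patch each add one; unless pci-sysfs.c already includes that header (the extract strips include names, so I cannot confirm), the first file in the patch fails to compile, and the include should be added there anyway for consistency. In `proc_bus_pci_ioctl()` the check sits ahead of the `switch (cmd)`, so read-only requests such as `PCIIOC_CONTROLLER` are refused too; if that is intended, a one-line comment such as `/* Lockdown: the whole PCI ioctl surface is refused, not just mmap setup */` would stop a future reader from "fixing" it. All of the touched functions begin outside their hunks.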
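Review bot: The `if (kernel_lockdown) return -EPERM;` is placed partway through `perf_event_open()`, after the `return -EINVAL` in the preceding context, which suggests the attribute copy and validation have already run on user-supplied data before the syscall is refused. Since the README's stated aim is to remove `perf_event_open` as attack surface entirely, the check belongs at the top of the function, before any `attr` handling, so no user input is parsed in the locked-down case. A comment such as `/* Lockdown: refuse perf_event_open outright; deliberately stricter than upstream's REGS_INTR-only restriction */` would also record why this diverges from the upstream lockdown patch. `perf_event_open()` begins and ends outside the hunk.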
@@ -0,0 +1,22 @@ +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index dc56cdd..3e96b14 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -866,6 +867,9 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, + goto check_and_exit; + } + ++ if (kernel_lockdown && (change_irq || change_port)) ++ goto exit; ++ + /* + * Ask the low level driver to verify the settings. + */ diff --git a/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch b/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch new file mode 100644 index 0000000..0f43176 --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch @@ -0,0 +1,32 @@ +diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c +index 0fe1c87..e6a02e7 100644 +--- a/arch/x86/kernel/ioport.c ++++ b/arch/x86/kernel/ioport.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && !capable(CAP_SYS_RAWIO) || ++ lockdown_kernel) + return -EPERM; + + /* +@@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) + return -EINVAL; + /* Trying to gain more privileges? */ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ lockdown_kernel) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch b/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch new file mode 100644 index 0000000..9d94a45 --- /dev/null 
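Review bot: The new `goto exit;` in `uart_set_info()` jumps out without setting the function's return value, unlike every other patch in the set, which returns `-EPERM`. If the return variable is still 0 at this point, which it is for a `CAP_SYS_ADMIN` caller in upstream serial_core.c because the preceding capability block only assigns an error on the unprivileged path (its tail is visible as `goto check_and_exit; }` in the context), the ioctl reports success while the irq/port change is silently discarded. Assign the error before jumping: `if (kernel_lockdown && (change_irq || change_port)) { retval = -EPERM; goto exit; }`. `retval` is the name upstream uses in this function, but confirm against the tree being patched since the declaration is outside the hunk.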
+++ b/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch @@ -0,0 +1,22 @@ +diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c +index ac0672b..7c89c51 100644 +--- a/drivers/pcmcia/cistpl.c ++++ b/drivers/pcmcia/cistpl.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1578,6 +1579,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, + struct pcmcia_socket *s; + int error; + ++ if (lockdown_kernel) ++ return -EPERM; ++ + s = to_socket(container_of(kobj, struct device, kobj)); + + if (off) diff --git a/usr/share/hardened-kernel/patches/lockdown/0009-lockdown-module-params.patch b/usr/share/hardened-kernel/patches/lockdown/0009-lockdown-module-params.patch new file mode 100644 index 0000000..5cf173b --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/0009-lockdown-module-params.patch 
@@ -0,0 +1,59 @@ +diff --git a/kernel/params.c b/kernel/params.c +index ce89f75..98221b8 100644 +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_SYSFS + /* Protects all built-in parameters, modules use their own param_lock */ +@@ -108,13 +109,19 @@ bool parameq(const char *a, const char *b) + return parameqn(a, b, strlen(a)+1); + } + +-static void param_check_unsafe(const struct kernel_param *kp) ++static bool param_check_unsafe(const struct kernel_param *kp) + { ++ if (kp->flags & KERNEL_PARAM_FL_HWPARAM && ++ kernel_lockdown) ++ return false; ++ + if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { + pr_notice("Setting dangerous option %s - tainting kernel\n", + kp->name); + add_taint(TAINT_USER, LOCKDEP_STILL_OK); + } ++ ++ return true; + } + + static int parse_one(char *param, +@@ -144,8 +151,10 @@ static int parse_one(char *param, + pr_debug("handling %s with %p\n", param, + params[i].ops->set); + kernel_param_lock(params[i].mod); +- param_check_unsafe(¶ms[i]); +- err = params[i].ops->set(val, ¶ms[i]); ++ if (param_check_unsafe(¶ms[i])) ++ err = params[i].ops->set(val, ¶ms[i]); ++ else ++ err = -EPERM; + kernel_param_unlock(params[i].mod); + return err; + } +@@ -565,8 +574,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, + return -EPERM; + + kernel_param_lock(mk->mod); +- param_check_unsafe(attribute->param); +- err = attribute->param->ops->set(buf, attribute->param); ++ if (param_check_unsafe(attribute->param)) ++ err = attribute->param->ops->set(buf, attribute->param); ++ else ++ err = -EPERM; + kernel_param_unlock(mk->mod); + if (!err) + return len; From ac749a11bf7e49d243bd89fddf5a5ed51c6fadd1 Mon Sep 17 00:00:00 2001 
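Review bot: In `param_check_unsafe()` the new condition `kp->flags & KERNEL_PARAM_FL_HWPARAM && kernel_lockdown` relies on `&` binding tighter than `&&`; it evaluates correctly, but the bare mixed operators are what `-Wparentheses`-style review flags, so write `if ((kp->flags & KERNEL_PARAM_FL_HWPARAM) && kernel_lockdown)`. The refusal is also silent: both callers now map `false` to `-EPERM`, and on the command-line path through `parse_one()` that surfaces, as far as I can tell, only as the generic parameter error text rather than anything mentioning lockdown, so a `pr_notice("Refusing hardware parameter %s: kernel is locked down\n", kp->name);` before `return false;` would tell the administrator what happened. `parse_one()` and `param_attr_store()` both begin outside their hunks.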
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 00:47:02 +0000 Subject: [PATCH 02/14] Create README.md --- .../patches/lockdown/README.md | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 usr/share/hardened-kernel/patches/lockdown/README.md diff --git a/usr/share/hardened-kernel/patches/lockdown/README.md b/usr/share/hardened-kernel/patches/lockdown/README.md new file mode 100644 index 0000000..216d1c8 --- /dev/null +++ b/usr/share/hardened-kernel/patches/lockdown/README.md 
@@ -0,0 +1,100 @@ +This patchset implements features of the lockdown LSM that we need as +lockdown is not available in LTS kernels. + +Features that are already mitigated by our kernel configuration are not +implemented. + +# 0001-lockdown-kconfig.patch: + +Creates the CONFIG_SECURITY_LOCKDOWN kconfig setting to enable/disable +kernel lockdown. + +# 0002-lockdown-efivar_ssdt_load.patch: + +Disables efivar_ssdt_load. + +Only useful for the host kernel. + +> efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an +EFI variable, which gives arbitrary code execution in ring 0. Prevent +that when the kernel is locked down. + +# 0003-lockdown-acpi_rsdp: + +Ignore the acpi_rsdp kernel parameter. + +Not implemented yet. + +> This option allows userspace to pass the RSDP address to the kernel, which +makes it possible for a user to modify the workings of hardware. Reject +the option when the kernel is locked down. This requires some reworking +of the existing RSDP command line logic, since the early boot code also +makes use of a command-line passed RSDP when locating the SRAT table +before the lockdown code has been initialised. This is achieved by +separating the command line RSDP path in the early boot code from the +generic RSDP path, and then copying the command line RSDP into boot +params in the kernel proper if lockdown is not enabled. If lockdown is +enabled and an RSDP is provided on the command line, this will only be +used when parsing SRAT (which shouldn't permit kernel code execution) +and will be ignored in the rest of the kernel. + +# 0004-lockdown-pci-bar-access.patch: + +Locks down PCI BAR access. + +> Any hardware that can potentially generate DMA has to be locked down in +order to avoid it being possible for an attacker to modify kernel code, +allowing them to circumvent disabled module loading or module signing. +Default to paranoid - in future we can potentially relax this for +sufficiently IOMMU-isolated devices. 
+ +# 0005-lockdown-perf.patch: + +Locks down perf. + +The official lockdown patchset only locks down REGS_INTR but this patch +disables perf_event_open entirely to further reduce attack surface. + +This will be dropped if perf_event_paranoid=4 support is merged into +linux-hardened. + +> Disallow the use of certain perf facilities that might allow userspace to +access kernel data. + +# 0006-lockdown-tiocsserial.patch + +Locks down TIOCSSERIAL. + +> Lock down TIOCSSERIAL as that can be used to change the ioport and irq +settings on a serial port. This only appears to be an issue for the serial +drivers that use the core serial code. All other drivers seem to either +ignore attempts to change port/irq or give an error. + +# 0007-lockdown-ioport.patch: + +Locks down IO port access (specifically, the ioperm() and iopl() syscalls). + +> IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO +register space. This would potentially permit root to trigger arbitrary +DMA, so lock it down by default. +> +> This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and +KDDISABIO console ioctls. + +# 0008-lockdown-pcmcia.patch: + +Locks down PCMCIA. + +Only useful for the host kernel. + +> Prohibit replacement of the PCMCIA Card Information Structure when the +kernel is locked down. + +# 0009-lockdown-module-params.patch: + +Locks down module parameters. + +> Provided an annotation for module parameters that specify hardware +parameters (such as io ports, iomem addresses, irqs, dma channels, fixed +dma buffers and other types). From ebe1373dab4e3cb3d28ee13b4b8e6bb25dc5ad03 Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 15:01:57 +0000 Subject: [PATCH 03/14] Should be kernel_lockdown, not lockdown_kernel --- .../patches/lockdown/0007-lockdown-ioport.patch | 4 ++-- .../patches/lockdown/0008-lockdown-pcmcia.patch | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch b/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch index 0f43176..35d100f 100644 --- a/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch +++ b/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch @@ -16,7 +16,7 @@ index 0fe1c87..e6a02e7 100644 return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && !capable(CAP_SYS_RAWIO) || -+ lockdown_kernel) ++ kernel_lockdown) return -EPERM; /* @@ -26,7 +26,7 @@ index 0fe1c87..e6a02e7 100644 if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || -+ lockdown_kernel) ++ kernel_lockdown) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch b/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch index 9d94a45..81198bb 100644 --- a/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch +++ b/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch @@ -14,7 +14,7 @@ index ac0672b..7c89c51 100644 struct pcmcia_socket *s; int error; -+ if (lockdown_kernel) ++ if (kernel_lockdown) + return -EPERM; + s = to_socket(container_of(kobj, struct device, kobj)); From e7422f702ee42d87e252431a6e9975dd6da29e3a Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 15:35:30 +0000 Subject: [PATCH 04/14] Should be a boolean --- .../patches/lockdown/0001-lockdown-kconfig.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch index 7468279..3290c7b 100644 --- a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch +++ b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch @@ -7,7 +7,7 @@ index d9aa521..01fc608 100644 specify an empty string here (i.e. ""). +config SECURITY_LOCKDOWN -+ string "Enable kernel lockdown" ++ bool "Enable kernel lockdown" + default y + help + Enables kernel lockdown which disables any feature that From 63b9dd34fa1a2ea6e9b31b8246394e32ca0f7e6f Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 15:43:38 +0000 Subject: [PATCH 05/14] Enable lockdown --- usr/share/hardened-kernel/hardened-vm-kernel | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/hardened-kernel/hardened-vm-kernel b/usr/share/hardened-kernel/hardened-vm-kernel index 262aeb7..95cda68 100644 --- a/usr/share/hardened-kernel/hardened-vm-kernel +++ b/usr/share/hardened-kernel/hardened-vm-kernel @@ -4679,6 +4679,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_PAGE_SANITIZE=y CONFIG_PAGE_SANITIZE_VERIFY=y # CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_SECURITY_LOCKDOWN=y # CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set From 3677944ccb4a7f43fa0e7a69900adf7410b1bca7 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 15:45:48 +0000 Subject: [PATCH 06/14] Enable lockdown --- usr/share/hardened-kernel/hardened-host-kernel | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/hardened-kernel/hardened-host-kernel b/usr/share/hardened-kernel/hardened-host-kernel index 1bf5409..0a23ce5 100644 --- a/usr/share/hardened-kernel/hardened-host-kernel +++ b/usr/share/hardened-kernel/hardened-host-kernel 
@@ -6995,6 +6995,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_PAGE_SANITIZE=y CONFIG_PAGE_SANITIZE_VERIFY=y # CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_SECURITY_LOCKDOWN=y # CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set From 186bba551cb91f88c82752fea3dcf26e44c155db Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 17:09:48 +0000 Subject: [PATCH 07/14] Remove acpi_rsdp patch It's only an issue with CONFIG_KEXEC which we disable --- .../lockdown/0003-lockdown-acpi_rsdp.patch | 3 -- ...tch => 0003-lockdown-pci-bar-access.patch} | 0 ...wn-perf.patch => 0004-lockdown-perf.patch} | 0 ....patch => 0005-lockdown-tiocsserial.patch} | 0 ...oport.patch => 0006-lockdown-ioport.patch} | 0 ...cmcia.patch => 0007-lockdown-pcmcia.patch} | 0 ...atch => 0008-lockdown-module-params.patch} | 0 .../patches/lockdown/README.md | 31 ++++--------------- 8 files changed, 6 insertions(+), 28 deletions(-) delete mode 100644 usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch rename usr/share/hardened-kernel/patches/lockdown/{0004-lockdown-pci-bar-access.patch => 0003-lockdown-pci-bar-access.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0005-lockdown-perf.patch => 0004-lockdown-perf.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0006-lockdown-tiocsserial.patch => 0005-lockdown-tiocsserial.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0007-lockdown-ioport.patch => 0006-lockdown-ioport.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0008-lockdown-pcmcia.patch => 0007-lockdown-pcmcia.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0009-lockdown-module-params.patch => 0008-lockdown-module-params.patch} (100%) 
diff --git a/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch b/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch deleted file mode 100644 index 1c8055a..0000000 --- a/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-acpi_rsdp.patch +++ /dev/null @@ -1,3 +0,0 @@ -TODO - -https://lkml.org/lkml/2019/8/19/1204 diff --git a/usr/share/hardened-kernel/patches/lockdown/0004-lockdown-pci-bar-access.patch b/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-pci-bar-access.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0004-lockdown-pci-bar-access.patch rename to usr/share/hardened-kernel/patches/lockdown/0003-lockdown-pci-bar-access.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0005-lockdown-perf.patch b/usr/share/hardened-kernel/patches/lockdown/0004-lockdown-perf.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0005-lockdown-perf.patch rename to usr/share/hardened-kernel/patches/lockdown/0004-lockdown-perf.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-tiocsserial.patch b/usr/share/hardened-kernel/patches/lockdown/0005-lockdown-tiocsserial.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0006-lockdown-tiocsserial.patch rename to usr/share/hardened-kernel/patches/lockdown/0005-lockdown-tiocsserial.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch b/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0007-lockdown-ioport.patch rename to usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch 
diff --git a/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch b/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-pcmcia.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0008-lockdown-pcmcia.patch rename to usr/share/hardened-kernel/patches/lockdown/0007-lockdown-pcmcia.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0009-lockdown-module-params.patch b/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-module-params.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0009-lockdown-module-params.patch rename to usr/share/hardened-kernel/patches/lockdown/0008-lockdown-module-params.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/README.md b/usr/share/hardened-kernel/patches/lockdown/README.md index 216d1c8..8617612 100644 --- a/usr/share/hardened-kernel/patches/lockdown/README.md +++ b/usr/share/hardened-kernel/patches/lockdown/README.md 
@@ -19,26 +19,7 @@ Only useful for the host kernel. EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. -# 0003-lockdown-acpi_rsdp: - -Ignore the acpi_rsdp kernel parameter. - -Not implemented yet. - -> This option allows userspace to pass the RSDP address to the kernel, which -makes it possible for a user to modify the workings of hardware. Reject -the option when the kernel is locked down. This requires some reworking -of the existing RSDP command line logic, since the early boot code also -makes use of a command-line passed RSDP when locating the SRAT table -before the lockdown code has been initialised. This is achieved by -separating the command line RSDP path in the early boot code from the -generic RSDP path, and then copying the command line RSDP into boot -params in the kernel proper if lockdown is not enabled. If lockdown is -enabled and an RSDP is provided on the command line, this will only be -used when parsing SRAT (which shouldn't permit kernel code execution) -and will be ignored in the rest of the kernel. - -# 0004-lockdown-pci-bar-access.patch: +# 0003-lockdown-pci-bar-access.patch: Locks down PCI BAR access. @@ -48,7 +29,7 @@ allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. -# 0005-lockdown-perf.patch: +# 0004-lockdown-perf.patch: Locks down perf. @@ -61,7 +42,7 @@ linux-hardened. > Disallow the use of certain perf facilities that might allow userspace to access kernel data. -# 0006-lockdown-tiocsserial.patch +# 0005-lockdown-tiocsserial.patch Locks down TIOCSSERIAL. 
@@ -70,7 +51,7 @@ settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. -# 0007-lockdown-ioport.patch: +# 0006-lockdown-ioport.patch: Locks down IO port access (specifically, the ioperm() and iopl() syscalls). @@ -82,7 +63,7 @@ DMA, so lock it down by default. > This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. -# 0008-lockdown-pcmcia.patch: +# 0007-lockdown-pcmcia.patch: Locks down PCMCIA. @@ -91,7 +72,7 @@ Only useful for the host kernel. > Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. -# 0009-lockdown-module-params.patch: +# 0008-lockdown-module-params.patch: Locks down module parameters. From 71b0f767f3d761b9a299a91b6fa4ec2967d0f51b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 17:28:22 +0000 Subject: [PATCH 08/14] Add missing parentheses --- .../patches/lockdown/0006-lockdown-ioport.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch b/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch index 35d100f..63320cf 100644 --- a/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch +++ b/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch @@ -15,8 +15,8 @@ index 0fe1c87..e6a02e7 100644 if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && !capable(CAP_SYS_RAWIO) || -+ kernel_lockdown) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || ++ kernel_lockdown)) return -EPERM; /* From c6711b246c8e1d96fa8559c0cfd8d4b2233f99f5 Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 18:50:13 +0000 Subject: [PATCH 09/14] Set kernel_lockdown properly --- .../lockdown/0001-lockdown-kconfig.patch | 24 +++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch index 3290c7b..b9dd57d 100644 --- a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch +++ b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch @@ -17,7 +17,7 @@ index d9aa521..01fc608 100644 source security/smack/Kconfig source security/tomoyo/Kconfig diff --git a/include/linux/security.h b/include/linux/security.h -index 75f4156..9c1171a 100644 +index 75f4156..a591b90 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -402,6 +402,10 @@ void security_inode_invalidate_secctx(struct inode *inode); @@ -26,8 +26,28 @@ index 75f4156..9c1171a 100644 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + +/* Kernel lockdown */ -+int kernel_lockdown = IS_ENABLED(CONFIG_SECURITY_LOCKDOWN); ++extern int kernel_lockdown; + #else /* CONFIG_SECURITY */ struct security_mnt_opts { }; +diff --git a/security/Makefile b/security/Makefile +index 4d2d378..ccf18e1 100644 +--- a/security/Makefile ++++ b/security/Makefile +@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o + # Object integrity file lists + subdir-$(CONFIG_INTEGRITY) += integrity + obj-$(CONFIG_INTEGRITY) += integrity/ ++ ++# Kernel lockdown ++obj-$(CONFIG_SECURITY_LOCKDOWN) += lockdown.o +diff --git a/security/lockdown.c b/security/lockdown.c +new file mode 100644 +index 0000000..eb2d10f +--- /dev/null ++++ b/security/lockdown.c +@@ -0,0 +1,3 @@ ++#include ++ ++int __ro_after_init kernel_lockdown = IS_ENABLED(CONFIG_SECURITY_LOCKDOWN); From 9b726ae2069cfa0d2b7af14deb39cbc04c590890 Mon Sep 17 00:00:00 2001 
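Review bot: `obj-$(CONFIG_SECURITY_LOCKDOWN) += lockdown.o` only compiles the definition of `kernel_lockdown` when the option is enabled, yet the header now declares `extern int kernel_lockdown;` unconditionally and every driver patch in the set references it unconditionally, so a kernel built with `CONFIG_SECURITY_LOCKDOWN=n` fails to link. Build the object whenever the `CONFIG_SECURITY` half of the header is active, `obj-$(CONFIG_SECURITY) += lockdown.o`, and let the `IS_ENABLED(...)` initialiser evaluate to 0. Separately, the value is a compile-time constant with no writer anywhere in the series, so `__ro_after_init` adds nothing that `const` on both the declaration and the definition (or testing `IS_ENABLED(CONFIG_SECURITY_LOCKDOWN)` directly at the call sites) would not give more cheaply; if a runtime knob is planned, a comment in lockdown.c saying so would explain the variable.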
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 19 Jan 2020 18:56:16 +0000 Subject: [PATCH 10/14] lockdown.c licensing --- .../patches/lockdown/0001-lockdown-kconfig.patch | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch index b9dd57d..414b148 100644 --- a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch +++ b/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch @@ -44,10 +44,11 @@ index 4d2d378..ccf18e1 100644 +obj-$(CONFIG_SECURITY_LOCKDOWN) += lockdown.o diff --git a/security/lockdown.c b/security/lockdown.c new file mode 100644 -index 0000000..eb2d10f +index 0000000..80ac2fe --- /dev/null +++ b/security/lockdown.c -@@ -0,0 +1,3 @@ +@@ -0,0 +1,4 @@ ++// SPDX-License-Identifier: GPL-2.0 +#include + +int __ro_after_init kernel_lockdown = IS_ENABLED(CONFIG_SECURITY_LOCKDOWN); From 26d3b4974acb4e7478f1d4df11c2cbef061a33dc Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 16 Feb 2020 17:29:20 +0000 Subject: [PATCH 11/14] Remove unneeded numbers --- .../hardened-kernel/patches/lockdown/README.md | 16 ++++++++-------- ...oad.patch => lockdown-efivar_ssdt_load.patch} | 0 ...ckdown-ioport.patch => lockdown-ioport.patch} | 0 ...down-kconfig.patch => lockdown-kconfig.patch} | 0 ...params.patch => lockdown-module-params.patch} | 0 ...ccess.patch => lockdown-pci-bar-access.patch} | 0 ...ckdown-pcmcia.patch => lockdown-pcmcia.patch} | 0 ...4-lockdown-perf.patch => lockdown-perf.patch} | 0 ...csserial.patch => lockdown-tiocsserial.patch} | 0 9 files changed, 8 insertions(+), 8 deletions(-) rename usr/share/hardened-kernel/patches/lockdown/{0002-lockdown-efivar_ssdt_load.patch => lockdown-efivar_ssdt_load.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0006-lockdown-ioport.patch => lockdown-ioport.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0001-lockdown-kconfig.patch => lockdown-kconfig.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0008-lockdown-module-params.patch => lockdown-module-params.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0003-lockdown-pci-bar-access.patch => lockdown-pci-bar-access.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0007-lockdown-pcmcia.patch => lockdown-pcmcia.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0004-lockdown-perf.patch => lockdown-perf.patch} (100%) rename usr/share/hardened-kernel/patches/lockdown/{0005-lockdown-tiocsserial.patch => lockdown-tiocsserial.patch} (100%) diff --git a/usr/share/hardened-kernel/patches/lockdown/README.md b/usr/share/hardened-kernel/patches/lockdown/README.md index 8617612..5d6d244 100644 --- a/usr/share/hardened-kernel/patches/lockdown/README.md +++ b/usr/share/hardened-kernel/patches/lockdown/README.md 
@@ -4,12 +4,12 @@ lockdown is not available in LTS kernels. Features that are already mitigated by our kernel configuration are not implemented. -# 0001-lockdown-kconfig.patch: +# lockdown-kconfig.patch: Creates the CONFIG_SECURITY_LOCKDOWN kconfig setting to enable/disable kernel lockdown. -# 0002-lockdown-efivar_ssdt_load.patch: +# lockdown-efivar_ssdt_load.patch: Disables efivar_ssdt_load. @@ -19,7 +19,7 @@ Only useful for the host kernel. EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. -# 0003-lockdown-pci-bar-access.patch: +# lockdown-pci-bar-access.patch: Locks down PCI BAR access. @@ -29,7 +29,7 @@ allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. -# 0004-lockdown-perf.patch: +# lockdown-perf.patch: Locks down perf. @@ -42,7 +42,7 @@ linux-hardened. > Disallow the use of certain perf facilities that might allow userspace to access kernel data. -# 0005-lockdown-tiocsserial.patch +# lockdown-tiocsserial.patch Locks down TIOCSSERIAL. @@ -51,7 +51,7 @@ settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error. -# 0006-lockdown-ioport.patch: +# lockdown-ioport.patch: Locks down IO port access (specifically, the ioperm() and iopl() syscalls). @@ -63,7 +63,7 @@ DMA, so lock it down by default. > This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. -# 0007-lockdown-pcmcia.patch: +# lockdown-pcmcia.patch: Locks down PCMCIA. @@ -72,7 +72,7 @@ Only useful for the host kernel. > Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. -# 0008-lockdown-module-params.patch: +# lockdown-module-params.patch: Locks down module parameters. 
diff --git a/usr/share/hardened-kernel/patches/lockdown/0002-lockdown-efivar_ssdt_load.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-efivar_ssdt_load.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0002-lockdown-efivar_ssdt_load.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-efivar_ssdt_load.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-ioport.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0006-lockdown-ioport.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-ioport.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0001-lockdown-kconfig.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0008-lockdown-module-params.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-module-params.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0008-lockdown-module-params.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-module-params.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0003-lockdown-pci-bar-access.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-pci-bar-access.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0003-lockdown-pci-bar-access.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-pci-bar-access.patch 
diff --git a/usr/share/hardened-kernel/patches/lockdown/0007-lockdown-pcmcia.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-pcmcia.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0007-lockdown-pcmcia.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-pcmcia.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0004-lockdown-perf.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-perf.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0004-lockdown-perf.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-perf.patch diff --git a/usr/share/hardened-kernel/patches/lockdown/0005-lockdown-tiocsserial.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-tiocsserial.patch similarity index 100% rename from usr/share/hardened-kernel/patches/lockdown/0005-lockdown-tiocsserial.patch rename to usr/share/hardened-kernel/patches/lockdown/lockdown-tiocsserial.patch From d2de37cd8d2c33d468704da6488dc56811ac1409 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 16 Feb 2020 17:51:23 +0000 Subject: [PATCH 12/14] Fix lockdown-kconfig and add boot parameter --- .../patches/lockdown/README.md | 4 +- .../patches/lockdown/lockdown-kconfig.patch | 82 +++++++++++++------ 2 files changed, 59 insertions(+), 27 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/README.md b/usr/share/hardened-kernel/patches/lockdown/README.md index 5d6d244..2dd9430 100644 --- a/usr/share/hardened-kernel/patches/lockdown/README.md +++ b/usr/share/hardened-kernel/patches/lockdown/README.md @@ -6,8 +6,8 @@ implemented. # lockdown-kconfig.patch: -Creates the CONFIG_SECURITY_LOCKDOWN kconfig setting to enable/disable -kernel lockdown. +Creates the CONFIG_SECURITY_LOCKDOWN kconfig setting and boot parameter +to enable/disable kernel lockdown. # lockdown-efivar_ssdt_load.patch: 
diff --git a/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch index 414b148..16e940c 100644 --- a/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch +++ b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch @@ -1,11 +1,42 @@ -diff --git a/security/Kconfig b/security/Kconfig -index d9aa521..01fc608 100644 ---- a/security/Kconfig +diff --git a/linux-4.19.97/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 9ae9f28..6f31664 100644 +--- a/linux-4.19.97/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2186,6 +2186,12 @@ + lockd.nlm_udpport=M [NFS] Assign UDP port. + Format: + ++ lockdown= [SECURITY] ++ { on | off } ++ Enable the kernel lockdown feature. If set to on, ++ kernel lockdown will be enabled and features that ++ allow userspace to modify the kernel will be disabled. ++ + locktorture.nreaders_stress= [KNL] + Set the number of locking read-acquisition kthreads. + Defaults to being automatically set based on the +diff --git a/linux-4.19.97/include/linux/security.h b/include/linux/security.h +index 75f4156..1a69db0 100644 +--- a/linux-4.19.97/include/linux/security.h ++++ b/include/linux/security.h +@@ -66,6 +66,9 @@ struct audit_krule; + struct user_namespace; + struct timezone; + ++/* Kernel lockdown */ ++extern int kernel_lockdown; ++ + enum lsm_event { + LSM_POLICY_CHANGE, + }; +diff --git a/linux-4.19.97/security/Kconfig b/security/Kconfig +index a921713..92b4f43 100644 +--- a/linux-4.19.97/security/Kconfig +++ b/security/Kconfig -@@ -230,6 +230,13 @@ config STATIC_USERMODEHELPER_PATH +@@ -281,6 +281,13 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). - + +config SECURITY_LOCKDOWN + bool "Enable kernel lockdown" + default y 
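Review bot: The new `lockdown=` entry in kernel-parameters.txt explains only the `on` value, while the `off` value it lists is the security-relevant one: it switches the protection off on a kernel built with CONFIG_SECURITY_LOCKDOWN=y, and the command line is writable by whoever can edit the bootloader configuration, which is typically the same root user lockdown is meant to constrain. Both the parameter text and the Kconfig help should say this; proposed wording for the parameter entry: `If set to off, lockdown is disabled even when CONFIG_SECURITY_LOCKDOWN=y; the default is taken from that option, and anyone who can change the kernel command line can therefore disable lockdown.` The Kconfig entry continues past the end of this hunk (its help text is in the next hunk's context), and changing its type from `string` to `bool` is the right fix for `default y`.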
@@ -16,24 +47,9 @@ index d9aa521..01fc608 100644 source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig -diff --git a/include/linux/security.h b/include/linux/security.h -index 75f4156..a591b90 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -402,6 +402,10 @@ void security_inode_invalidate_secctx(struct inode *inode); - int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); - int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); - int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); -+ -+/* Kernel lockdown */ -+extern int kernel_lockdown; -+ - #else /* CONFIG_SECURITY */ - struct security_mnt_opts { - }; -diff --git a/security/Makefile b/security/Makefile +diff --git a/linux-4.19.97/security/Makefile b/security/Makefile index 4d2d378..ccf18e1 100644 ---- a/security/Makefile +--- a/linux-4.19.97/security/Makefile +++ b/security/Makefile @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists @@ -44,11 +60,27 @@ index 4d2d378..ccf18e1 100644 +obj-$(CONFIG_SECURITY_LOCKDOWN) += lockdown.o diff --git a/security/lockdown.c b/security/lockdown.c new file mode 100644 -index 0000000..80ac2fe +index 0000000..09b9cc6 --- /dev/null +++ b/security/lockdown.c -@@ -0,0 +1,4 @@ +@@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + -+int __ro_after_init kernel_lockdown = IS_ENABLED(CONFIG_SECURITY_LOCKDOWN); ++int kernel_lockdown __ro_after_init = IS_ENABLED(CONFIG_SECURITY_LOCKDOWN); ++ ++static int __init enable_lockdown(char *level) ++{ ++ if (!level) ++ return -EINVAL; ++ ++ if (strcmp(level, "on") == 0) ++ int kernel_lockdown = 1; ++ else if (strcmp(level, "off") == 0) ++ int kernel_lockdown = 0; ++ else ++ return -EINVAL; ++ ++ return 0; ++} ++early_param("lockdown", enable_lockdown); From d1998953db25b7ad6e9b64d32d879e8f7893f999 Mon Sep 17 00:00:00 2001 
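Review bot: `enable_lockdown()` in the new security/lockdown.c lets the command line lower the protection: `lockdown=off` clears `kernel_lockdown` on a kernel configured with CONFIG_SECURITY_LOCKDOWN=y, so the feature becomes an opt-out for anyone who can edit the bootloader entry, usually the root account it is meant to restrain. If a debugging opt-out is really wanted, either make the parameter raise-only, e.g. `if (strcmp(level, "off") == 0 && IS_ENABLED(CONFIG_SECURITY_LOCKDOWN)) return -EINVAL;`, or make the downgrade explicit and loud with a `pr_warn()` so it at least shows up in the boot log. Separately, `int kernel_lockdown = 1;` as the body of an un-braced `if` is a declaration where C requires a statement, and with braces it would only shadow the global and leave it unchanged; the last patch of this series (below) replaces both with plain assignments. The `#include` line lost its header name in rendering; presumably this file needs linux/init.h, linux/string.h, linux/errno.h and linux/security.h named explicitly rather than relying on transitive includes.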
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 16 Feb 2020 17:57:04 +0000 Subject: [PATCH 13/14] Fix lockdown-kconfig --- .../patches/lockdown/lockdown-kconfig.patch | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch index 16e940c..10279eb 100644 --- a/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch +++ b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch @@ -1,6 +1,6 @@ -diff --git a/linux-4.19.97/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 9ae9f28..6f31664 100644 ---- a/linux-4.19.97/Documentation/admin-guide/kernel-parameters.txt +--- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2186,6 +2186,12 @@ lockd.nlm_udpport=M [NFS] Assign UDP port. @@ -15,9 +15,9 @@ index 9ae9f28..6f31664 100644 locktorture.nreaders_stress= [KNL] Set the number of locking read-acquisition kthreads. Defaults to being automatically set based on the -diff --git a/linux-4.19.97/include/linux/security.h b/include/linux/security.h +diff --git a/include/linux/security.h b/include/linux/security.h index 75f4156..1a69db0 100644 ---- a/linux-4.19.97/include/linux/security.h +--- a/include/linux/security.h +++ b/include/linux/security.h @@ -66,6 +66,9 @@ struct audit_krule; struct user_namespace; @@ -29,9 +29,9 @@ index 75f4156..1a69db0 100644 enum lsm_event { LSM_POLICY_CHANGE, }; -diff --git a/linux-4.19.97/security/Kconfig b/security/Kconfig +diff --git a/security/Kconfig b/security/Kconfig index a921713..92b4f43 100644 ---- a/linux-4.19.97/security/Kconfig +--- a/security/Kconfig +++ b/security/Kconfig 
@@ -281,6 +281,13 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, @@ -47,9 +47,9 @@ index a921713..92b4f43 100644 source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig -diff --git a/linux-4.19.97/security/Makefile b/security/Makefile +diff --git a/security/Makefile b/security/Makefile index 4d2d378..ccf18e1 100644 ---- a/linux-4.19.97/security/Makefile +--- a/security/Makefile +++ b/security/Makefile @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists From 98e4581689a49ea619b5458556c6b55a89f3efcc Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 16 Feb 2020 19:42:46 +0000 Subject: [PATCH 14/14] Fix lockdown-kconfig --- .../patches/lockdown/lockdown-kconfig.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch index 10279eb..efed58a 100644 --- a/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch +++ b/usr/share/hardened-kernel/patches/lockdown/lockdown-kconfig.patch @@ -48,7 +48,7 @@ index a921713..92b4f43 100644 source security/smack/Kconfig source security/tomoyo/Kconfig diff --git a/security/Makefile b/security/Makefile -index 4d2d378..ccf18e1 100644 +index 4d2d378..4b183ad 100644 --- a/security/Makefile +++ b/security/Makefile @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o @@ -57,10 +57,10 @@ index 4d2d378..ccf18e1 100644 obj-$(CONFIG_INTEGRITY) += integrity/ + +# Kernel lockdown -+obj-$(CONFIG_SECURITY_LOCKDOWN) += lockdown.o ++obj-y += lockdown.o diff --git a/security/lockdown.c b/security/lockdown.c new file mode 100644 -index 0000000..09b9cc6 +index 0000000..f9291b3 --- /dev/null +++ b/security/lockdown.c @@ -0,0 +1,20 @@ 
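Review bot: Switching the Makefile line to `obj-y += lockdown.o` turns CONFIG_SECURITY_LOCKDOWN into a default-value knob rather than a build switch, and the `# Kernel lockdown` comment directly above should say why, otherwise the next reader will "fix" it back to `obj-$(CONFIG_SECURITY_LOCKDOWN)` and reintroduce the unresolved `kernel_lockdown` symbol for =n builds (the `extern int kernel_lockdown;` in linux/security.h is unconditional, and the other lockdown patches presumably reference it unconditionally too). Suggested comment: `# Always built: kernel_lockdown is declared unconditionally in linux/security.h; CONFIG_SECURITY_LOCKDOWN only sets its default and lockdown= on the command line can override it.` The Kconfig help text ("Enables kernel lockdown …", earlier in this series) arguably needs the same caveat.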
@@ -75,9 +75,9 @@ index 0000000..09b9cc6
 + return -EINVAL;
 +
 + if (strcmp(level, "on") == 0)
-+ int kernel_lockdown = 1;
++ kernel_lockdown = 1;
 + else if (strcmp(level, "off") == 0)
-+ int kernel_lockdown = 0;
++ kernel_lockdown = 0;
 + else
 + return -EINVAL;
 +
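Review bot: The corrected assignments flip `kernel_lockdown` in either direction without a word in the boot log, so a `lockdown=off` slipped into a bootloader entry leaves nothing for an operator or an incident responder to notice in dmesg; the upstream lockdown LSM, as far as I recall, always logs the state it settles on, and this parser should too. Proposed change, with braces on both branches: `kernel_lockdown = 1; pr_info("lockdown: enabled from kernel command line\n");` and `kernel_lockdown = 0; pr_warn("lockdown: DISABLED from kernel command line\n");`. The signature of `enable_lockdown()` and its `early_param()` registration lie outside this hunk.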