From nobody Tue Sep 16 11:01:43 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 922F0C53210
	for <linux-kernel@archiver.kernel.org>; Wed,  4 Jan 2023 14:39:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229648AbjADOj1 (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 4 Jan 2023 09:39:27 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58720 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239489AbjADOjO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Jan 2023 09:39:14 -0500
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com
 [IPv6:2a00:1450:4864:20::62e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B9FDA45E
        for <linux-kernel@vger.kernel.org>;
 Wed,  4 Jan 2023 06:39:13 -0800 (PST)
Received: by mail-ej1-x62e.google.com with SMTP id u9so83231676ejo.0
        for <linux-kernel@vger.kernel.org>;
 Wed, 04 Jan 2023 06:39:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=7ktTgqCg5vZndbEsq2NE84RTVG7aeSaApbDApUiy3yI=;
        b=bAo5rEoMeLXb+zWJpWccSUbC/52Xl5JUcRb7B7ldPjmJu8yrGJebcgfu2mvn6DoQOH
         DJpreAUPSRM8Os5s1oTyh3CCfi6WZSJnNqxdwx043PELATrAMnUMkGjBMipqFxsD6I2u
         shiCmP+MHLcOSwobb1InBZKdfL043vctCbYng=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=7ktTgqCg5vZndbEsq2NE84RTVG7aeSaApbDApUiy3yI=;
        b=MLffjluwUk3Ck+G/f+H6hoitObbbpItp1i3IoWbjSCpyFsORH4TIKPddfywTNSwyhc
         uRzGMl+9LACJ2ict6bTx/liURAoq5/XmvVW6/fPQOlmxBGrgATuLFgmc1NNYkol1WYct
         7BaLkrWeQ//yY/8fnUnF1ZXGVTRGzMUxo9LWMsLxLk/O5rs0uoPrA+/nQviJBkZfZcoC
         gM+RTzBnDnnCXBNHmF3/dzt/KnKjnq0OzBAcFhXLC5w+m9zGSay2Yt7ryNXjqnsPyr9P
         d0eITIdTIMReIrBS4y9D2l8ri5ZPGo9VSCJogAKzeCgwVxPtIbOwHEXNbr2aqzWOzqJ7
         7AdA==
X-Gm-Message-State: AFqh2kqjv2mHaXujweNG8iUX1Pi4h12wlGpoGEPmAVPlv5aKZU+YwqyR
        joQ4/iTluyY0DmZzWg74uknIJg==
X-Google-Smtp-Source: 
 AMrXdXuNx+d3v0Nfvuk68oEYdAFWRimFrEchPyE6TlxN7ROhq+mc7cuwNsyL8lc4Y9VgL1LLJfST/g==
X-Received: by 2002:a17:906:b150:b0:7c1:2931:2263 with SMTP id
 bt16-20020a170906b15000b007c129312263mr43585109ejb.71.1672843151848;
        Wed, 04 Jan 2023 06:39:11 -0800 (PST)
Received: from alco.roam.corp.google.com
 ([2620:0:1059:10:a438:c7da:62e0:36f4])
        by smtp.gmail.com with ESMTPSA id
 c8-20020a170906924800b0078de26f66b9sm15386659ejx.114.2023.01.04.06.39.10
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 04 Jan 2023 06:39:11 -0800 (PST)
From: Ricardo Ribalda <ribalda@chromium.org>
Date: Wed, 04 Jan 2023 15:38:48 +0100
Subject: [PATCH v6 3/3] kexec: Introduce sysctl parameters kexec_load_limit_*
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20221114-disable-kexec-reset-v6-3-6a8531a09b9a@chromium.org>
References: <20221114-disable-kexec-reset-v6-0-6a8531a09b9a@chromium.org>
In-Reply-To: <20221114-disable-kexec-reset-v6-0-6a8531a09b9a@chromium.org>
To: Philipp Rudo <prudo@redhat.com>,
        Eric Biederman <ebiederm@xmission.com>,
        "Guilherme G. Piccoli" <gpiccoli@igalia.com>,
        Jonathan Corbet <corbet@lwn.net>
Cc: Ricardo Ribalda <ribalda@chromium.org>, linux-doc@vger.kernel.org,
        Sergey Senozhatsky <senozhatsky@chromium.org>,
        "Joel Fernandes (Google)" <joel@joelfernandes.org>,
        Baoquan He <bhe@redhat.com>, Petr Tesarik <petr@tesarici.cz>,
        kexec@lists.infradead.org, Bagas Sanjaya <bagasdotme@gmail.com>,
        Steven Rostedt <rostedt@goodmis.org>,
        linux-kernel@vger.kernel.org, Ross Zwisler <zwisler@kernel.org>
X-Mailer: b4 0.11.0-dev-696ae
X-Developer-Signature: v=1; a=openpgp-sha256; l=7913; i=ribalda@chromium.org;
 h=from:subject:message-id; bh=pwr4lQSQU6e2iagP33ihhaoD9RG5CubbrBaEaThEAKM=;
 b=owEBbQKS/ZANAwAKAdE30T7POsSIAcsmYgBjtY+HjBoWaxGoO7sxgdVTlJcthgWB365UeesT8qSd
 hvqseBiJAjMEAAEKAB0WIQREDzjr+/4oCDLSsx7RN9E+zzrEiAUCY7WPhwAKCRDRN9E+zzrEiAunD/
 91AfbnoUWa9e8aD0UKHg+GAqqRrXozPx01fMTG3wC2iUZxj/n2uMz/Y8QbTHYctYbTfVMTpx/jHg2K
 cbSS6gGr5ybyMAggEcwWMSPfYWS/rVzPFf6T8G0NpDwWEnbQ4QjHDaULMlPg5AXL5uReOCp0qh/CjQ
 k2MK/1noz9a6dzcMqHd25iw6UGm2HWY4VXSD7on2U1hzxCAixuddN5gPd8lwBxwpueWdRaq3EIX+BI
 0ECi9pmjTjN7BwiLeVDOPm8xI9hmn3SKhv/onx0MyBdYds4qYDZOgCxUWI/2/d+qa2V14UkKigfeQR
 g3c3YrWsOeWJTcCKad5PaGmNHk110c3wU8EZ5hCWcUXAMWyJbWXDh7GAOF6m8AVPtSsT2b++X9JQJw
 UUCys+nCBZmTEDOHNkS7ghuK3Q3YsjemCdfKa1LjHE1YSC18fK737LAKLRi3qv+vfFAQUX9HWBxWy7
 u2hkB6tkUVgrTIwmEC9BzneUHH6HUJIffKaBjcCpSklvHyU0VFnXEkMbJFIy8JkDT31zzdfVe0jilF
 yyWg2218E4cEthc8vrS0HQuGe/Rl5rCO/l2Z7k4ZB//JKMuQX9c7W4RoBIMSEp0xHdOJwxtHOSflS/
 xpS7m2cyXFO00X1x4m7hB6Mqmfn60Bhin0EGNy91xeKIdJLNMd5B15HPhzpA==
X-Developer-Key: i=ribalda@chromium.org; a=openpgp;
 fpr=9EC3BB66E2FC129A6F90B39556A0D81F9F782DA9
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

kexec allows replacing the current kernel with a different one. This is
usually a source of concerns for sysadmins that want to harden a system.

Linux already provides a way to disable loading new kexec kernel via
kexec_load_disabled, but that control is very coard, it is all or
nothing and does not make distinction between a panic kexec and a
normal kexec.

This patch introduces new sysctl parameters, with finner tunning to
specify how many times a kexec kernel can be loaded. The sysadmin can
set different limits for kexec panic and kexec reboot kernels. The
value can be modified at runtime via sysctl, but only with a stricter
value.

With these new parameters on place, a system with loadpin and verity
enabled, using the following kernel parameters:
sysctl.kexec_load_limit_reboot=3D0 sysct.kexec_load_limit_panic=3D1
can have a good warranty that if initrd tries to load a panic kernel,
a malitious user will have small chances to replace that kernel with a
different one, even if they can trigger timeouts on the disk where the
panic kernel lives.

Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
 Documentation/admin-guide/sysctl/kernel.rst | 18 ++++++
 include/linux/kexec.h                       |  2 +-
 kernel/kexec.c                              |  4 +-
 kernel/kexec_core.c                         | 87 +++++++++++++++++++++++++=
+++-
 kernel/kexec_file.c                         | 11 ++--
 5 files changed, 114 insertions(+), 8 deletions(-)

diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/ad=
min-guide/sysctl/kernel.rst
index 97394bd9d065..d5fb4b6ef405 100644
--- a/Documentation/admin-guide/sysctl/kernel.rst
+++ b/Documentation/admin-guide/sysctl/kernel.rst
@@ -461,6 +461,24 @@ allowing a system to set up (and later use) an image w=
ithout it being
 altered.
 Generally used together with the `modules_disabled`_ sysctl.
=20
+kexec_load_limit_panic
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+
+This parameter specifies a limit to the number of times the syscalls
+``kexec_load`` and ``kexec_file_load`` can be called with a crash
+image. It can only be set with a more restrictive value than the
+current one.
+
+=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
+-1 Unlimited calls to kexec. This is the default setting.
+N  Number of calls left.
+=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
+
+kexec_load_limit_reboot
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+
+Similar functionality as ``kexec_load_limit_panic``, but for a normal
+image.
=20
 kptr_restrict
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 182e0c11b87b..791e65829f86 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *=
image);
 extern struct kimage *kexec_image;
 extern struct kimage *kexec_crash_image;
=20
-bool kexec_load_permitted(void);
+bool kexec_load_permitted(int kexec_image_type);
=20
 #ifndef kexec_flush_icache_page
 #define kexec_flush_icache_page(page)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index ce1bca874a8d..92d301f98776 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -190,10 +190,12 @@ static int do_kexec_load(unsigned long entry, unsigne=
d long nr_segments,
 static inline int kexec_load_check(unsigned long nr_segments,
 				   unsigned long flags)
 {
+	int image_type =3D (flags & KEXEC_ON_CRASH) ?
+			 KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT;
 	int result;
=20
 	/* We only trust the superuser with rebooting the system. */
-	if (!kexec_load_permitted())
+	if (!kexec_load_permitted(image_type))
 		return -EPERM;
=20
 	/* Permit LSMs and IMA to fail the kexec */
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index a1efc70f4158..951541d78ca8 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -926,10 +926,64 @@ int kimage_load_segment(struct kimage *image,
 	return result;
 }
=20
+struct kexec_load_limit {
+	/* Mutex protects the limit count. */
+	struct mutex mutex;
+	int limit;
+};
+
+static struct kexec_load_limit load_limit_reboot =3D {
+	.mutex =3D __MUTEX_INITIALIZER(load_limit_reboot.mutex),
+	.limit =3D -1,
+};
+
+static struct kexec_load_limit load_limit_panic =3D {
+	.mutex =3D __MUTEX_INITIALIZER(load_limit_panic.mutex),
+	.limit =3D -1,
+};
+
 struct kimage *kexec_image;
 struct kimage *kexec_crash_image;
 static int kexec_load_disabled;
+
 #ifdef CONFIG_SYSCTL
+static int kexec_limit_handler(struct ctl_table *table, int write,
+			       void *buffer, size_t *lenp, loff_t *ppos)
+{
+	struct kexec_load_limit *limit =3D table->data;
+	int val;
+	struct ctl_table tmp =3D {
+		.data =3D &val,
+		.maxlen =3D sizeof(val),
+		.mode =3D table->mode,
+	};
+	int ret;
+
+	if (write) {
+		ret =3D proc_dointvec(&tmp, write, buffer, lenp, ppos);
+		if (ret)
+			return ret;
+
+		if (val < 0)
+			return -EINVAL;
+
+		mutex_lock(&limit->mutex);
+		if (limit->limit !=3D -1 && val >=3D limit->limit)
+			ret =3D -EINVAL;
+		else
+			limit->limit =3D val;
+		mutex_unlock(&limit->mutex);
+
+		return ret;
+	}
+
+	mutex_lock(&limit->mutex);
+	val =3D limit->limit;
+	mutex_unlock(&limit->mutex);
+
+	return proc_dointvec(&tmp, write, buffer, lenp, ppos);
+}
+
 static struct ctl_table kexec_core_sysctls[] =3D {
 	{
 		.procname	=3D "kexec_load_disabled",
@@ -941,6 +995,18 @@ static struct ctl_table kexec_core_sysctls[] =3D {
 		.extra1		=3D SYSCTL_ONE,
 		.extra2		=3D SYSCTL_ONE,
 	},
+	{
+		.procname	=3D "kexec_load_limit_panic",
+		.data		=3D &load_limit_panic,
+		.mode		=3D 0644,
+		.proc_handler	=3D kexec_limit_handler,
+	},
+	{
+		.procname	=3D "kexec_load_limit_reboot",
+		.data		=3D &load_limit_reboot,
+		.mode		=3D 0644,
+		.proc_handler	=3D kexec_limit_handler,
+	},
 	{ }
 };
=20
@@ -952,13 +1018,30 @@ static int __init kexec_core_sysctl_init(void)
 late_initcall(kexec_core_sysctl_init);
 #endif
=20
-bool kexec_load_permitted(void)
+bool kexec_load_permitted(int kexec_image_type)
 {
+	struct kexec_load_limit *limit;
+
 	/*
 	 * Only the superuser can use the kexec syscall and if it has not
 	 * been disabled.
 	 */
-	return capable(CAP_SYS_BOOT) && !kexec_load_disabled;
+	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+		return false;
+
+	/* Check limit counter and decrease it.*/
+	limit =3D (kexec_image_type =3D=3D KEXEC_TYPE_CRASH) ?
+		&load_limit_panic : &load_limit_reboot;
+	mutex_lock(&limit->mutex);
+	if (!limit->limit) {
+		mutex_unlock(&limit->mutex);
+		return false;
+	}
+	if (limit->limit !=3D -1)
+		limit->limit--;
+	mutex_unlock(&limit->mutex);
+
+	return true;
 }
=20
 /*
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 29efa43ea951..70e1e99038ee 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -326,11 +326,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int,=
 initrd_fd,
 		unsigned long, cmdline_len, const char __user *, cmdline_ptr,
 		unsigned long, flags)
 {
-	int ret =3D 0, i;
+	int image_type =3D (flags & KEXEC_FILE_ON_CRASH) ?
+			 KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT;
 	struct kimage **dest_image, *image;
+	int ret =3D 0, i;
=20
 	/* We only trust the superuser with rebooting the system. */
-	if (!kexec_load_permitted())
+	if (!kexec_load_permitted(image_type))
 		return -EPERM;
=20
 	/* Make sure we have a legal set of flags */
@@ -342,11 +344,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int,=
 initrd_fd,
 	if (!kexec_trylock())
 		return -EBUSY;
=20
-	dest_image =3D &kexec_image;
-	if (flags & KEXEC_FILE_ON_CRASH) {
+	if (image_type =3D=3D KEXEC_TYPE_CRASH) {
 		dest_image =3D &kexec_crash_image;
 		if (kexec_crash_image)
 			arch_kexec_unprotect_crashkres();
+	} else {
+		dest_image =3D &kexec_image;
 	}
=20
 	if (flags & KEXEC_FILE_UNLOAD)

--=20
2.39.0.314.g84b9a713c41-goog-b4-0.11.0-dev-696ae