From: Kees Cook
To: Paul Moore
Cc: Kees Cook, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 1/4] LoadPin: Refactor read-only check into a helper
Date: Fri, 9 Dec 2022 11:57:42 -0800
Message-Id: <20221209195746.1366607-1-keescook@chromium.org>
In-Reply-To: <20221209195520.never.357-kees@kernel.org>

In preparation for allowing mounts to shift when not enforced, move
read-only checking into a separate helper.

Cc: Paul Moore
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook Reviewed-by: Serge Hallyn --- security/loadpin/loadpin.c | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 110a5ab2b46b..ca0eff3ce9d0 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -72,28 +72,21 @@ static struct ctl_table loadpin_sysctl_table[] =3D { { } }; =20 -/* - * This must be called after early kernel init, since then the rootdev - * is available. - */ -static void check_pinning_enforcement(struct super_block *mnt_sb) +static void report_writable(struct super_block *mnt_sb, bool writable) { - bool ro =3D false; - /* * If load pinning is not enforced via a read-only block * device, allow sysctl to change modes for testing. */ if (mnt_sb->s_bdev) { - ro =3D bdev_read_only(mnt_sb->s_bdev); pr_info("%pg (%u:%u): %s\n", mnt_sb->s_bdev, MAJOR(mnt_sb->s_bdev->bd_dev), MINOR(mnt_sb->s_bdev->bd_dev), - ro ? "read-only" : "writable"); + writable ? "writable" : "read-only"); } else pr_info("mnt_sb lacks block device, treating as: writable\n"); =20 - if (!ro) { + if (writable) { if (!register_sysctl_paths(loadpin_sysctl_path, loadpin_sysctl_table)) pr_notice("sysctl registration failed!\n"); @@ -103,12 +96,26 @@ static void check_pinning_enforcement(struct super_blo= ck *mnt_sb) pr_info("load pinning engaged.\n"); } #else -static void check_pinning_enforcement(struct super_block *mnt_sb) +static void report_writable(struct super_block *mnt_sb, bool writable) { pr_info("load pinning engaged.\n"); } #endif =20 +/* + * This must be called after early kernel init, since then the rootdev + * is available. + */ +static bool sb_is_writable(struct super_block *mnt_sb) +{ + bool writable =3D true; + + if (mnt_sb->s_bdev) + writable =3D !bdev_read_only(mnt_sb->s_bdev); + + return writable; +} + static void loadpin_sb_free_security(struct super_block *mnt_sb) { /* 
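Review bot: sb_is_writable() samples bdev_read_only() exactly once, at first pin, and report_writable() together with the `register_sysctl_paths()` call in the `if (writable)` branch act on that one-shot value, so a block device that is later switched between read-only and writable is neither re-reported nor re-evaluated. That matches the old `ro = bdev_read_only(...)` behaviour, but now that the check lives in its own helper the comment on sb_is_writable() should say the result is a snapshot taken at pin time. Also, the `#else` variant of report_writable() ignores its new `writable` argument and always prints "load pinning engaged."; if that is intended for !CONFIG_SYSCTL builds, a one-line comment saying so would head off an unused-parameter question.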
@@ -126,6 +133,7 @@ static int loadpin_check(struct file *file, enum kernel= _read_file_id id) { struct super_block *load_root; const char *origin =3D kernel_read_file_id_str(id); + bool load_root_writable; =20 /* If the file id is excluded, ignore the pinning. */ if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) && @@ -146,6 +154,7 @@ static int loadpin_check(struct file *file, enum kernel= _read_file_id id) } =20 load_root =3D file->f_path.mnt->mnt_sb; + load_root_writable =3D sb_is_writable(load_root); =20 /* First loaded module/firmware defines the root for all others. */ spin_lock(&pinned_root_spinlock); 
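Review bot: `load_root_writable = sb_is_writable(load_root);` now runs on every loadpin_check() call, including the common path where pinned_root is already set and the value is never read; since the result is only consumed on the first pin, consider computing it inside the `if (!pinned_root)` path (it does not need the spinlock, as bdev_read_only() does not touch pinned_root), or leave a comment that the unconditional call is deliberately cheap.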
@@ -162,7 +171,7 @@ static int loadpin_check(struct file *file, enum kernel= _read_file_id id) * enforcing. This would be purely cosmetic. */ spin_unlock(&pinned_root_spinlock); - check_pinning_enforcement(pinned_root); + report_writable(pinned_root, load_root_writable); report_load(origin, file, "pinned"); } else { spin_unlock(&pinned_root_spinlock); --=20 2.34.1 From nobody Thu Sep 18 03:58:49 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F27BC4332F for ; Fri, 9 Dec 2022 19:58:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230048AbiLIT6A (ORCPT ); Fri, 9 Dec 2022 14:58:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229988AbiLIT5v (ORCPT ); Fri, 9 Dec 2022 14:57:51 -0500 Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42AAD10FC7 for ; Fri, 9 Dec 2022 11:57:49 -0800 (PST) Received: by mail-pj1-x102e.google.com with SMTP id e7-20020a17090a77c700b00216928a3917so9222286pjs.4 for ; Fri, 09 Dec 2022 11:57:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0XypqeZMvpiFBQfKazI4yp1JHuUPb1a6M6ceDHFy28A=; b=M5n6hU4k6Urjc1b8A4bfo2FADCmgqjyOT5RWHnMPB/SqqsUDZ4fLBlIY4ROxrMpBye uKNUel9RHTB4ltOibK0PvCyC8WYugKqdmfTgUEVSB7es6TMeUtpv2Mjg2KhG2NQklR3M 8vg7HvNWzvPLaSc2wADx8p+NEGdzyw9Gk05dg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to 
From: Kees Cook
To: Paul Moore
Cc: Kees Cook, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 2/4] LoadPin: Refactor sysctl initialization
Date: Fri, 9 Dec 2022 11:57:43 -0800
Message-Id: <20221209195746.1366607-2-keescook@chromium.org>
In-Reply-To: <20221209195520.never.357-kees@kernel.org>

In preparation for shifting root mount when not enforcing, split sysctl
logic out into a separate helper, and unconditionally register the
sysctl, but only make it writable when the device is writable.

Cc: Paul Moore
Cc: James Morris
Cc: "Serge E.
Hallyn" Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Serge Hallyn --- security/loadpin/loadpin.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index ca0eff3ce9d0..5b15f8f7268d 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -52,7 +52,6 @@ static bool deny_reading_verity_digests; #endif =20 #ifdef CONFIG_SYSCTL - static struct ctl_path loadpin_sysctl_path[] =3D { { .procname =3D "kernel", }, { .procname =3D "loadpin", }, @@ -66,18 +65,29 @@ static struct ctl_table loadpin_sysctl_table[] =3D { .maxlen =3D sizeof(int), .mode =3D 0644, .proc_handler =3D proc_dointvec_minmax, - .extra1 =3D SYSCTL_ZERO, + .extra1 =3D SYSCTL_ONE, .extra2 =3D SYSCTL_ONE, }, { } }; =20 -static void report_writable(struct super_block *mnt_sb, bool writable) +static void set_sysctl(bool is_writable) { /* * If load pinning is not enforced via a read-only block * device, allow sysctl to change modes for testing. */ + if (is_writable) + loadpin_sysctl_table[0].extra1 =3D SYSCTL_ZERO; + else + loadpin_sysctl_table[0].extra1 =3D SYSCTL_ONE; +} +#else +static inline void set_sysctl(bool is_writable) { } +#endif + +static void report_writable(struct super_block *mnt_sb, bool writable) +{ if (mnt_sb->s_bdev) { pr_info("%pg (%u:%u): %s\n", mnt_sb->s_bdev, MAJOR(mnt_sb->s_bdev->bd_dev), 
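Review bot: set_sysctl() reaches into `loadpin_sysctl_table[0].extra1` by position, so inserting another entry ahead of the enforce row would silently retarget the minimum; a named pointer to the entry, or a comment on the table row, would make that coupling explicit. Related, the default `.extra1` is now SYSCTL_ONE, which means that until set_sysctl(true) runs the accepted range is [1,1]: enforcement can be turned on from userspace at any time but never off, and that intended asymmetry deserves a line in the comment above set_sysctl(). The blank line removed after `#ifdef CONFIG_SYSCTL` in the first hunk is unrelated whitespace churn and could be dropped from this patch.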
@@ -86,21 +96,9 @@ static void report_writable(struct super_block *mnt_sb, = bool writable) } else pr_info("mnt_sb lacks block device, treating as: writable\n"); =20 - if (writable) { - if (!register_sysctl_paths(loadpin_sysctl_path, - loadpin_sysctl_table)) - pr_notice("sysctl registration failed!\n"); - else - pr_info("enforcement can be disabled.\n"); - } else + if (!writable) pr_info("load pinning engaged.\n"); } -#else -static void report_writable(struct super_block *mnt_sb, bool writable) -{ - pr_info("load pinning engaged.\n"); -} -#endif =20 /* * This must be called after early kernel init, since then the rootdev @@ -172,6 +170,7 @@ static int loadpin_check(struct file *file, enum kernel= _read_file_id id) */ spin_unlock(&pinned_root_spinlock); report_writable(pinned_root, load_root_writable); + set_sysctl(load_root_writable); report_load(origin, file, "pinned"); } else { spin_unlock(&pinned_root_spinlock); 
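Review bot: the writable branch used to print "enforcement can be disabled." after a successful registration; with registration moved to init, this hunk drops that message without a replacement, so on a writable root the log now carries only the device line and says nothing about the enforce sysctl being unlocked. Consider keeping a pr_info() for the `writable` case in report_writable(), since the surviving "load pinning engaged." line is now printed only when `!writable`.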
@@ -259,6 +258,10 @@ static int __init loadpin_init(void) pr_info("ready to pin (currently %senforcing)\n", enforce ? "" : "not "); parse_exclude(); +#ifdef CONFIG_SYSCTL + if (!register_sysctl_paths(loadpin_sysctl_path, loadpin_sysctl_table)) + pr_notice("sysctl registration failed!\n"); +#endif security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); =20 return 0; --=20 2.34.1 From nobody Thu Sep 18 03:58:49 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4550AC4332F for ; Fri, 9 Dec 2022 19:58:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230058AbiLIT6E (ORCPT ); Fri, 9 Dec 2022 14:58:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230001AbiLIT5v (ORCPT ); Fri, 9 Dec 2022 14:57:51 -0500 Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 269E512D21 for ; Fri, 9 Dec 2022 11:57:50 -0800 (PST) Received: by mail-pj1-x102e.google.com with SMTP id t17so5857947pjo.3 for ; Fri, 09 Dec 2022 11:57:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=FV94Hdsmj/rge1pxGHPoYvch3kgpddAT5RyHFFyJFTg=; b=MIEgM7AcEd8c1p4RBoJryGl+eDFfeBPqULbKL8T4v93d7IuqpBpKuUT4N4q3zie5Y5 2wegkvSoDJbnR2DqvqUgRQHNzeEL5vYDbvfJYQrPLH+RWnbduNvYHR7dTB7s/xEZ0oEA zLjcPxIKyVogGcQqMiz6s/V/GnuLHAwfM1sZc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to 
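Review bot: registering the table in loadpin_init() before any pin means set_sysctl() later mutates `extra1` of an already registered ctl_table; this relies on proc_dointvec_minmax() consulting extra1 at write time rather than at registration, and a comment next to the register_sysctl_paths() call saying so would help, since modifying a live table after registration is unusual. The returned header is discarded as before, so the table can never be unregistered (fine for a built-in LSM), and the failure path only logs and still returns 0, matching the previous behaviour.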
From: Kees Cook
To: Paul Moore
Cc: Kees Cook, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 3/4] LoadPin: Move pin reporting cleanly out of locking
Date: Fri, 9 Dec 2022 11:57:44 -0800
Message-Id: <20221209195746.1366607-3-keescook@chromium.org>
In-Reply-To: <20221209195520.never.357-kees@kernel.org>

Refactor the pin reporting to be more cleanly outside the locking. It
was already, but moving it around helps clear the path for the root to
switch when not enforcing.

Cc: Paul Moore
Cc: James Morris
Cc: "Serge E.
Hallyn" Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Serge Hallyn --- security/loadpin/loadpin.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 5b15f8f7268d..ef12d77548ae 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -131,6 +131,7 @@ static int loadpin_check(struct file *file, enum kernel= _read_file_id id) { struct super_block *load_root; const char *origin =3D kernel_read_file_id_str(id); + bool first_root_pin =3D false; bool load_root_writable; =20 /* If the file id is excluded, ignore the pinning. */ 
@@ -162,18 +163,14 @@ static int loadpin_check(struct file *file, enum kern= el_read_file_id id) */ if (!pinned_root) { pinned_root =3D load_root; - /* - * Unlock now since it's only pinned_root we care about. - * In the worst case, we will (correctly) report pinning - * failures before we have announced that pinning is - * enforcing. This would be purely cosmetic. - */ - spin_unlock(&pinned_root_spinlock); + first_root_pin =3D true; + } + spin_unlock(&pinned_root_spinlock); + + if (first_root_pin) { report_writable(pinned_root, load_root_writable); set_sysctl(load_root_writable); report_load(origin, file, "pinned"); - } else { - spin_unlock(&pinned_root_spinlock); } =20 if (IS_ERR_OR_NULL(pinned_root) || --=20 2.34.1 From nobody Thu Sep 18 03:58:49 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC089C4332F for ; Fri, 9 Dec 2022 19:58:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229947AbiLIT6Q (ORCPT ); Fri, 9 Dec 2022 14:58:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230010AbiLIT5w (ORCPT ); Fri, 9 Dec 2022 14:57:52 -0500 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B34B313E01 for ; Fri, 9 Dec 2022 11:57:50 -0800 (PST) Received: by mail-pj1-x1030.google.com with SMTP id e7-20020a17090a77c700b00216928a3917so9222355pjs.4 for ; Fri, 09 Dec 2022 11:57:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; 
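Review bot: after `spin_unlock(&pinned_root_spinlock);` the `first_root_pin` block passes the global `pinned_root` to report_writable(), which then dereferences `mnt_sb->s_bdev` outside the lock; inside the locked section the value stored was the local `load_root`, so passing `load_root` here reports the same superblock without an unlocked read of shared state and keeps this path robust once the following patch allows pinned_root to be reset on unmount. The removed comment about reporting pinning failures before announcing enforcement still describes the new ordering and could be carried over in shortened form above the `if (first_root_pin)` block.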
From: Kees Cook
To: Paul Moore
Cc: Kees Cook, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 4/4] LoadPin: Allow filesystem switch when not enforcing
Date: Fri, 9 Dec 2022 11:57:45 -0800
Message-Id: <20221209195746.1366607-4-keescook@chromium.org>
In-Reply-To: <20221209195520.never.357-kees@kernel.org>

For LoadPin to be used at all in a classic distro environment, it needs
to allow for switching filesystems (from the initramfs to the "real"
root filesystem).
To allow for this, if the "enforce" mode is not set at boot, reset the pinned filesystem tracking when the pinned filesystem gets unmounted instead of invalidating further loads. Once enforcement is set, it cannot be unset, and the pinning will stick. This means that distros can build with CONFIG_SECURITY_LOADPIN=3Dy, but with CONFIG_SECURITY_LOADPIN_ENFORCE disabled, but after boot is running, the system can enable enforcement: $ sysctl -w kernel.loadpin.enforced=3D1 Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Serge Hallyn --- security/loadpin/loadpin.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index ef12d77548ae..d73a281adf86 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -119,11 +119,16 @@ static void loadpin_sb_free_security(struct super_blo= ck *mnt_sb) /* * When unmounting the filesystem we were using for load * pinning, we acknowledge the superblock release, but make sure - * no other modules or firmware can be loaded. + * no other modules or firmware can be loaded when we are in + * enforcing mode. Otherwise, allow the root to be reestablished. */ if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb =3D=3D pinned_root) { - pinned_root =3D ERR_PTR(-EIO); - pr_info("umount pinned fs: refusing further loads\n"); + if (enforce) { + pinned_root =3D ERR_PTR(-EIO); + pr_info("umount pinned fs: refusing further loads\n"); + } else { + pinned_root =3D NULL; + } } } =20 
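Review bot: the non-enforcing branch resets `pinned_root = NULL` silently, while the enforcing branch logs "umount pinned fs: refusing further loads"; a pr_info() in the `else` branch (for example that the pinned root was released and the next load will re-pin) would leave a trace in dmesg for the window in which any filesystem can become the new root, which is what someone auditing the boot log will want to see. Both writes to pinned_root in this function happen without pinned_root_spinlock, as the ERR_PTR write did before; since loadpin_check() takes the lock to test and set pinned_root, a short comment stating why the unlocked write is acceptable here would help the next reader.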
@@ -158,8 +163,9 @@ static int loadpin_check(struct file *file, enum kernel= _read_file_id id) /* First loaded module/firmware defines the root for all others. */ spin_lock(&pinned_root_spinlock); /* - * pinned_root is only NULL at startup. Otherwise, it is either - * a valid reference, or an ERR_PTR. + * pinned_root is only NULL at startup or when the pinned root has + * been unmounted while we are not in enforcing mode. Otherwise, it + * is either a valid reference, or an ERR_PTR. */ if (!pinned_root) { pinned_root =3D load_root; --=20 2.34.1