Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

initramfs,lsm: add a security hook to do_populate_rootfs()

This patch introduces a new hook to notify the security system that the
content of initramfs has been unpacked into the rootfs.

Upon receiving this notification, the security system can activate
a policy to allow only files that originated from the initramfs to
execute or load into the kernel during the early stages of booting.

This approach is crucial for minimizing the attack surface by
ensuring that only trusted files from the initramfs are operational
in the critical boot phase.

Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>

Authored by Fan Wu, committed by Paul Moore
2fea0c26 52443cb6

+23
+2
include/linux/lsm_hook_defs.h
··· 449 449 LSM_HOOK(int, 0, uring_sqpoll, void) 450 450 LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) 451 451 #endif /* CONFIG_IO_URING */ 452 + 453 + LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)
+8
include/linux/security.h
··· 2256 2256 #endif /* CONFIG_SECURITY */ 2257 2257 #endif /* CONFIG_IO_URING */ 2258 2258 2259 + #ifdef CONFIG_SECURITY 2260 + extern void security_initramfs_populated(void); 2261 + #else 2262 + static inline void security_initramfs_populated(void) 2263 + { 2264 + } 2265 + #endif /* CONFIG_SECURITY */ 2266 + 2259 2267 #endif /* ! __LINUX_SECURITY_H */
+3
init/initramfs.c
··· 17 17 #include <linux/namei.h> 18 18 #include <linux/init_syscalls.h> 19 19 #include <linux/umh.h> 20 + #include <linux/security.h> 20 21 21 22 #include "do_mounts.h" 22 23 ··· 713 712 } 714 713 715 714 done: 715 + security_initramfs_populated(); 716 + 716 717 /* 717 718 * If the initrd region is overlapped with crashkernel reserved region, 718 719 * free only memory that is not part of crashkernel region.
+10
security/security.c
··· 5778 5778 return call_int_hook(uring_cmd, ioucmd); 5779 5779 } 5780 5780 #endif /* CONFIG_IO_URING */ 5781 + 5782 + /** 5783 + * security_initramfs_populated() - Notify LSMs that initramfs has been loaded 5784 + * 5785 + * Tells the LSMs the initramfs has been unpacked into the rootfs. 5786 + */ 5787 + void security_initramfs_populated(void) 5788 + { 5789 + call_void_hook(initramfs_populated); 5790 + }
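Review bot: in the init/initramfs.c hunk, `security_initramfs_populated()` is placed at the `done:` label, which the context shows is entered directly after a closing `}` and is shared by every path that jumps or falls through to it; the notification therefore fires for any unpack outcome that reaches `done:`, not only a successful one, and the hook carries no argument that would let an LSM tell the difference. Either state that in the hook's documentation (so an LSM treats it as "initramfs population finished" rather than "initramfs unpacked successfully") or move the call so it is only reached once the rootfs actually holds the initramfs content. Firing before the initrd region is freed (the comment that follows `done:`) is the right ordering.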
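Review bot: the kernel-doc block for `security_initramfs_populated()` in security/security.c restates its one-line summary in the description ("Notify LSMs that initramfs has been loaded" / "Tells the LSMs the initramfs has been unpacked into the rootfs") without saying what an LSM may rely on when the hook fires, namely that the rootfs now contains everything the initramfs provided and that no unpack status is passed (the hook is declared `void` with no parameters). Suggest expanding the description to say so, since that guarantee is what a policy of the kind described in the commit message (allow only initramfs-originated files to execute or load) depends on. The `call_void_hook(initramfs_populated)` call matches the `LSM_RET_VOID` definition added in include/linux/lsm_hook_defs.h, so the plumbing itself is consistent.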