

Merge tag 'xsa482-7.0-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
"Restrict the xen privcmd driver in unprivileged domU to only allow
hypercalls to target domain when using secure boot"

* tag 'xsa482-7.0-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen/privcmd: add boot control for restricted usage in domU
xen/privcmd: restrict usage in unprivileged domU

+72 -3
+70 -3
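--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -12,6 +12,7 @@
 #include <linux/eventfd.h>
 #include <linux/file.h>
 #include <linux/kernel.h>
+#include <linux/kstrtox.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
 #include <linux/poll.h>
@@ -31,7 +30,10 @@
 #include <linux/seq_file.h>
 #include <linux/miscdevice.h>
 #include <linux/moduleparam.h>
+#include <linux/notifier.h>
+#include <linux/security.h>
 #include <linux/virtio_mmio.h>
+#include <linux/wait.h>
 
 #include <asm/xen/hypervisor.h>
 #include <asm/xen/hypercall.h>
@@ -50,6 +46,7 @@
 #include <xen/page.h>
 #include <xen/xen-ops.h>
 #include <xen/balloon.h>
+#include <xen/xenbus.h>
 #ifdef CONFIG_XEN_ACPI
 #include <xen/acpi.h>
 #endif
@@ -73,9 +68,19 @@
 MODULE_PARM_DESC(dm_op_buf_max_size,
 		 "Maximum size of a dm_op hypercall buffer");
 
+static bool unrestricted;
+module_param(unrestricted, bool, 0);
+MODULE_PARM_DESC(unrestricted,
+		 "Don't restrict hypercalls to target domain if running in a domU");
+
 struct privcmd_data {
 	domid_t domid;
 };
+
+/* DOMID_INVALID implies no restriction */
+static domid_t target_domain = DOMID_INVALID;
+static bool restrict_wait;
+static DECLARE_WAIT_QUEUE_HEAD(restrict_wait_wq);
 
 static int privcmd_vma_range_is_mapped(
 	struct vm_area_struct *vma,
@@ -1578,13 +1563,16 @@
 
 static int privcmd_open(struct inode *ino, struct file *file)
 {
-	struct privcmd_data *data = kzalloc_obj(*data);
+	struct privcmd_data *data;
 
+	if (wait_event_interruptible(restrict_wait_wq, !restrict_wait) < 0)
+		return -EINTR;
+
+	data = kzalloc_obj(*data);
 	if (!data)
 		return -ENOMEM;
 
-	/* DOMID_INVALID implies no restriction */
-	data->domid = DOMID_INVALID;
+	data->domid = target_domain;
 
 	file->private_data = data;
 	return 0;
@@ -1680,12 +1662,61 @@
 	.fops = &xen_privcmd_fops,
 };
 
+static int init_restrict(struct notifier_block *notifier,
+			 unsigned long event,
+			 void *data)
+{
+	char *target;
+	unsigned int domid;
+
+	/* Default to an guaranteed unused domain-id. */
+	target_domain = DOMID_IDLE;
+
+	target = xenbus_read(XBT_NIL, "target", "", NULL);
+	if (IS_ERR(target) || kstrtouint(target, 10, &domid)) {
+		pr_err("No target domain found, blocking all hypercalls\n");
+		goto out;
+	}
+
+	target_domain = domid;
+
+out:
+	if (!IS_ERR(target))
+		kfree(target);
+
+	restrict_wait = false;
+	wake_up_all(&restrict_wait_wq);
+
+	return NOTIFY_DONE;
+}
+
+static struct notifier_block xenstore_notifier = {
+	.notifier_call = init_restrict,
+};
+
+static void __init restrict_driver(void)
+{
+	if (unrestricted) {
+		if (security_locked_down(LOCKDOWN_XEN_USER_ACTIONS))
+			pr_warn("Kernel is locked down, parameter \"unrestricted\" ignored\n");
+		else
+			return;
+	}
+
+	restrict_wait = true;
+
+	register_xenstore_notifier(&xenstore_notifier);
+}
+
 static int __init privcmd_init(void)
 {
 	int err;
 
 	if (!xen_domain())
 		return -ENODEV;
+
+	if (!xen_initial_domain())
+		restrict_driver();
 
 	err = misc_register(&privcmd_dev);
 	if (err != 0) {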
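Review bot: In init_restrict (entirely within this section) the xenstore "target" string is parsed with kstrtouint into an unsigned int and then stored into target_domain, which is a domid_t; any value above 0xffff is silently truncated on that assignment, so "65536" would end up as domain 0 instead of being rejected. Parsing directly into the narrower type and refusing the reserved range closes that: `domid_t domid;` and `if (IS_ERR(target) || kstrtou16(target, 10, &domid) || domid >= DOMID_FIRST_RESERVED) {`, where DOMID_FIRST_RESERVED is defined alongside the DOMID_IDLE already used here and so should be in scope. The strength of the whole restriction rests on who may write the guest's own ~/target node, which is not visible here; that assumption deserves a line above the xenbus_read, e.g. `/* ~/target is expected to be writable only by the toolstack, never by this guest. */`. Also the comment `/* Default to an guaranteed unused domain-id. */` should read `a guaranteed`.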
+1
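--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -145,6 +145,7 @@
 	LOCKDOWN_BPF_WRITE_USER,
 	LOCKDOWN_DBG_WRITE_KERNEL,
 	LOCKDOWN_RTAS_ERROR_INJECTION,
+	LOCKDOWN_XEN_USER_ACTIONS,
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_KCORE,
 	LOCKDOWN_KPROBES,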
+1
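--- a/security/security.c
+++ b/security/security.c
@@ -61,6 +61,7 @@
 	[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
 	[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
 	[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",
+	[LOCKDOWN_XEN_USER_ACTIONS] = "Xen guest user action",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",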