1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18#define pr_fmt(fmt) "LoadPin: " fmt
19
20#include <linux/module.h>
21#include <linux/fs.h>
22#include <linux/fs_struct.h>
23#include <linux/lsm_hooks.h>
24#include <linux/mount.h>
25#include <linux/path.h>
26#include <linux/sched.h>
27#include <linux/string_helpers.h>
28
29static void report_load(const char *origin, struct file *file, char *operation)
30{
31 char *cmdline, *pathname;
32
33 pathname = kstrdup_quotable_file(file, GFP_KERNEL);
34 cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
35
36 pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
37 origin, operation,
38 (pathname && pathname[0] != '<') ? "\"" : "",
39 pathname,
40 (pathname && pathname[0] != '<') ? "\"" : "",
41 task_pid_nr(current),
42 cmdline ? "\"" : "", cmdline, cmdline ? "\"" : "");
43
44 kfree(cmdline);
45 kfree(pathname);
46}
47
48static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
49static struct super_block *pinned_root;
50static DEFINE_SPINLOCK(pinned_root_spinlock);
51
52#ifdef CONFIG_SYSCTL
53static int zero;
54static int one = 1;
55
56static struct ctl_path loadpin_sysctl_path[] = {
57 { .procname = "kernel", },
58 { .procname = "loadpin", },
59 { }
60};
61
62static struct ctl_table loadpin_sysctl_table[] = {
63 {
64 .procname = "enabled",
65 .data = &enabled,
66 .maxlen = sizeof(int),
67 .mode = 0644,
68 .proc_handler = proc_dointvec_minmax,
69 .extra1 = &zero,
70 .extra2 = &one,
71 },
72 { }
73};
74
75
76
77
78
79static void check_pinning_enforcement(struct super_block *mnt_sb)
80{
81 bool ro = false;
82
83
84
85
86
87 if (mnt_sb->s_bdev) {
88 ro = bdev_read_only(mnt_sb->s_bdev);
89 pr_info("dev(%u,%u): %s\n",
90 MAJOR(mnt_sb->s_bdev->bd_dev),
91 MINOR(mnt_sb->s_bdev->bd_dev),
92 ro ? "read-only" : "writable");
93 } else
94 pr_info("mnt_sb lacks block device, treating as: writable\n");
95
96 if (!ro) {
97 if (!register_sysctl_paths(loadpin_sysctl_path,
98 loadpin_sysctl_table))
99 pr_notice("sysctl registration failed!\n");
100 else
101 pr_info("load pinning can be disabled.\n");
102 } else
103 pr_info("load pinning engaged.\n");
104}
105#else
106static void check_pinning_enforcement(struct super_block *mnt_sb)
107{
108 pr_info("load pinning engaged.\n");
109}
110#endif
111
112static void loadpin_sb_free_security(struct super_block *mnt_sb)
113{
114
115
116
117
118
119 if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
120 pinned_root = ERR_PTR(-EIO);
121 pr_info("umount pinned fs: refusing further loads\n");
122 }
123}
124
125static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
126{
127 struct super_block *load_root;
128 const char *origin = kernel_read_file_id_str(id);
129
130
131 if (!file) {
132 if (!enabled) {
133 report_load(origin, NULL, "old-api-pinning-ignored");
134 return 0;
135 }
136
137 report_load(origin, NULL, "old-api-denied");
138 return -EPERM;
139 }
140
141 load_root = file->f_path.mnt->mnt_sb;
142
143
144 spin_lock(&pinned_root_spinlock);
145
146
147
148
149 if (!pinned_root) {
150 pinned_root = load_root;
151
152
153
154
155
156
157 spin_unlock(&pinned_root_spinlock);
158 check_pinning_enforcement(pinned_root);
159 report_load(origin, file, "pinned");
160 } else {
161 spin_unlock(&pinned_root_spinlock);
162 }
163
164 if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) {
165 if (unlikely(!enabled)) {
166 report_load(origin, file, "pinning-ignored");
167 return 0;
168 }
169
170 report_load(origin, file, "denied");
171 return -EPERM;
172 }
173
174 return 0;
175}
176
177static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
178 LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
179 LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
180};
181
182void __init loadpin_add_hooks(void)
183{
184 pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
185 security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
186}
187
188
189module_param(enabled, int, 0);
190MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");
191