~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,26 +1,20 @@
	1	+// SPDX-License-Identifier: GPL-2.0-only
1	2	/*
2	3	* Module and Firmware Pinning Security Module
3	4	*
4	5	* Copyright 2011-2016 Google Inc.
5	6	*
6	7	* Author: Kees Cook <keescook@chromium.org>
7		- *
8		- * This software is licensed under the terms of the GNU General Public
9		- * License version 2, as published by the Free Software Foundation, and
10		- * may be copied, distributed, and modified under those terms.
11		- *
12		- * This program is distributed in the hope that it will be useful,
13		- * but WITHOUT ANY WARRANTY; without even the implied warranty of
14		- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15		- * GNU General Public License for more details.
16	8	*/
17	9
18	10	#define pr_fmt(fmt) "LoadPin: " fmt
19	11
20	12	#include <linux/module.h>
21	13	#include <linux/fs.h>
	14	+#include <linux/kernel_read_file.h>
22	15	#include <linux/lsm_hooks.h>
23	16	#include <linux/mount.h>
	17	+#include <linux/blkdev.h>
24	18	#include <linux/path.h>
25	19	#include <linux/sched.h> /* current */
26	20	#include <linux/string_helpers.h>
..	..	@@ -44,13 +38,13 @@
44	38	kfree(pathname);
45	39	}
46	40
47		-static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
	41	+static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
	42	+static char *exclude_read_files[READING_MAX_ID];
	43	+static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
48	44	static struct super_block *pinned_root;
49	45	static DEFINE_SPINLOCK(pinned_root_spinlock);
50	46
51	47	#ifdef CONFIG_SYSCTL
52		-static int zero;
53		-static int one = 1;
54	48
55	49	static struct ctl_path loadpin_sysctl_path[] = {
56	50	{ .procname = "kernel", },
..	..	@@ -60,13 +54,13 @@
60	54
61	55	static struct ctl_table loadpin_sysctl_table[] = {
62	56	{
63		- .procname = "enabled",
64		- .data = &enabled,
	57	+ .procname = "enforce",
	58	+ .data = &enforce,
65	59	.maxlen = sizeof(int),
66	60	.mode = 0644,
67	61	.proc_handler = proc_dointvec_minmax,
68		- .extra1 = &zero,
69		- .extra2 = &one,
	62	+ .extra1 = SYSCTL_ZERO,
	63	+ .extra2 = SYSCTL_ONE,
70	64	},
71	65	{ }
72	66	};
..	..	@@ -84,8 +78,11 @@
84	78	* device, allow sysctl to change modes for testing.
85	79	*/
86	80	if (mnt_sb->s_bdev) {
	81	+ char bdev[BDEVNAME_SIZE];
	82	+
87	83	ro = bdev_read_only(mnt_sb->s_bdev);
88		- pr_info("dev(%u,%u): %s\n",
	84	+ bdevname(mnt_sb->s_bdev, bdev);
	85	+ pr_info("%s (%u:%u): %s\n", bdev,
89	86	MAJOR(mnt_sb->s_bdev->bd_dev),
90	87	MINOR(mnt_sb->s_bdev->bd_dev),
91	88	ro ? "read-only" : "writable");
..	..	@@ -97,7 +94,7 @@
97	94	loadpin_sysctl_table))
98	95	pr_notice("sysctl registration failed!\n");
99	96	else
100		- pr_info("load pinning can be disabled.\n");
	97	+ pr_info("enforcement can be disabled.\n");
101	98	} else
102	99	pr_info("load pinning engaged.\n");
103	100	}
..	..	@@ -121,14 +118,21 @@
121	118	}
122	119	}
123	120
124		-static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
	121	+static int loadpin_check(struct file *file, enum kernel_read_file_id id)
125	122	{
126	123	struct super_block *load_root;
127	124	const char *origin = kernel_read_file_id_str(id);
128	125
	126	+ /* If the file id is excluded, ignore the pinning. */
	127	+ if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
	128	+ ignore_read_file_id[id]) {
	129	+ report_load(origin, file, "pinning-excluded");
	130	+ return 0;
	131	+ }
	132	+
129	133	/* This handles the older init_module API that has a NULL file. */
130	134	if (!file) {
131		- if (!enabled) {
	135	+ if (!enforce) {
132	136	report_load(origin, NULL, "old-api-pinning-ignored");
133	137	return 0;
134	138	}
..	..	@@ -151,7 +155,7 @@
151	155	* Unlock now since it's only pinned_root we care about.
152	156	* In the worst case, we will (correctly) report pinning
153	157	* failures before we have announced that pinning is
154		- * enabled. This would be purely cosmetic.
	158	+ * enforcing. This would be purely cosmetic.
155	159	*/
156	160	spin_unlock(&pinned_root_spinlock);
157	161	check_pinning_enforcement(pinned_root);
..	..	@@ -161,7 +165,7 @@
161	165	}
162	166
163	167	if (IS_ERR_OR_NULL(pinned_root) \|\| load_root != pinned_root) {
164		- if (unlikely(!enabled)) {
	168	+ if (unlikely(!enforce)) {
165	169	report_load(origin, file, "pinning-ignored");
166	170	return 0;
167	171	}
..	..	@@ -173,9 +177,25 @@
173	177	return 0;
174	178	}
175	179
176		-static int loadpin_load_data(enum kernel_load_data_id id)
	180	+static int loadpin_read_file(struct file *file, enum kernel_read_file_id id,
	181	+ bool contents)
177	182	{
178		- return loadpin_read_file(NULL, (enum kernel_read_file_id) id);
	183	+ /*
	184	+ * LoadPin only cares about the _origin_ of a file, not its
	185	+ * contents, so we can ignore the "are full contents available"
	186	+ * argument here.
	187	+ */
	188	+ return loadpin_check(file, id);
	189	+}
	190	+
	191	+static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
	192	+{
	193	+ /*
	194	+ * LoadPin only cares about the _origin_ of a file, not its
	195	+ * contents, so a NULL file is passed, and we can ignore the
	196	+ * state of "contents".
	197	+ */
	198	+ return loadpin_check(NULL, (enum kernel_read_file_id) id);
179	199	}
180	200
181	201	static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
..	..	@@ -184,12 +204,58 @@
184	204	LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
185	205	};
186	206
187		-void __init loadpin_add_hooks(void)
	207	+static void __init parse_exclude(void)
188	208	{
189		- pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
190		- security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
	209	+ int i, j;
	210	+ char *cur;
	211	+
	212	+ /*
	213	+ * Make sure all the arrays stay within expected sizes. This
	214	+ * is slightly weird because kernel_read_file_str[] includes
	215	+ * READING_MAX_ID, which isn't actually meaningful here.
	216	+ */
	217	+ BUILD_BUG_ON(ARRAY_SIZE(exclude_read_files) !=
	218	+ ARRAY_SIZE(ignore_read_file_id));
	219	+ BUILD_BUG_ON(ARRAY_SIZE(kernel_read_file_str) <
	220	+ ARRAY_SIZE(ignore_read_file_id));
	221	+
	222	+ for (i = 0; i < ARRAY_SIZE(exclude_read_files); i++) {
	223	+ cur = exclude_read_files[i];
	224	+ if (!cur)
	225	+ break;
	226	+ if (*cur == '\0')
	227	+ continue;
	228	+
	229	+ for (j = 0; j < ARRAY_SIZE(ignore_read_file_id); j++) {
	230	+ if (strcmp(cur, kernel_read_file_str[j]) == 0) {
	231	+ pr_info("excluding: %s\n",
	232	+ kernel_read_file_str[j]);
	233	+ ignore_read_file_id[j] = 1;
	234	+ /*
	235	+ * Can not break, because one read_file_str
	236	+ * may map to more than on read_file_id.
	237	+ */
	238	+ }
	239	+ }
	240	+ }
191	241	}
192	242
	243	+static int __init loadpin_init(void)
	244	+{
	245	+ pr_info("ready to pin (currently %senforcing)\n",
	246	+ enforce ? "" : "not ");
	247	+ parse_exclude();
	248	+ security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
	249	+ return 0;
	250	+}
	251	+
	252	+DEFINE_LSM(loadpin) = {
	253	+ .name = "loadpin",
	254	+ .init = loadpin_init,
	255	+};
	256	+
193	257	/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
194		-module_param(enabled, int, 0);
195		-MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");
	258	+module_param(enforce, int, 0);
	259	+MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
	260	+module_param_array_named(exclude, exclude_read_files, charp, NULL, 0);
	261	+MODULE_PARM_DESC(exclude, "Exclude pinning specific read file types");