powerpc/rtas: block error injection when locked down

The error injection facility on pseries VMs allows corruption of
arbitrary guest memory, potentially enabling a sufficiently privileged
user to disable lockdown or perform other modifications of the running
kernel via the rtas syscall.

Block the PAPR error injection facility from being opened or called
when locked down.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Acked-by: Paul Moore <paul@paul-moore.com> (LSM)
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220926131643.146502-3-nathanl@linux.ibm.com

diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 0b8a858aa8479bbf4fe9e634c098e91f7b6191ef..e847f9b1c5b9fdd8190817207156f05e86ad70f7 100644 (file)
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -23,6 +23,7 @@
 #include <linux/memblock.h>
 #include <linux/slab.h>
 #include <linux/reboot.h>
+#include <linux/security.h>
 #include <linux/syscalls.h>
 #include <linux/of.h>
 #include <linux/of_fdt.h>
@@ -463,6 +464,9 @@ void rtas_call_unlocked(struct rtas_args *args, int token, int nargs, int nret,
        va_end(list);
 }
 
+static int ibm_open_errinjct_token;
+static int ibm_errinjct_token;
+
 int rtas_call(int token, int nargs, int nret, int *outputs, ...)
 {
        va_list list;
@@ -475,6 +479,16 @@ int rtas_call(int token, int nargs, int nret, int *outputs, ...)
        if (!rtas.entry || token == RTAS_UNKNOWN_SERVICE)
                return -1;
 
+       if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) {
+               /*
+                * It would be nicer to not discard the error value
+                * from security_locked_down(), but callers expect an
+                * RTAS status, not an errno.
+                */
+               if (security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION))
+                       return -1;
+       }
+
        if ((mfmsr() & (MSR_IR|MSR_DR)) != (MSR_IR|MSR_DR)) {
                WARN_ON_ONCE(1);
                return -1;
@@ -1173,6 +1187,14 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
        if (block_rtas_call(token, nargs, &args))
                return -EINVAL;
 
+       if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) {
+               int err;
+
+               err = security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION);
+               if (err)
+                       return err;
+       }
+
        /* Need to handle ibm,suspend_me call specially */
        if (token == rtas_token("ibm,suspend-me")) {
 
@@ -1271,7 +1293,8 @@ void __init rtas_initialize(void)
 #ifdef CONFIG_RTAS_ERROR_LOGGING
        rtas_last_error_token = rtas_token("rtas-last-error");
 #endif
-
+       ibm_open_errinjct_token = rtas_token("ibm,open-errinjct");
+       ibm_errinjct_token = rtas_token("ibm,errinjct");
        rtas_syscall_filter_init();
 }
 

diff --git a/include/linux/security.h b/include/linux/security.h
index 7da801ceb5a4101cf7b6c056ddd904cd57565eb3..a6d67600759e75336ca1664fafabb8913bf17889 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -123,6 +123,7 @@ enum lockdown_reason {
        LOCKDOWN_XMON_WR,
        LOCKDOWN_BPF_WRITE_USER,
        LOCKDOWN_DBG_WRITE_KERNEL,
+       LOCKDOWN_RTAS_ERROR_INJECTION,
        LOCKDOWN_INTEGRITY_MAX,
        LOCKDOWN_KCORE,
        LOCKDOWN_KPROBES,

diff --git a/security/security.c b/security/security.c
index 400ab5de631e3b1ec26eed2d4107b38daec30146..3f5aa9d64aa71f84606a8f9501d638bf81d89cf6 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -61,6 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
        [LOCKDOWN_XMON_WR] = "xmon write access",
        [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
        [LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
+       [LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",
        [LOCKDOWN_INTEGRITY_MAX] = "integrity",
        [LOCKDOWN_KCORE] = "/proc/kcore access",
        [LOCKDOWN_KPROBES] = "use of kprobes",