x86/msr: Restrict MSR access when the kernel is locked down

Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode.  Based on a
patch by Kees Cook.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
cc: x86@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 3db2252b958d19fe7cf4de4e8e91f257da4e4409..1547be359d7f5a539ab470381654b6b02c4bf102 100644 (file)
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -34,6 +34,7 @@
 #include <linux/notifier.h>
 #include <linux/uaccess.h>
 #include <linux/gfp.h>
+#include <linux/security.h>
 
 #include <asm/cpufeature.h>
 #include <asm/msr.h>
@@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
        int err = 0;
        ssize_t bytes = 0;
 
+       err = security_locked_down(LOCKDOWN_MSR);
+       if (err)
+               return err;
+
        if (count % 8)
                return -EINVAL; /* Invalid chunk size */
 
@@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
                        err = -EFAULT;
                        break;
                }
+               err = security_locked_down(LOCKDOWN_MSR);
+               if (err)
+                       break;
                err = wrmsr_safe_regs_on_cpu(cpu, regs);
                if (err)
                        break;

diff --git a/include/linux/security.h b/include/linux/security.h
index cd93fa5d3c6d34f6aac5f0b7dde849e1ad4a1865..010637a79eac5a19c925f0423a0c1b6e183386ac 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -109,6 +109,7 @@ enum lockdown_reason {
        LOCKDOWN_HIBERNATION,
        LOCKDOWN_PCI_ACCESS,
        LOCKDOWN_IOPORT,
+       LOCKDOWN_MSR,
        LOCKDOWN_INTEGRITY_MAX,
        LOCKDOWN_CONFIDENTIALITY_MAX,
 };

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8b7d65dbb0866080e5dab9c45b690c35fdf8c7e2..b1c1c72440d5e753ae61216323fd73bf358d4489 100644 (file)
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
        [LOCKDOWN_HIBERNATION] = "hibernation",
        [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
        [LOCKDOWN_IOPORT] = "raw io port access",
+       [LOCKDOWN_MSR] = "raw MSR access",
        [LOCKDOWN_INTEGRITY_MAX] = "integrity",
        [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };