2 * Linux Security Module for Chromium OS
4 * Copyright 2011 Google Inc. All Rights Reserved
7 * Stephan Uphoff <ups@google.com>
8 * Kees Cook <keescook@chromium.org>
10 * This software is licensed under the terms of the GNU General Public
11 * License version 2, as published by the Free Software Foundation, and
12 * may be copied, distributed, and modified under those terms.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
20 #define pr_fmt(fmt) "Chromium OS LSM: " fmt
22 #include <linux/module.h>
23 #include <linux/security.h>
24 #include <linux/sched.h> /* current and other task related stuff */
26 #include <linux/fs_struct.h>
27 #include <linux/mount.h>
28 #include <linux/path.h>
29 #include <linux/root_dev.h>
33 static int chromiumos_security_sb_mount(char *dev_name, struct path *path,
34 char *type, unsigned long flags, void *data)
36 int error = current->total_link_count ? -ELOOP : 0;
41 cmdline = printable_cmdline(current);
42 pr_notice("Mount path with symlinks prohibited - "
43 "pid=%d cmdline=%s\n",
44 task_pid_nr(current), cmdline);
51 static void report_load_module(struct path *path, char *operation)
53 char *alloced = NULL, *cmdline;
54 char *pathname; /* Pointer to either static string or "alloced". */
57 pathname = "<unknown>";
59 /* We will allow 11 spaces for ' (deleted)' to be appended */
60 alloced = pathname = kmalloc(PATH_MAX+11, GFP_KERNEL);
62 pathname = "<no_memory>";
64 pathname = d_path(path, pathname, PATH_MAX+11);
66 pathname = "<too_long>";
68 pathname = printable(pathname);
75 cmdline = printable_cmdline(current);
77 pr_notice("init_module %s module=%s pid=%d cmdline=%s\n",
78 operation, pathname, task_pid_nr(current), cmdline);
84 static int module_locking = 1;
85 static struct dentry *locked_root;
91 static struct ctl_path chromiumos_sysctl_path[] = {
92 { .procname = "kernel", },
93 { .procname = "chromiumos", },
97 static struct ctl_table chromiumos_sysctl_table[] = {
99 .procname = "module_locking",
100 .data = &module_locking,
101 .maxlen = sizeof(int),
103 .proc_handler = proc_dointvec_minmax,
110 /* Check if the root device is read-only (e.g. dm-verity is enabled).
111 * This must be called after early kernel init, since then the rootdev
114 static bool rootdev_readonly(void)
117 struct block_device *bdev;
118 const fmode_t mode = FMODE_WRITE;
120 bdev = blkdev_get_by_dev(ROOT_DEV, mode, NULL);
122 /* In this weird case, assume it is read-only. */
123 pr_info("dev(%u,%u): FMODE_WRITE disallowed?!\n",
124 MAJOR(ROOT_DEV), MINOR(ROOT_DEV));
128 rc = bdev_read_only(bdev);
129 blkdev_put(bdev, mode);
131 pr_info("dev(%u,%u): %s\n", MAJOR(ROOT_DEV), MINOR(ROOT_DEV),
132 rc ? "read-only" : "writable");
137 static void check_locking_enforcement(void)
139 /* If module locking is not being enforced, allow sysctl to change
142 if (!rootdev_readonly()) {
143 if (!register_sysctl_paths(chromiumos_sysctl_path,
144 chromiumos_sysctl_table))
145 pr_notice("sysctl registration failed!\n");
147 pr_info("module locking can be disabled.\n");
149 pr_info("module locking engaged.\n");
152 static void check_locking_enforcement(void) { }
156 static int chromiumos_security_load_module(struct file *file)
158 struct dentry *module_root;
161 report_load_module(NULL, "old-api-denied");
165 module_root = file->f_vfsmnt->mnt_root;
167 /* First loaded module defines the root for all others. */
169 locked_root = dget(module_root);
170 report_load_module(&file->f_path, "locked");
171 check_locking_enforcement();
174 if (module_root != locked_root) {
175 if (unlikely(!module_locking)) {
176 report_load_module(&file->f_path, "locking-ignored");
180 report_load_module(&file->f_path, "denied");
187 static struct security_operations chromiumos_security_ops = {
188 .name = "chromiumos",
189 .sb_mount = chromiumos_security_sb_mount,
190 .kernel_module_from_file = chromiumos_security_load_module,
194 static int __init chromiumos_security_init(void)
198 error = register_security(&chromiumos_security_ops);
201 panic("Could not register Chromium OS security module");
205 security_initcall(chromiumos_security_init);
207 module_param(module_locking, int, S_IRUSR);
208 MODULE_PARM_DESC(module_locking, "Module loading restrictions (default: true)");