[mirror_ubuntu-eoan-kernel.git] / security / lock_down.c

// SPDX-License-Identifier: GPL-2.0
/* Lock down the kernel
 *
 * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public Licence
 * as published by the Free Software Foundation; either version
 * 2 of the Licence, or (at your option) any later version.
 */

#include <linux/security.h>
#include <linux/export.h>
#include <linux/sysrq.h>
#include <asm/setup.h>

#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
static __read_mostly bool kernel_locked_down;
#else
static __ro_after_init bool kernel_locked_down;
#endif

/*
 * Put the kernel into lock-down mode.
 */
static void __init lock_kernel_down(const char *where)
{
	if (!kernel_locked_down) {
		kernel_locked_down = true;
		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
			  where);
	}
}

static int __init lockdown_param(char *ignored)
{
	lock_kernel_down("command line");
	return 0;
}

early_param("lockdown", lockdown_param);

/*
 * Lock the kernel down from very early in the arch setup.  This must happen
 * prior to things like ACPI being initialised.
 */
void __init init_lockdown(void)
{
#ifdef CONFIG_LOCK_DOWN_FORCE
	lock_kernel_down("Kernel configuration");
#endif
}

/**
 * kernel_is_locked_down - Find out if the kernel is locked down
 * @what: Tag to use in notice generated if lockdown is in effect
 */
bool __kernel_is_locked_down(const char *what, bool first)
{
	if (what && first && kernel_locked_down)
		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
			  current->comm, what);
	return kernel_locked_down;
}
EXPORT_SYMBOL(__kernel_is_locked_down);

#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ

/*
 * Take the kernel out of lockdown mode.
 */
static void lift_kernel_lockdown(void)
{
	pr_notice("Lifting lockdown\n");
	kernel_locked_down = false;
}

/*
 * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
 * echoing the appropriate letter into the sysrq-trigger file).
 */
static void sysrq_handle_lockdown_lift(int key)
{
	if (kernel_locked_down)
		lift_kernel_lockdown();
}

static struct sysrq_key_op lockdown_lift_sysrq_op = {
	.handler	= sysrq_handle_lockdown_lift,
	.help_msg	= "unSB(x)",
	.action_msg	= "Disabling Secure Boot restrictions",
	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
};

static int __init lockdown_lift_sysrq(void)
{
	if (kernel_locked_down) {
		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
	}
	return 0;
}

late_initcall(lockdown_lift_sysrq);

#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
Commit	Line	Data
0a8dc8c9 DH	1	// SPDX-License-Identifier: GPL-2.0
	2	/* Lock down the kernel
	3	*
	4	* Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
	5	* Written by David Howells (dhowells@redhat.com)
	6	*
	7	* This program is free software; you can redistribute it and/or
	8	* modify it under the terms of the GNU General Public Licence
	9	* as published by the Free Software Foundation; either version
	10	* 2 of the Licence, or (at your option) any later version.
	11	*/
	12
	13	#include <linux/security.h>
	14	#include <linux/export.h>
3da3c68e KM	15	#include <linux/sysrq.h>
3da3c68e KM	16	#include <asm/setup.h>
0a8dc8c9	17
3da3c68e KM	18	#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
	19	static __read_mostly bool kernel_locked_down;
	20	#else
0a8dc8c9	21	static __ro_after_init bool kernel_locked_down;
3da3c68e	22	#endif
0a8dc8c9 DH	23
	24	/*
	25	* Put the kernel into lock-down mode.
	26	*/
	27	static void __init lock_kernel_down(const char *where)
	28	{
	29	if (!kernel_locked_down) {
	30	kernel_locked_down = true;
	31	pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
	32	where);
	33	}
	34	}
	35
	36	static int __init lockdown_param(char *ignored)
	37	{
	38	lock_kernel_down("command line");
	39	return 0;
	40	}
	41
	42	early_param("lockdown", lockdown_param);
	43
	44	/*
	45	* Lock the kernel down from very early in the arch setup. This must happen
	46	* prior to things like ACPI being initialised.
	47	*/
	48	void __init init_lockdown(void)
	49	{
	50	#ifdef CONFIG_LOCK_DOWN_FORCE
	51	lock_kernel_down("Kernel configuration");
	52	#endif
	53	}
	54
	55	/**
	56	* kernel_is_locked_down - Find out if the kernel is locked down
	57	* @what: Tag to use in notice generated if lockdown is in effect
	58	*/
	59	bool __kernel_is_locked_down(const char *what, bool first)
	60	{
	61	if (what && first && kernel_locked_down)
f127f150 DH	62	pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
f127f150 DH	63	current->comm, what);
0a8dc8c9 DH	64	return kernel_locked_down;
	65	}
	66	EXPORT_SYMBOL(__kernel_is_locked_down);
3da3c68e KM	67
	68	#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
	69
	70	/*
	71	* Take the kernel out of lockdown mode.
	72	*/
	73	static void lift_kernel_lockdown(void)
	74	{
	75	pr_notice("Lifting lockdown\n");
	76	kernel_locked_down = false;
	77	}
	78
	79	/*
	80	* Allow lockdown to be lifted by pressing something like SysRq+x (and not by
	81	* echoing the appropriate letter into the sysrq-trigger file).
	82	*/
	83	static void sysrq_handle_lockdown_lift(int key)
	84	{
	85	if (kernel_locked_down)
	86	lift_kernel_lockdown();
	87	}
	88
	89	static struct sysrq_key_op lockdown_lift_sysrq_op = {
	90	.handler = sysrq_handle_lockdown_lift,
	91	.help_msg = "unSB(x)",
	92	.action_msg = "Disabling Secure Boot restrictions",
	93	.enable_mask = SYSRQ_DISABLE_USERSPACE,
	94	};
	95
	96	static int __init lockdown_lift_sysrq(void)
	97	{
	98	if (kernel_locked_down) {
	99	lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
	100	register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
	101	}
	102	return 0;
	103	}
	104
	105	late_initcall(lockdown_lift_sysrq);
	106
	107	#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */