security/lock_down.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /* Lock down the kernel
   3  *
   4  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  *
   7  * This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public Licence
   9  * as published by the Free Software Foundation; either version
  10  * 2 of the Licence, or (at your option) any later version.
  11  */
  12
  13 #include <linux/security.h>
  14 #include <linux/export.h>
  15 #include <linux/sysrq.h>
  16 #include <asm/setup.h>
  17
  18 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
  19 static __read_mostly bool kernel_locked_down;
  20 #else
  21 static __ro_after_init bool kernel_locked_down;
  22 #endif
  23
  24 /*
  25  * Put the kernel into lock-down mode.
  26  */
  27 static void __init lock_kernel_down(const char *where)
  28 {
  29         if (!kernel_locked_down) {
  30                 kernel_locked_down = true;
  31                 pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
  32                           where);
  33         }
  34 }
  35
  36 static int __init lockdown_param(char *ignored)
  37 {
  38         lock_kernel_down("command line");
  39         return 0;
  40 }
  41
  42 early_param("lockdown", lockdown_param);
  43
  44 /*
  45  * Lock the kernel down from very early in the arch setup.  This must happen
  46  * prior to things like ACPI being initialised.
  47  */
  48 void __init init_lockdown(void)
  49 {
  50 #ifdef CONFIG_LOCK_DOWN_FORCE
  51         lock_kernel_down("Kernel configuration");
  52 #endif
  53 }
  54
  55 /**
  56  * kernel_is_locked_down - Find out if the kernel is locked down
  57  * @what: Tag to use in notice generated if lockdown is in effect
  58  */
  59 bool __kernel_is_locked_down(const char *what, bool first)
  60 {
  61         if (what && first && kernel_locked_down)
  62                 pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
  63                           current->comm, what);
  64         return kernel_locked_down;
  65 }
  66 EXPORT_SYMBOL(__kernel_is_locked_down);
  67
  68 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
  69
  70 /*
  71  * Take the kernel out of lockdown mode.
  72  */
  73 static void lift_kernel_lockdown(void)
  74 {
  75         pr_notice("Lifting lockdown\n");
  76         kernel_locked_down = false;
  77 }
  78
  79 /*
  80  * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
  81  * echoing the appropriate letter into the sysrq-trigger file).
  82  */
  83 static void sysrq_handle_lockdown_lift(int key)
  84 {
  85         if (kernel_locked_down)
  86                 lift_kernel_lockdown();
  87 }
  88
  89 static struct sysrq_key_op lockdown_lift_sysrq_op = {
  90         .handler        = sysrq_handle_lockdown_lift,
  91         .help_msg       = "unSB(x)",
  92         .action_msg     = "Disabling Secure Boot restrictions",
  93         .enable_mask    = SYSRQ_DISABLE_USERSPACE,
  94 };
  95
  96 static int __init lockdown_lift_sysrq(void)
  97 {
  98         if (kernel_locked_down) {
  99                 lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
 100                 register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
 101         }
 102         return 0;
 103 }
 104
 105 late_initcall(lockdown_lift_sysrq);
 106
 107 #endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */