diff options
author | Nathan Lynch <nathanl@linux.ibm.com> | 2022-09-26 15:16:43 +0200 |
---|---|---|
committer | Michael Ellerman <mpe@ellerman.id.au> | 2022-09-28 11:22:14 +0200 |
commit | b8f3e48834fe8c86b4f21739c6effd160e2c2c19 (patch) | |
tree | 6658e486f3a3a23d2a418f48986029a54977326f /security | |
parent | powerpc/pseries: block untrusted device tree changes when locked down (diff) | |
download | linux-b8f3e48834fe8c86b4f21739c6effd160e2c2c19.tar.xz linux-b8f3e48834fe8c86b4f21739c6effd160e2c2c19.zip |
powerpc/rtas: block error injection when locked down
The error injection facility on pseries VMs allows corruption of
arbitrary guest memory, potentially enabling a sufficiently privileged
user to disable lockdown or perform other modifications of the running
kernel via the rtas syscall.
Block the PAPR error injection facility from being opened or called
when locked down.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Acked-by: Paul Moore <paul@paul-moore.com> (LSM)
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220926131643.146502-3-nathanl@linux.ibm.com
Diffstat (limited to 'security')
-rw-r--r-- | security/security.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c index 400ab5de631e..3f5aa9d64aa7 100644 --- a/security/security.c +++ b/security/security.c @@ -61,6 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_XMON_WR] = "xmon write access", [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM", [LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM", + [LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", |