On 09/04/13 at 09:56pm, Vivek Goyal wrote:
> With secureboot enabled, we don't even trust root. And when kexec is launched
> it might happen that root has already rigged /proc and /sys which kexec
> reads to get important data.
>
> So create a private mount namespace which is not visible to root, unmount
> old /proc and /sys and remount these to get to actual data kernel exported.
Hello Vivek
kexec will also use /sys/kernel/debug/boot_params, I want to copy efi_info from
there for efi runtime support. So could you remount debugfs as well?
>
> Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> ---
> kexec/kexec.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 65 insertions(+)
>
> diff --git a/kexec/kexec.c b/kexec/kexec.c
> index 21ff0e7..9187fb8 100644
> --- a/kexec/kexec.c
> +++ b/kexec/kexec.c
> @@ -31,6 +31,8 @@
> #include <sys/reboot.h>
> #include <unistd.h>
> #include <fcntl.h>
> +#include <sys/mount.h>
> +#include <sched.h>
> #ifndef _O_BINARY
> #define _O_BINARY 0
> #endif
> @@ -1053,6 +1055,64 @@ char *concat_cmdline(const char *base, const char *append)
> }
>
>
> +/*
> + * In secureboot environment, even root is not trusted. /sbin/kexec reads
> + * files from /proc and /sys and it might happen root faked these files
> + * using bind mounts or other techniques. create a private namespace and
> + * remount /proc to make sure kexec is looking at what has been exported
> + * by kernel and not faked by root.
> + */
> +static int remount_proc_and_sys(void)
> +{
> + int ret = 0;
> +
> + ret = unshare(CLONE_NEWNS);
> + if (ret == -1) {
> + fprintf(stderr, "unshare(CLONE_NEWNS) failed:%s\n",
> + strerror(errno));
> + return -1;
> + }
> +
> + /*
> + * make root private so that no mount event from previous namespace
> + * are propogated
> + */
> + ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
> + if (ret == -1) {
> + fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n",
> + strerror(errno));
> + return -1;
> + }
> +
> + /* lazy unmount /proc */
> + ret = umount2("/proc", MNT_DETACH);
> + if (ret == -1) {
> + fprintf(stderr, "umount(/proc) failed:%s\n", strerror(errno));
> + return -1;
> + }
> +
> + ret = mount("none", "/proc", "proc", 0, "");
> + if (ret == -1) {
> + fprintf(stderr, "mount(/proc) failed:%s\n", strerror(errno));
> + return -1;
> + }
> +
> + /* lazy unmount /sys */
> + ret = umount2("/sys", MNT_DETACH);
> + if (ret == -1) {
> + fprintf(stderr, "umount(/sys) failed:%s\n", strerror(errno));
> + return -1;
> + }
> +
> + ret = mount("none", "/sys", "sysfs", 0, "");
> + if (ret == -1) {
> + fprintf(stderr, "mount(/sys) failed:%s\n", strerror(errno));
> + return -1;
> + }
> +
> + return ret;
> +}
> +
> int main(int argc, char *argv[])
> {
> int do_load = 1;
> @@ -1212,6 +1272,11 @@ int main(int argc, char *argv[])
> }
> }
>
> + result = remount_proc_and_sys();
> +
> + if (result)
> + die("Remounting /proc/ and /sys/ failed\n");
> +
> if (do_reuse_initrd){
> check_reuse_initrd();
> arch_reuse_initrd();
> --
> 1.8.3.1
>
> _______________________________________________
> kexec mailing list
> kexec@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/mailman/listinfo/kexec
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
