In secure deployments we shouldn't load the persistent barebox environment from storage, since it could have been manipulated. Add a security policy option for it.
Signed-off-by: Sascha Hauer <s.ha...@pengutronix.de>
---
 common/Sconfig | 8 ++++++++
 common/environment.c | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/common/Sconfig b/common/Sconfig
index ac027022e932dffd429f0b34cb8e1a199b0b595b..ec68bc2737af02cff3ce38c7bc1b9d59af2336c5 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -20,6 +20,14 @@ config SHELL_INTERACTIVE
 Disabling this option also disables interruption with ctrl-c keystrokes.
+config ENVIRONMENT_LOAD
+ bool "Allow loading barebox environment from persistent media"
+ depends on $(kconfig-enabled,ENV_HANDLING)
+ help
+ The barebox environment doesn't have any security measures and could be
+ manipulated by an attacker. Loading it from persistent media imposes a
+ security risk and should thus be disabled.
+
 config RATP
 bool "Allow remote control via RATP"
 depends on $(kconfig-enabled,CONSOLE_RATP)
diff --git a/common/environment.c b/common/environment.c
index 33ab4c43295da0c66811d16649d0d6cc1a711277..62b8120cbd7d839b0d995bfe67b4e869a9e12aee 100644
--- a/common/environment.c
+++ b/common/environment.c
@@ -30,6 +30,7 @@
 #include <efi/partition.h>
 #include <bootsource.h>
 #include <magicvar.h>
+#include <security/config.h>
 #else
 #define EXPORT_SYMBOL(x)
 #endif
@@ -449,6 +450,11 @@ int envfs_load(const char *filename, const char *dir, unsigned flags)
 int ret = 0;
 size_t size, rsize;
+#ifdef __BAREBOX__
+ if (!IS_ALLOWED(SCONFIG_ENVIRONMENT_LOAD))
+ return -EPERM;
+#endif
+
 if (!filename)
 filename = default_environment_path_get();
 if (!filename)
-- 
2.39.5
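Review bot: The help text for ENVIRONMENT_LOAD explains the risk but not what happens when the option is not allowed, which is exactly what someone auditing a security policy needs to know. I'd append a sentence such as `When not allowed, envfs_load() refuses to read any environment from storage and fails with -EPERM.` to the existing paragraph. If the compiled-in default environment is still used in that case (this hunk does not show it), stating that in the help text too would make the trade-off of denying this option clear to the person writing the policy.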
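Review bot: The new policy check at the top of envfs_load() returns -EPERM without reporting anything, so unless IS_ALLOWED() itself logs the denial, a caller will only see a generic "could not load environment" failure that is indistinguishable from a missing or corrupt environment. A one-line notice before the return, e.g. `pr_warn("envfs: loading the environment is denied by security policy\n");` (or whatever reporting helper this file already uses), makes the refusal attributable in a boot log, which matters precisely in the locked-down deployments this option targets. The guard sits before the filename lookup, so it fails closed for every caller of envfs_load(); any other code path that reads the persistent environment without going through envfs_load() would need the same check, which I cannot verify from this hunk. The body of envfs_load() continues past the end of the hunk.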