From: Ahmad Fatoum <a.fat...@pengutronix.de> The go command doesn't do any signature verification and allows executing arbitrary code. Add a security option, so a policy can disable this command at runtime.
Signed-off-by: Ahmad Fatoum <a.fat...@pengutronix.de>
---
 Sconfig | 1 +
 commands/Sconfig | 12 ++++++++++++
 commands/go.c | 4 ++++
 3 files changed, 17 insertions(+)
diff --git a/Sconfig b/Sconfig
index 6cfd8c8677a655c1b238dadc22aa6d40b161596d..1c5b9d70d09f8df47edc48f6ac295501f66df97e 100644
--- a/Sconfig
+++ b/Sconfig
@@ -5,3 +5,4 @@ mainmenu "Barebox Security Configuration"
 source "scripts/Sconfig.include"
 source "security/Sconfig"
+source "commands/Sconfig"
diff --git a/commands/Sconfig b/commands/Sconfig
new file mode 100644
index 0000000000000000000000000000000000000000..7e6d937e162ce154b3993d03a9103181ea61af5d
--- /dev/null
+++ b/commands/Sconfig
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+menu "Command Policy"
+
+config CMD_GO
+ bool "Allow go command"
+ depends on $(kconfig-enabled,CMD_GO)
+ help
+ The go command jumps to an arbitrary address after shutting
+ down barebox and does not do any signature verification.
+
+endmenu
diff --git a/commands/go.c b/commands/go.c
index 3449a2181ad076e30ea96f016245806a59d657c4..640911d90db28c0dc60b713267dcab14627c793c 100644
--- a/commands/go.c
+++ b/commands/go.c
@@ -11,6 +11,7 @@
 #include <getopt.h>
 #include <linux/ctype.h>
 #include <errno.h>
+#include <security/config.h>
 #define INT_ARGS_MAX 4
@@ -24,6 +25,9 @@ static int do_go(int argc, char *argv[])
 ulong arg[INT_ARGS_MAX] = {};
 bool pass_argv = true;
+ if (!IS_ALLOWED(SCONFIG_CMD_GO))
+ return -EPERM;
+
 while ((opt = getopt(argc, argv, "+si")) > 0) {
 switch (opt) {
 case 's':
-- 
2.47.3
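Review bot: The new `config CMD_GO` entry in commands/Sconfig carries no `default` line, so a generated security configuration presumably leaves the go command disallowed unless a policy enables it explicitly; if that fail-closed behaviour is intended, it is worth stating in the help text, e.g. `Disabled by default; enable only in development or debug policies.` If the policy is instead meant to follow the Kconfig value, a `default y` would be needed. How `IS_ALLOWED` treats an option that is absent from the policy is not visible in this patch and should be confirmed against security/Sconfig.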
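Review bot: The policy gate added at the top of do_go has no comment explaining why it sits before getopt(), and the -EPERM is returned without any diagnostic; a short comment such as `/* Policy gate: go hands control to an unverified address, so refuse before any argument is parsed. */` above the `if` would make the fail-closed ordering deliberate for future edits. Whether a message should accompany the -EPERM depends on how other policy-gated commands in the tree report it, which this hunk does not show. The body of do_go continues outside the hunk.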