On 09/04/13 at 09:56pm, Vivek Goyal wrote: > With secureboot enabled, we don't even trust root. And when kexec is launched > it might happen that root has already rigged /proc and /sys which kexec > reads to get important data. > > So create a private mount namespace which is not visible to root, unmount > old /proc and /sys and remount these to get to actual data kernel exported.
Hello Vivek kexec will also use /sys/kernel/debug/boot_params, I want to copy efi_info from there for efi runtime support. So could you remount debugfs as well? > > Signed-off-by: Vivek Goyal <[email protected]> > --- > kexec/kexec.c | 65 > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 65 insertions(+) > > diff --git a/kexec/kexec.c b/kexec/kexec.c > index 21ff0e7..9187fb8 100644 > --- a/kexec/kexec.c > +++ b/kexec/kexec.c > @@ -31,6 +31,8 @@ > #include <sys/reboot.h> > #include <unistd.h> > #include <fcntl.h> > +#include <sys/mount.h> > +#include <sched.h> > #ifndef _O_BINARY > #define _O_BINARY 0 > #endif > @@ -1053,6 +1055,64 @@ char *concat_cmdline(const char *base, const char > *append) > } > > > +/* > + * In secureboot environment, even root is not trusted. /sbin/kexec reads > + * files from /proc and /sys and it might happen root faked these files > + * using bind mounts or other techniques. create a private namespace and > + * remount /proc to make sure kexec is looking at what has been exported > + * by kernel and not faked by root. > + */ > +static int remount_proc_and_sys(void) > +{ > + int ret = 0; > + > + ret = unshare(CLONE_NEWNS); > + if (ret == -1) { > + fprintf(stderr, "unshare(CLONE_NEWNS) failed:%s\n", > + strerror(errno)); > + return -1; > + } > + > + /* > + * make root private so that no mount event from previous namespace > + * are propogated > + */ > + ret = mount("", "/", "", MS_REC | MS_PRIVATE, ""); > + if (ret == -1) { > + fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n", > + strerror(errno)); > + return -1; > + } > + > + /* lazy unmount /proc */ > + ret = umount2("/proc", MNT_DETACH); > + if (ret == -1) { > + fprintf(stderr, "umount(/proc) failed:%s\n", strerror(errno)); > + return -1; > + } > + > + ret = mount("none", "/proc", "proc", 0, ""); > + if (ret == -1) { > + fprintf(stderr, "mount(/proc) failed:%s\n", strerror(errno)); > + return -1; > + } > + > + /* lazy unmount /sys */ > + ret = umount2("/sys", MNT_DETACH); > + if (ret == -1) { > + fprintf(stderr, "umount(/sys) failed:%s\n", strerror(errno)); > + return -1; > + } > + > + ret = mount("none", "/sys", "sysfs", 0, ""); > + if (ret == -1) { > + fprintf(stderr, "mount(/sys) failed:%s\n", strerror(errno)); > + return -1; > + } > + > + return ret; > +} > + > int main(int argc, char *argv[]) > { > int do_load = 1; > @@ -1212,6 +1272,11 @@ int main(int argc, char *argv[]) > } > } > > + result = remount_proc_and_sys(); > + > + if (result) > + die("Remounting /proc/ and /sys/ failed\n"); > + > if (do_reuse_initrd){ > check_reuse_initrd(); > arch_reuse_initrd(); > -- > 1.8.3.1 > > _______________________________________________ > kexec mailing list > [email protected] > https://lists.fedoraproject.org/mailman/listinfo/kexec _______________________________________________ kernel mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/kernel
