Re: [PATCH 09/13] powerpc/rtas: mandate RTAS syscall filtering

Mon, 21 Nov 2022 20:21:13 -0800 

On Fri, 2022-11-18 at 09:07 -0600, Nathan Lynch wrote:
> CONFIG_PPC_RTAS_FILTER has been optional but default-enabled since
> its
> introduction. It's been enabled in enterprise distro kernels for a
> while without causing ABI breakage that wasn't easily fixed, and it
> prevents harmful abuses of the rtas syscall.
> 
> Let's make it unconditional.
> 
> Signed-off-by: Nathan Lynch <nath...@linux.ibm.com>

Agreed.

Reviewed-by: Andrew Donnellan <a...@linux.ibm.com>

> ---
>  arch/powerpc/Kconfig       | 13 -------------
>  arch/powerpc/kernel/rtas.c | 16 ----------------
>  2 files changed, 29 deletions(-)
> 
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index 2ca5418457ed..8092915a4e9b 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -1012,19 +1012,6 @@ config PPC_SECVAR_SYSFS
>           read/write operations on these variables. Say Y if you have
>           secure boot enabled and want to expose variables to
> userspace.
>  
> -config PPC_RTAS_FILTER
> -       bool "Enable filtering of RTAS syscalls"
> -       default y
> -       depends on PPC_RTAS
> -       help
> -         The RTAS syscall API has security issues that could be used
> to
> -         compromise system integrity. This option enforces
> restrictions on the
> -         RTAS calls and arguments passed by userspace programs to
> mitigate
> -         these issues.
> -
> -         Say Y unless you know what you are doing and the filter is
> causing
> -         problems for you.
> -
>  endmenu
>  
>  config ISA_DMA_API
> diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
> index c3142d352f41..3929bcea92c0 100644
> --- a/arch/powerpc/kernel/rtas.c
> +++ b/arch/powerpc/kernel/rtas.c
> @@ -1051,8 +1051,6 @@ noinstr struct pseries_errorlog
> *get_pseries_errorlog(struct rtas_error_log *log
>         return NULL;
>  }
>  
> -#ifdef CONFIG_PPC_RTAS_FILTER
> -
>  /*
>   * The sys_rtas syscall, as originally designed, allows root to pass
>   * arbitrary physical addresses to RTAS calls. A number of RTAS
> calls
> @@ -1201,20 +1199,6 @@ static void __init
> rtas_syscall_filter_init(void)
>                 rtas_filters[i].token =
> rtas_token(rtas_filters[i].name);
>  }
>  
> -#else
> -
> -static bool block_rtas_call(int token, int nargs,
> -                           struct rtas_args *args)
> -{
> -       return false;
> -}
> -
> -static void __init rtas_syscall_filter_init(void)
> -{
> -}
> -
> -#endif /* CONFIG_PPC_RTAS_FILTER */
> -
>  /* We assume to be passed big endian arguments */
>  SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
>  {

-- 
Andrew Donnellan    OzLabs, ADL Canberra
a...@linux.ibm.com   IBM Australia Limited

Reply via email to