powerpc/rtas: block error injection when locked down
The error injection facility on pseries VMs allows corruption of arbitrary guest memory, potentially enabling a sufficiently privileged user to disable lockdown or perform other modifications of the running kernel via the rtas syscall. Block the PAPR error injection facility from being opened or called when locked down. Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> Acked-by: Paul Moore <paul@paul-moore.com> (LSM) Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220926131643.146502-3-nathanl@linux.ibm.com
This commit is contained in:
Nathan Lynch
Michael Ellerman
parent
99df7a2810
commit
b8f3e48834
3 changed files with 26 additions and 1 deletions
|
|
@ -61,6 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
|
|||
[LOCKDOWN_XMON_WR] = "xmon write access",
|
||||
[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
|
||||
[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
|
||||
[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",
|
||||
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
|
||||
[LOCKDOWN_KCORE] = "/proc/kcore access",
|
||||
[LOCKDOWN_KPROBES] = "use of kprobes",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue