powerpc/rtas: block error injection when locked down

The error injection facility on pseries VMs allows corruption of arbitrary guest memory, potentially enabling a sufficiently privileged user to disable lockdown or perform other modifications of the running kernel via the rtas syscall. Block the PAPR error injection facility from being opened or called when locked down. Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> Acked-by: Paul Moore <paul@paul-moore.com> (LSM) Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220926131643.146502-3-nathanl@linux.ibm.com
author: Nathan Lynch <nathanl@linux.ibm.com> 2022-09-26 16:16:43 +0300
committer: Michael Ellerman <mpe@ellerman.id.au> 2022-09-28 12:22:14 +0300
commit: b8f3e48834fe8c86b4f21739c6effd160e2c2c19 (patch)
tree: 6658e486f3a3a23d2a418f48986029a54977326f /security
parent: 99df7a2810b6d24651d4887ab61a142e042fb235 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 400ab5de631e..3f5aa9d64aa7 100644
--- a/security/security.c
+++ b/security/security.c
@@ -61,6 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_XMON_WR] = "xmon write access",
 	[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
 	[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
+	[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",
author	Nathan Lynch <nathanl@linux.ibm.com>	2022-09-26 16:16:43 +0300
committer	Michael Ellerman <mpe@ellerman.id.au>	2022-09-28 12:22:14 +0300
commit	b8f3e48834fe8c86b4f21739c6effd160e2c2c19 (patch)
tree	6658e486f3a3a23d2a418f48986029a54977326f /security
parent	99df7a2810b6d24651d4887ab61a142e042fb235 (diff)