From 7c57d60d77d05ad26fe7ea6effb9c02fcf5208cc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 15 Dec 2016 13:07:19 -0800
Subject: [PATCH 2/3] Introduce CONFIG_READONLY_USERMODEHELPER

If you can write to kernel memory, an "easy" way to get the kernel to
run any application is to change the pointer of one of the usermode
helper program names. To try to mitigate this, create a new config
option, CONFIG_READONLY_USERMODEHELPER.

This option only allows "predefined" binaries to be called. A number of
drivers and subsystems allow for the name of the binary to be changed,
and this config option disables that capability, so be aware of that.

Note: Still a proof-of-concept at this point in time, doesn't cover all
of the call_usermodehelper() calls just yet, including the "fun" of
coredumps, it's still a work in progress.

Not-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kmod.h | 6 ++++++
security/Kconfig | 17 +++++++++++++++++
2 files changed, 23 insertions(+)
--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -53,6 +53,12 @@ struct file;
#define UMH_WAIT_PROC 2 /* wait for the process to complete */
#define UMH_KILLABLE 4 /* wait for EXEC/PROC killable */
+#ifdef CONFIG_READONLY_USERMODEHELPER
+# define __ro_umh const
+#else
+# define __ro_umh /**/
+#endif
+
struct subprocess_info {
struct work_struct work;
struct completion *complete;
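Review bot: `__ro_umh` in the new `#ifdef CONFIG_READONLY_USERMODEHELPER` block has no comment saying what it is meant to annotate, and nothing in this patch uses it (the diffstat lists only include/linux/kmod.h and security/Kconfig). Because it expands to a bare `const`, its effect depends on where it is placed in a declaration: written before the `*` of a `char *` it qualifies the characters pointed to and leaves the pointer itself writable, which is the pointer the commit message describes an attacker changing. Suggest a short comment above the macro stating that it belongs on the storage holding the helper path (a `char` array, or after the `*` for a pointer), and simplifying the disabled branch to an empty `# define __ro_umh` without the `/**/`.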
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -193,6 +193,23 @@ config STATIC_USERMODEHELPER_PATH
If you wish for all usermode helper programs to be disabled,
specify an empty string here (i.e. "").
+config READONLY_USERMODEHELPER
+ bool "Make User Mode Helper program names read-only"
+ default N
+ help
+ Some user mode helper program names can be changed at runtime
+ by userspace programs. Prevent this from happening by "hard
+ coding" all user mode helper program names at kernel build
+ time, moving the names into read-only memory, making it harder
+ for any arbritrary program to be run as root if something were
+ to go wrong.
+
+ Note, some subsystems and drivers allow their user mode helper
+ binary to be changed with a module parameter, sysctl, sysfs
+ file, or some combination of these. Enabling this option
+ prevents the binary name to be changed, which might not be
+ good for some systems.
+
source security/selinux/Kconfig
source security/smack/Kconfig
source security/tomoyo/Kconfig
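Review bot: `default N` in the new `config READONLY_USERMODEHELPER` entry should be `default n`, or simply dropped since a bool is already off by default; Kconfig's tristate constants are lowercase, so `N` is parsed as a reference to a symbol named N rather than as the value n. In the help text, "arbritrary" should be "arbitrary" and "prevents the binary name to be changed" reads better as "prevents the binary name from being changed". The entry sits directly after STATIC_USERMODEHELPER_PATH, so one sentence in the help on how the two options relate would also help someone choosing between them.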