tech-kern archive
KAUTH_SYSTEM_UNENCRYPTED_SWAP
The attached patch adds KAUTH_SYSTEM_UNENCRYPTED_SWAP, which
forbids changing vm.swap_encrypt from 1 to 0 when
securelevel > 0.
If there are no objections, I'm going to commit it tomorrow.
--
Alex
Index: share/man/man9/kauth.9
===================================================================
RCS file: /cvsroot/src/share/man/man9/kauth.9,v
retrieving revision 1.112
diff -p -u -u -r1.112 kauth.9
--- share/man/man9/kauth.9 15 Jul 2018 05:16:41 -0000 1.112
+++ share/man/man9/kauth.9 16 May 2020 19:22:46 -0000
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd July 14, 2018
+.Dd May 17, 2020
.Dt KAUTH 9
.Os
.Sh NAME
@@ -488,6 +488,8 @@ Check if changing the RTC offset is allo
.It Dv KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS
Check if manipulating timecounters is allowed.
.El
+.It Dv KAUTH_SYSTEM_UNENCRYPTED_SWAP
+Check if encrypted swap can be degraded to unencrypted.
.It Dv KAUTH_SYSTEM_VERIEXEC
Check if operations on the
.Xr veriexec 8
Index: share/man/man9/secmodel_securelevel.9
===================================================================
RCS file: /cvsroot/src/share/man/man9/secmodel_securelevel.9,v
retrieving revision 1.19
diff -p -u -u -r1.19 secmodel_securelevel.9
--- share/man/man9/secmodel_securelevel.9 18 May 2019 10:21:03 -0000 1.19
+++ share/man/man9/secmodel_securelevel.9 16 May 2020 19:22:46 -0000
@@ -26,7 +26,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd May 18, 2019
+.Dd May 17, 2020
.Dt SECMODEL_SECURELEVEL 9
.Os
.Sh NAME
@@ -129,6 +129,11 @@ calls are denied.
.It
Access to unmanaged memory is denied.
.It
+The
+.Va vm.swap_encrypt
+.Xr sysctl 8
+variable may not be changed to 0.
+.It
Only GPIO pins that have been set at
.Em securelevel
0 can be accessed.
Index: sys/secmodel/securelevel/secmodel_securelevel.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/securelevel/secmodel_securelevel.c,v
retrieving revision 1.35
diff -p -u -u -r1.35 secmodel_securelevel.c
--- sys/secmodel/securelevel/secmodel_securelevel.c 11 May 2020 19:36:39 -0000 1.35
+++ sys/secmodel/securelevel/secmodel_securelevel.c 16 May 2020 19:22:47 -0000
@@ -343,6 +343,11 @@ secmodel_securelevel_system_cb(kauth_cre
result = KAUTH_RESULT_DENY;
break;
+ case KAUTH_SYSTEM_UNENCRYPTED_SWAP:
+ if (securelevel > 0)
+ result = KAUTH_RESULT_DENY;
+ break;
+
case KAUTH_SYSTEM_DEBUG:
default:
break;
Index: sys/secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.54
diff -p -u -u -r1.54 secmodel_suser.c
--- sys/secmodel/suser/secmodel_suser.c 16 May 2020 19:12:38 -0000 1.54
+++ sys/secmodel/suser/secmodel_suser.c 16 May 2020 19:22:47 -0000
@@ -397,6 +397,11 @@ secmodel_suser_system_cb(kauth_cred_t cr
break;
+ case KAUTH_SYSTEM_UNENCRYPTED_SWAP:
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+ break;
+
case KAUTH_SYSTEM_VERIEXEC:
switch (req) {
case KAUTH_REQ_SYSTEM_VERIEXEC_ACCESS:
Index: sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.84
diff -p -u -u -r1.84 kauth.h
--- sys/sys/kauth.h 29 Apr 2020 05:54:37 -0000 1.84
+++ sys/sys/kauth.h 16 May 2020 19:22:47 -0000
@@ -152,6 +152,7 @@ enum {
KAUTH_SYSTEM_FS_SNAPSHOT,
KAUTH_SYSTEM_INTR,
KAUTH_SYSTEM_KERNADDR,
+ KAUTH_SYSTEM_UNENCRYPTED_SWAP,
};
/*
Index: sys/uvm/uvm_swap.c
===================================================================
RCS file: /cvsroot/src/sys/uvm/uvm_swap.c,v
retrieving revision 1.189
diff -p -u -u -r1.189 uvm_swap.c
--- sys/uvm/uvm_swap.c 10 May 2020 02:38:10 -0000 1.189
+++ sys/uvm/uvm_swap.c 16 May 2020 19:22:47 -0000
@@ -2078,12 +2078,34 @@ uvm_swap_decryptpage(struct swapdev *sdp
explicit_memset(&aes, 0, sizeof aes);
}
+static int
+sysctl_swap_encrypt(SYSCTLFN_ARGS)
+{
+ struct sysctlnode node;
+ int newval, error;
+
+ newval = *(int *)rnode->sysctl_data;
+
+ node = *rnode;
+ node.sysctl_data = &newval;
+ error = sysctl_lookup(SYSCTLFN_CALL(&node));
+ if (error || newp == NULL)
+ return error;
+
+ if (!newval && kauth_authorize_system(l->l_cred,
+ KAUTH_SYSTEM_UNENCRYPTED_SWAP, 0, NULL, NULL, NULL))
+ return EPERM;
+
+ *(int *)rnode->sysctl_data = newval;
+ return 0;
+}
+
SYSCTL_SETUP(sysctl_uvmswap_setup, "sysctl uvmswap setup")
{
sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_BOOL, "swap_encrypt",
SYSCTL_DESCR("Encrypt data when swapped out to disk"),
- NULL, 0, &uvm_swap_encrypt, 0,
+ &sysctl_swap_encrypt, 0, &uvm_swap_encrypt, 0,
CTL_VM, CTL_CREATE, CTL_EOL);
}
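Review bot: The new handler reads and writes the variable as `int` (`*(int *)rnode->sysctl_data`) while the node is still created as `CTLTYPE_BOOL`, so the handler and the node disagree on the width of the object. If `uvm_swap_encrypt` is declared `bool` (its declaration is outside this hunk), the final store writes `sizeof(int)` bytes over a smaller object and corrupts adjacent kernel memory, and `sysctl_lookup()` would presumably fill only part of `newval`. Keeping the handler in the node's type avoids this: `bool newval;`, `newval = *(bool *)rnode->sysctl_data;` and `*(bool *)rnode->sysctl_data = newval;`. A short comment above `sysctl_swap_encrypt` saying that only a write of 0 is subject to the `KAUTH_SYSTEM_UNENCRYPTED_SWAP` check would also help the next reader.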