From: Ahmad Fatoum <[email protected]> The go command doesn't do any signature verification and allows executing arbitrary code. Add a security option, so a policy can disable this command at runtime.
Signed-off-by: Ahmad Fatoum <[email protected]> --- Sconfig | 1 + commands/Sconfig | 12 ++++++++++++ commands/go.c | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/Sconfig b/Sconfig index ee6ddf53bccbdc427227b8b0e8fe9eeefb470047..93f5760ad96fdde7141c47e2680dc5f4bc142ca7 100644 --- a/Sconfig +++ b/Sconfig @@ -5,3 +5,4 @@ mainmenu "Barebox/$(ARCH) Security Configuration" source "scripts/Sconfig.include" source "security/Sconfig" +source "commands/Sconfig" diff --git a/commands/Sconfig b/commands/Sconfig new file mode 100644 index 0000000000000000000000000000000000000000..7e6d937e162ce154b3993d03a9103181ea61af5d --- /dev/null +++ b/commands/Sconfig @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-2.0-only + +menu "Command Policy" + +config CMD_GO + bool "Allow go command" + depends on $(kconfig-enabled,CMD_GO) + help + The go command jumps to an arbitrary address after shutting + down barebox and does not do any signature verification. + +endmenu diff --git a/commands/go.c b/commands/go.c index 3449a2181ad076e30ea96f016245806a59d657c4..640911d90db28c0dc60b713267dcab14627c793c 100644 --- a/commands/go.c +++ b/commands/go.c @@ -11,6 +11,7 @@ #include <getopt.h> #include <linux/ctype.h> #include <errno.h> +#include <security/config.h> #define INT_ARGS_MAX 4 @@ -24,6 +25,9 @@ static int do_go(int argc, char *argv[]) ulong arg[INT_ARGS_MAX] = {}; bool pass_argv = true; + if (!IS_ALLOWED(SCONFIG_CMD_GO)) + return -EPERM; + while ((opt = getopt(argc, argv, "+si")) > 0) { switch (opt) { case 's': -- 2.39.5
