pciguard/sysfs_utils.cc - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2020 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "pciguard/sysfs_utils.h"

 #include <base/command_line.h>
 #include <base/files/file_enumerator.h>
 #include <base/files/file_util.h>
 #include <base/logging.h>
 #include <base/strings/string_util.h>
 #include <brillo/syslog_logging.h>

 #include <set>
 #include <string>
 #include <sysexits.h>

 namespace pciguard {

 namespace {

 // Actual driver allowlist.
 const char* kAllowlist[] = {
     // TODO(b/163121310): Finalize allowlist
     "pcieport",  // PCI Core services - AER, Hotplug etc.
     "xhci_hcd",  // XHCI host controller driver.
     "nvme",      // PCI Express NVME host controller driver.
     "ahci",      // AHCI driver
     "igb",       // Intel Gigabit Ethernet driver
 };

 }  // namespace

 SysfsUtils::SysfsUtils() : SysfsUtils(FilePath("/")) {}

 SysfsUtils::SysfsUtils(FilePath root)
     : allowlist_path_(root.Append("sys/bus/pci/drivers_allowlist")),
       pci_lockdown_path_(root.Append("sys/bus/pci/drivers_allowlist_lockdown")),
       pci_rescan_path_(root.Append("sys/bus/pci/rescan")),
       tbt_devices_path_(root.Append("sys/bus/thunderbolt/devices")),
       pci_devices_path_(root.Append("sys/bus/pci/devices")) {}

 int SysfsUtils::SetAuthorizedAttribute(base::FilePath devpath, bool enable) {
   if (!PathExists(devpath)) {
     PLOG(ERROR) << "Path doesn't exist : " << devpath;
     return EXIT_FAILURE;
   }

   base::FilePath symlink;
   // Check it is a thunderbolt path
   if (!base::ReadSymbolicLink(devpath.Append("subsystem"), &symlink) ||
       !base::EndsWith(symlink.value(), "/bus/thunderbolt",
                       base::CompareCase::SENSITIVE)) {
     LOG(ERROR) << "Not a thunderbolt devpath: " << devpath;
     return EXIT_FAILURE;
   }

   base::FilePath authorized_path = devpath.Append("authorized");
   std::string authorized;

   // Proceed only if authorized file exists
   if (!base::ReadFileToString(authorized_path, &authorized))
     return EXIT_SUCCESS;

   // Nevermind if no need to change the state.
   if (!authorized.empty() &&
       ((enable && authorized[0] != '0') || (!enable && authorized[0] == '0')))
     return EXIT_SUCCESS;

   auto val = "0";
   if (enable) {
     LOG(INFO) << "Authorizing:" << devpath;
     val = "1";
   } else {
     LOG(INFO) << "Deauthorizing:" << devpath;
   }

   if (base::WriteFile(authorized_path, val, 1) != 1) {
     PLOG(ERROR) << "Couldn't write " << val << " to " << authorized_path;
     return EXIT_FAILURE;
   }

   return EXIT_SUCCESS;
 }

 int SysfsUtils::DeauthorizeThunderboltDev(base::FilePath devpath) {
   return SetAuthorizedAttribute(devpath, false);
 }

 int SysfsUtils::OnInit(void) {
   if (!base::PathIsWritable(allowlist_path_) ||
       !base::PathIsWritable(pci_lockdown_path_)) {
     PLOG(ERROR) << "Kernel is missing needed support for external PCI security";
     return EX_OSFILE;
   }

   if (base::WriteFile(pci_lockdown_path_, "1", 1) != 1) {
     PLOG(ERROR) << "Couldn't write 1 to " << pci_lockdown_path_;
     return EX_IOERR;
   }

   for (auto drvr_name : kAllowlist) {
     if (base::WriteFile(allowlist_path_, drvr_name, sizeof(drvr_name)) ==
         sizeof(drvr_name))
       LOG(INFO) << "Allowed " << drvr_name;
     else
       PLOG(ERROR) << "Couldn't allow " << drvr_name;
   }
   return EX_OK;
 }

 int SysfsUtils::AuthorizeThunderboltDev(base::FilePath devpath) {
   return SetAuthorizedAttribute(devpath, true);
 }

 int SysfsUtils::AuthorizeAllDevices(void) {
   LOG(INFO) << "Authorizing all external PCI devices";

   // Allow drivers to bind to PCI devices. This also binds any PCI devices
   // that may have been hotplugged "into" external peripherals, while the
   // screen was locked.
   if (base::WriteFile(pci_lockdown_path_, "0", 1) != 1) {
     PLOG(ERROR) << "Couldn't write 0 to " << pci_lockdown_path_;
     return EXIT_FAILURE;
   }

   int ret = EXIT_SUCCESS;

   // Add any PCI devices that we removed when the user had logged off.
   if (base::WriteFile(pci_rescan_path_, "1", 1) != 1) {
     PLOG(ERROR) << "Couldn't write 1 to " << pci_rescan_path_;
     ret = EXIT_FAILURE;
   }

   // Create an BFS ordered set of thunderbolt devices.
   auto cmp = [](const base::FilePath& dev1, const base::FilePath& dev2) {
     base::FilePath symlink1, symlink2;
     (void)base::ReadSymbolicLink(dev1, &symlink1);
     (void)base::ReadSymbolicLink(dev2, &symlink2);
     return symlink1 < symlink2;
   };
   std::set<base::FilePath, decltype(cmp)> thunderbolt_devs(cmp);
   base::FileEnumerator iter(tbt_devices_path_, false,
                             base::FileEnumerator::DIRECTORIES);
   for (auto devpath = iter.Next(); !devpath.empty(); devpath = iter.Next())
     thunderbolt_devs.insert(devpath);

   // Authorize the thunderbolt devices in BFS order (sorting using the
   // symlinks to which the devices point, gives us BFS). This is
   // required because if a parent is deauthorized, the children are
   // automatically deauthorized, but vice versa is not true.
   for (auto dev : thunderbolt_devs) {
     if (AuthorizeThunderboltDev(dev))
       ret = EXIT_FAILURE;
   }

   return ret;
 }

 int SysfsUtils::DenyNewDevices(void) {
   LOG(INFO) << "Will deny all new external PCI devices";

   // Deny drivers to bind to any *new* external PCI devices.
   if (base::WriteFile(pci_lockdown_path_, "1", 1) != 1) {
     PLOG(ERROR) << "Couldn't write 1 to " << pci_lockdown_path_;
     return EXIT_FAILURE;
   }
   return EXIT_SUCCESS;
 }

 int SysfsUtils::DeauthorizeAllDevices(void) {
   int ret = EXIT_SUCCESS;
   if (DenyNewDevices())
     return EXIT_FAILURE;

   LOG(INFO) << "Deauthorizing all external PCI devices";

   // Remove all untrusted (external) PCI devices.
   base::FileEnumerator iter(pci_devices_path_, false,
                             base::FileEnumerator::DIRECTORIES);
   for (auto devpath = iter.Next(); !devpath.empty(); devpath = iter.Next()) {
     std::string untrusted;

     // It is possible this device may already been have removed (as an effect
     // of its parent being removed).
     if (!PathExists(devpath))
       continue;

     // Proceed only if there is an "untrusted" file.
     if (!base::ReadFileToString(devpath.Append("untrusted"), &untrusted) ||
         untrusted.empty()) {
       PLOG(ERROR) << "Couldn't read " << devpath << "/untrusted";
       ret = EXIT_FAILURE;
       continue;
     }

     // Nevermind the trusted devices.
     if (untrusted[0] == '0')
       continue;

     // Remove untrusted device.
     if (base::WriteFile(devpath.Append("remove"), "1", 1) != 1) {
       PLOG(ERROR) << "Couldn't remove untrusted device " << devpath;
       ret = EXIT_FAILURE;
     }
   }

   // Deauthorize all thunderbolt devices.
   base::FileEnumerator tbt_iter(tbt_devices_path_, false,
                                 base::FileEnumerator::DIRECTORIES);
   for (auto devpath = tbt_iter.Next(); !devpath.empty();
        devpath = tbt_iter.Next()) {
     if (DeauthorizeThunderboltDev(devpath))
       ret = EXIT_FAILURE;
   }
   return ret;
 }

 }  // namespace pciguard
	// Copyright 2020 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "pciguard/sysfs_utils.h"

	#include <base/command_line.h>
	#include <base/files/file_enumerator.h>
	#include <base/files/file_util.h>
	#include <base/logging.h>
	#include <base/strings/string_util.h>
	#include <brillo/syslog_logging.h>

	#include <set>
	#include <string>
	#include <sysexits.h>

	namespace pciguard {

	namespace {

	// Actual driver allowlist.
	const char* kAllowlist[] = {
	// TODO(b/163121310): Finalize allowlist
	"pcieport", // PCI Core services - AER, Hotplug etc.
	"xhci_hcd", // XHCI host controller driver.
	"nvme", // PCI Express NVME host controller driver.
	"ahci", // AHCI driver
	"igb", // Intel Gigabit Ethernet driver
	};

	} // namespace

	SysfsUtils::SysfsUtils() : SysfsUtils(FilePath("/")) {}

	SysfsUtils::SysfsUtils(FilePath root)
	: allowlist_path_(root.Append("sys/bus/pci/drivers_allowlist")),
	pci_lockdown_path_(root.Append("sys/bus/pci/drivers_allowlist_lockdown")),
	pci_rescan_path_(root.Append("sys/bus/pci/rescan")),
	tbt_devices_path_(root.Append("sys/bus/thunderbolt/devices")),
	pci_devices_path_(root.Append("sys/bus/pci/devices")) {}

	int SysfsUtils::SetAuthorizedAttribute(base::FilePath devpath, bool enable) {
	if (!PathExists(devpath)) {
	PLOG(ERROR) << "Path doesn't exist : " << devpath;
	return EXIT_FAILURE;
	}

	base::FilePath symlink;
	// Check it is a thunderbolt path
	if (!base::ReadSymbolicLink(devpath.Append("subsystem"), &symlink) \|\|
	!base::EndsWith(symlink.value(), "/bus/thunderbolt",
	base::CompareCase::SENSITIVE)) {
	LOG(ERROR) << "Not a thunderbolt devpath: " << devpath;
	return EXIT_FAILURE;
	}

	base::FilePath authorized_path = devpath.Append("authorized");
	std::string authorized;

	// Proceed only if authorized file exists
	if (!base::ReadFileToString(authorized_path, &authorized))
	return EXIT_SUCCESS;

	// Nevermind if no need to change the state.
	if (!authorized.empty() &&
	((enable && authorized[0] != '0') \|\| (!enable && authorized[0] == '0')))
	return EXIT_SUCCESS;

	auto val = "0";
	if (enable) {
	LOG(INFO) << "Authorizing:" << devpath;
	val = "1";
	} else {
	LOG(INFO) << "Deauthorizing:" << devpath;
	}

	if (base::WriteFile(authorized_path, val, 1) != 1) {
	PLOG(ERROR) << "Couldn't write " << val << " to " << authorized_path;
	return EXIT_FAILURE;
	}

	return EXIT_SUCCESS;
	}

	int SysfsUtils::DeauthorizeThunderboltDev(base::FilePath devpath) {
	return SetAuthorizedAttribute(devpath, false);
	}

	int SysfsUtils::OnInit(void) {
	if (!base::PathIsWritable(allowlist_path_) \|\|
	!base::PathIsWritable(pci_lockdown_path_)) {
	PLOG(ERROR) << "Kernel is missing needed support for external PCI security";
	return EX_OSFILE;
	}

	if (base::WriteFile(pci_lockdown_path_, "1", 1) != 1) {
	PLOG(ERROR) << "Couldn't write 1 to " << pci_lockdown_path_;
	return EX_IOERR;
	}

	for (auto drvr_name : kAllowlist) {
	if (base::WriteFile(allowlist_path_, drvr_name, sizeof(drvr_name)) ==
	sizeof(drvr_name))
	LOG(INFO) << "Allowed " << drvr_name;
	else
	PLOG(ERROR) << "Couldn't allow " << drvr_name;
	}
	return EX_OK;
	}

	int SysfsUtils::AuthorizeThunderboltDev(base::FilePath devpath) {
	return SetAuthorizedAttribute(devpath, true);
	}

	int SysfsUtils::AuthorizeAllDevices(void) {
	LOG(INFO) << "Authorizing all external PCI devices";

	// Allow drivers to bind to PCI devices. This also binds any PCI devices
	// that may have been hotplugged "into" external peripherals, while the
	// screen was locked.
	if (base::WriteFile(pci_lockdown_path_, "0", 1) != 1) {
	PLOG(ERROR) << "Couldn't write 0 to " << pci_lockdown_path_;
	return EXIT_FAILURE;
	}

	int ret = EXIT_SUCCESS;

	// Add any PCI devices that we removed when the user had logged off.
	if (base::WriteFile(pci_rescan_path_, "1", 1) != 1) {
	PLOG(ERROR) << "Couldn't write 1 to " << pci_rescan_path_;
	ret = EXIT_FAILURE;
	}

	// Create an BFS ordered set of thunderbolt devices.
	auto cmp = [](const base::FilePath& dev1, const base::FilePath& dev2) {
	base::FilePath symlink1, symlink2;
	(void)base::ReadSymbolicLink(dev1, &symlink1);
	(void)base::ReadSymbolicLink(dev2, &symlink2);
	return symlink1 < symlink2;
	};
	std::set<base::FilePath, decltype(cmp)> thunderbolt_devs(cmp);
	base::FileEnumerator iter(tbt_devices_path_, false,
	base::FileEnumerator::DIRECTORIES);
	for (auto devpath = iter.Next(); !devpath.empty(); devpath = iter.Next())
	thunderbolt_devs.insert(devpath);

	// Authorize the thunderbolt devices in BFS order (sorting using the
	// symlinks to which the devices point, gives us BFS). This is
	// required because if a parent is deauthorized, the children are
	// automatically deauthorized, but vice versa is not true.
	for (auto dev : thunderbolt_devs) {
	if (AuthorizeThunderboltDev(dev))
	ret = EXIT_FAILURE;
	}

	return ret;
	}

	int SysfsUtils::DenyNewDevices(void) {
	LOG(INFO) << "Will deny all new external PCI devices";

	// Deny drivers to bind to any new external PCI devices.
	if (base::WriteFile(pci_lockdown_path_, "1", 1) != 1) {
	PLOG(ERROR) << "Couldn't write 1 to " << pci_lockdown_path_;
	return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
	}

	int SysfsUtils::DeauthorizeAllDevices(void) {
	int ret = EXIT_SUCCESS;
	if (DenyNewDevices())
	return EXIT_FAILURE;

	LOG(INFO) << "Deauthorizing all external PCI devices";

	// Remove all untrusted (external) PCI devices.
	base::FileEnumerator iter(pci_devices_path_, false,
	base::FileEnumerator::DIRECTORIES);
	for (auto devpath = iter.Next(); !devpath.empty(); devpath = iter.Next()) {
	std::string untrusted;

	// It is possible this device may already been have removed (as an effect
	// of its parent being removed).
	if (!PathExists(devpath))
	continue;

	// Proceed only if there is an "untrusted" file.
	if (!base::ReadFileToString(devpath.Append("untrusted"), &untrusted) \|\|
	untrusted.empty()) {
	PLOG(ERROR) << "Couldn't read " << devpath << "/untrusted";
	ret = EXIT_FAILURE;
	continue;
	}

	// Nevermind the trusted devices.
	if (untrusted[0] == '0')
	continue;

	// Remove untrusted device.
	if (base::WriteFile(devpath.Append("remove"), "1", 1) != 1) {
	PLOG(ERROR) << "Couldn't remove untrusted device " << devpath;
	ret = EXIT_FAILURE;
	}
	}

	// Deauthorize all thunderbolt devices.
	base::FileEnumerator tbt_iter(tbt_devices_path_, false,
	base::FileEnumerator::DIRECTORIES);
	for (auto devpath = tbt_iter.Next(); !devpath.empty();
	devpath = tbt_iter.Next()) {
	if (DeauthorizeThunderboltDev(devpath))
	ret = EXIT_FAILURE;
	}
	return ret;
	}

	} // namespace pciguard