From e464994b10c4d427b458e16ac6b8b71aba5e2738 Mon Sep 17 00:00:00 2001 From: Xiangyu Lu Date: Sat, 16 Dec 2023 09:39:22 +0000 Subject: [PATCH] security: restrict init parameters by configuration euler inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8OYXL CVE: NA --------------------------------- Linux kernel allow to specify a single-user mode, or specify the init process by init parameter, which could bypass the login authentication mechanisms, direct access to root identify. Close init kernel boot parameters through CONFIG_SECURITY_BOOT_INIT. Signed-off-by: Xiangyu Lu Reviewed-by: Wang Kai Signed-off-by: Weilong Chen [hj: backport from hulk-3.10 for security enhancement] Signed-off-by: Hanjun Guo Signed-off-by: gaobo Reviewed-by: Jason Yan Signed-off-by: zhangyi (F) Acked-by: Xie XiuQi Signed-off-by: Chen Jun Signed-off-by: Yi Yang --- init/main.c | 2 ++ security/Kconfig | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/init/main.c b/init/main.c index 7bbce78cdccf..ba7da8fe83ea 100644 --- a/init/main.c +++ b/init/main.c @@ -573,6 +573,7 @@ static int __init unknown_bootoption(char *param, char *val, return 0; } +#ifndef CONFIG_SECURITY_BOOT_INIT static int __init init_setup(char *str) { unsigned int i; @@ -601,6 +602,7 @@ static int __init rdinit_setup(char *str) return 1; } __setup("rdinit=", rdinit_setup); +#endif #ifndef CONFIG_SMP static const unsigned int setup_max_cpus = NR_CPUS; diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..9a6b9a115bb9 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -249,5 +249,11 @@ config LSM source "security/Kconfig.hardening" +config SECURITY_BOOT_INIT + bool "Disable init & rdinit parameters in cmdline" + default n + help + No support init and rdinit parameters in cmdline + endmenu -- Gitee