Commit e464994b authored Dec 16, 2023 by Xiangyu Lu Committed by Yi Yang Dec 16, 2023

security: restrict init parameters by configuration

euler inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I8OYXL


CVE: NA

---------------------------------

Linux kernel allow to specify a single-user mode, or specify the init process by
init parameter, which could bypass the login authentication mechanisms, direct
access to root identify. Close init kernel boot parameters through
CONFIG_SECURITY_BOOT_INIT.

Signed-off-by: Xiangyu Lu <luxiangyu@huawei.com>
Reviewed-by: Wang Kai <morgan.wang@huawei.com>
Signed-off-by: Weilong Chen <chenweilong@huawei.com>
[hj: backport from hulk-3.10 for security enhancement]
Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
Signed-off-by: gaobo <gaobo794@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Signed-off-by: Yi Yang <yiyang13@huawei.com>

parent 80971b57

init/main.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -573,6 +573,7 @@ static int __init unknown_bootoption(char param, char val,
		return 0;
		}

		#ifndef CONFIG_SECURITY_BOOT_INIT
		static int __init init_setup(char *str)
		{
		unsigned int i;
		@@ -601,6 +602,7 @@ static int __init rdinit_setup(char *str)
		return 1;
		}
		__setup("rdinit=", rdinit_setup);
		#endif

		#ifndef CONFIG_SMP
		static const unsigned int setup_max_cpus = NR_CPUS;

security/Kconfig

+6 −0

Original line number	Diff line number	Diff line
		@@ -249,5 +249,11 @@ config LSM

		source "security/Kconfig.hardening"

		config SECURITY_BOOT_INIT
		bool "Disable init & rdinit parameters in cmdline"
		default n
		help
		No support init and rdinit parameters in cmdline

		endmenu