From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH 21/24] security: shell: add policy for executing the shell
Date: Wed, 20 Aug 2025 15:18:05 +0200
Message-ID: <20250820-security-policies-v1-21-76fde70fdbd8@pengutronix.de>
In-Reply-To: <20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de>
Executing shell scripts can be dangerous in secure environments, so add
a security policy for it. While shell scripts can be executed securely
if made sure that no scripts from unknown sources are executed,
executing an interactive shell for sure is not desired in secure
environments, so offer two options: One for disabling the shell entirely
and one for disabling interactive shells.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
common/Sconfig | 18 ++++++++++++++++++
common/console.c | 5 +++++
common/console_simple.c | 5 +++++
common/hush.c | 13 +++++++++++++
common/parser.c | 7 +++++++
5 files changed, 48 insertions(+)
diff --git a/common/Sconfig b/common/Sconfig
index 9142685a1d3f9846e69b746e545420eab5935661..ac027022e932dffd429f0b34cb8e1a199b0b595b 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -2,6 +2,24 @@
menu "General Settings"
+config SHELL
+ bool "Allow executing shell scripts"
+ depends on $(kconfig-enabled,SHELL_HUSH) || $(kconfig-enabled,SHELL_SIMPLE)
+ help
+ Say y here if you want to allow executing shell scripts. Shell scripts are
+ potentially dangerous when coming from untrusted sources. Enable this option
+ only when only trusted scripts can be executed, i.e. ENVIRONMENT_LOAD and
+ untrusted filesystems are disabled.
+
+config SHELL_INTERACTIVE
+ bool "Allow executing interactive shell"
+ depends on SHELL
+ help
+ An interactive shell cannot be safely executed in trusted environments. Disable
+ this option in lockdown security configs.
+
+ Disabling this option also disables interruption with ctrl-c keystrokes.
+
config RATP
bool "Allow remote control via RATP"
depends on $(kconfig-enabled,CONSOLE_RATP)
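Review bot: the SHELL_INTERACTIVE help text says an interactive shell "cannot be safely executed in trusted environments", which states the opposite of what the option is for; the commit message ("not desired in secure environments") and the SHELL help above it suggest this should read "secure" (or "untrusted") environments. Suggested: `An interactive shell cannot be safely executed in secure environments. Disable` / `this option in lockdown security configs.` It would also help to mention in the SHELL help that ctrl-c handling is gated by SHELL_INTERACTIVE rather than SHELL, since a reader who only disables SHELL will, through the `depends on SHELL`, lose ctrl-c as well and the only sentence saying so sits under the second option.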
diff --git a/common/console.c b/common/console.c
index 65e4f1f852243fa15d19e68d724cf340b950df06..ee498fadf3700376b6325be10911b2081ff1ebb3 100644
--- a/common/console.c
+++ b/common/console.c
@@ -25,6 +25,7 @@
#include <linux/list.h>
#include <linux/stringify.h>
#include <debug_ll.h>
+#include <security/config.h>
LIST_HEAD(console_list);
EXPORT_SYMBOL(console_list);
@@ -673,6 +674,10 @@ EXPORT_SYMBOL(ctrlc_non_interruptible);
int ctrlc(void)
{
resched();
+
+ if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+ return 0;
+
return ctrlc_non_interruptible();
}
EXPORT_SYMBOL(ctrlc);
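Review bot: placing the IS_ALLOWED() check after resched() is the right order, since cooperative scheduling must keep running even when interruption is denied, but ctrlc() is typically polled from tight loops (transfers, wait loops), so this adds a policy lookup per iteration; if IS_ALLOWED() is more than a plain flag read, consider caching the result or documenting that it is cheap. Note also that ctrlc_non_interruptible() stays exported and unchecked, so any caller that wants to bypass the policy can still poll it directly; a short comment above ctrlc() stating that only ctrlc() honours SCONFIG_SHELL_INTERACTIVE would make that intent explicit.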
diff --git a/common/console_simple.c b/common/console_simple.c
index 702087bd23d75c3c7d3d0aec25c97f0e88064ef1..f00fd567ed5d1ec7b0a8f00179953c08dda49de3 100644
--- a/common/console_simple.c
+++ b/common/console_simple.c
@@ -6,6 +6,7 @@
#include <errno.h>
#include <debug_ll.h>
#include <console.h>
+#include <security/config.h>
LIST_HEAD(console_list);
EXPORT_SYMBOL(console_list);
@@ -70,6 +71,10 @@ EXPORT_SYMBOL(console_flush);
int ctrlc (void)
{
int ret = 0;
+
+ if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+ return 0;
+
#ifdef CONFIG_ARCH_HAS_CTRLC
ret = arch_ctrlc();
#else
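Review bot: this is the same IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE) check as in common/console.c's ctrlc(); the duplication is expected since the two files are alternative console implementations, but a small static inline in console.h (e.g. a hypothetical `ctrlc_allowed()`) used by both would keep the policy logic in one place if further conditions are added later.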
diff --git a/common/hush.c b/common/hush.c
index 21348c4b7510f074c9bdf27bc35dce0b17648648..8515e7733828715147fdbfba25844af3cca61e35 100644
--- a/common/hush.c
+++ b/common/hush.c
@@ -118,6 +118,7 @@
#include <binfmt.h>
#include <init.h>
#include <shell.h>
+#include <security/config.h>
/*cmd_boot.c*/
extern int do_bootd(int flag, int argc, char *argv[]); /* do_bootd */
@@ -1693,6 +1694,9 @@ char *shell_expand(char *str)
o_string o = {};
char *res, *parsed;
+ if (!IS_ALLOWED(SCONFIG_SHELL))
+ return str;
+
remove_quotes_in_str(str);
o.quote = 1;
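Review bot: returning `str` itself from shell_expand() when SCONFIG_SHELL is denied is a different contract from the normal path, which builds a result in `res`/`parsed` and, by the look of those locals, hands back freshly allocated memory; a caller that frees the return value would then free the buffer it passed in. If the function's contract is to return an allocated string, return a copy (e.g. `xstrdup(str)`) or make the denial an error the caller can see, rather than silently skipping expansion.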
@@ -1910,6 +1914,9 @@ int run_command(const char *cmd)
struct p_context ctx = {};
int ret;
+ if (!IS_ALLOWED(SCONFIG_SHELL))
+ return -EPERM;
+
initialize_context(&ctx);
ret = parse_string_outer(&ctx, cmd, FLAG_PARSE_SEMICOLON);
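Review bot: -EPERM here is silent; unless IS_ALLOWED() itself reports denials, an operator debugging a locked-down image only sees a command fail with no indication that the security policy refused it. A single (rate-limited or one-time) message naming the denied option would make policy-caused failures distinguishable from ordinary command errors without leaking anything about the command itself.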
@@ -1922,6 +1929,9 @@ static int execute_script(const char *path, int argc, char *argv[])
{
int ret;
+ if (!IS_ALLOWED(SCONFIG_SHELL))
+ return -EPERM;
+
env_push_context();
ret = source_script(path, argc, argv);
env_pop_context();
@@ -1963,6 +1973,9 @@ int run_shell(void)
struct p_context ctx = {};
int exit = 0;
+ if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+ return -EPERM;
+
login();
do {
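Review bot: run_shell() now returns -EPERM before login(), but the hunk does not show what its callers do when the shell is refused; if the interactive shell is the last fallback in the init sequence, callers may not expect run_shell() to return at all. Worth stating in the commit message or a comment what the defined behaviour is when SCONFIG_SHELL_INTERACTIVE is denied (for example that init falls through to the configured boot path or halts), so that a denied shell does not leave the board in an undefined state.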
diff --git a/common/parser.c b/common/parser.c
index 387cd64c42677419ca12bbde5bb7a811c03fa11d..16fff052cf63b7a0e237bc2de1188b27af1b9809 100644
--- a/common/parser.c
+++ b/common/parser.c
@@ -5,6 +5,7 @@
#include <password.h>
#include <environment.h>
#include <shell.h>
+#include <security/config.h>
/*
* not yet supported
@@ -190,6 +191,9 @@ int run_command(const char *cmd)
int argc, inquotes;
int rc = 0;
+ if (!IS_ALLOWED(SCONFIG_SHELL))
+ return -EPERM;
+
#ifdef DEBUG
pr_debug("[RUN_COMMAND] cmd[%p]=\"", cmd);
puts (cmd ? cmd : "NULL"); /* use puts - string may be loooong */
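Review bot: the check sits above the `#ifdef DEBUG` block, so in debug builds a refused command is never printed; moving the IS_ALLOWED() check below the pr_debug()/puts() would let debug output show what was refused while keeping the same -EPERM behaviour.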
@@ -269,6 +273,9 @@ int run_shell(void)
static char lastcommand[CONFIG_CBSIZE] = { 0, };
int len;
+ if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+ return -EPERM;
+
login();
for (;;) {
--
2.39.5