From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH v2 21/24] security: shell: add policy for executing the shell
Date: Wed, 17 Sep 2025 15:53:41 +0200	[thread overview]
Message-ID: <20250917-security-policies-v2-21-f30769a3ff51@pengutronix.de> (raw)
In-Reply-To: <20250917-security-policies-v2-0-f30769a3ff51@pengutronix.de>

Executing shell scripts can be dangerous in secure environments, so add
a security policy for it. Shell scripts can still be executed safely
provided that no scripts from unknown sources are run, but an
interactive shell is never desirable in a secure environment. Therefore
offer two options: one for disabling the shell entirely and one for
disabling only the interactive shell.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/Sconfig          | 18 ++++++++++++++++++
 common/console.c        |  1 +
 common/console_ctrlc.c  |  4 ++++
 common/console_simple.c |  1 +
 common/hush.c           | 13 +++++++++++++
 common/parser.c         |  7 +++++++
 6 files changed, 44 insertions(+)

diff --git a/common/Sconfig b/common/Sconfig
index 9142685a1d3f9846e69b746e545420eab5935661..ac027022e932dffd429f0b34cb8e1a199b0b595b 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -2,6 +2,24 @@
 
 menu "General Settings"
 
+config SHELL
+	bool "Allow executing shell scripts"
+	depends on $(kconfig-enabled,SHELL_HUSH) || $(kconfig-enabled,SHELL_SIMPLE)
+	help
+	  Say y here if you want to allow executing shell scripts. Shell scripts are
+	  potentially dangerous when coming from untrusted sources. Enable this option
+	  only when only trusted scripts can be executed, i.e. ENVIRONMENT_LOAD and
+	  untrusted filesystems are disabled.
+
+config SHELL_INTERACTIVE
+	bool "Allow executing interactive shell"
+	depends on SHELL
+	help
+	  An interactive shell cannot be safely executed in trusted environments. Disable
+	  this option in lockdown security configs.
+
+	  Disabling this option also disables interruption with ctrl-c keystrokes.
+
 config RATP
 	bool "Allow remote control via RATP"
 	depends on $(kconfig-enabled,CONSOLE_RATP)
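Review bot: The SHELL_INTERACTIVE help text states that an interactive shell "cannot be safely executed in trusted environments", which reads inverted: the concern, as the commit message says, is secure or locked-down environments, so suggest `An interactive shell cannot be safely allowed in a locked-down (secure) configuration.` The SHELL help text also only implies what the option does not do; a sentence such as `This option does not authenticate scripts, it merely permits the interpreter to run them; enable it only in policies where every script source is trusted.` would make the trust boundary explicit for whoever assembles a policy.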
diff --git a/common/console.c b/common/console.c
index ceecb8730e55422b78eea7204dc9b9a70cf97212..8eff3dba925f6de077dd194651a137f30870989d 100644
--- a/common/console.c
+++ b/common/console.c
@@ -25,6 +25,7 @@
 #include <linux/list.h>
 #include <linux/stringify.h>
 #include <debug_ll.h>
+#include <security/config.h>
 
 LIST_HEAD(console_list);
 EXPORT_SYMBOL(console_list);
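Review bot: The added `#include <security/config.h>` in console.c, and the identical one in console_simple.c, has no user in this patch: the diffstat shows a single inserted line for each file and no IS_ALLOWED() call appears in either. If the include is groundwork for the console-input policy later in this series it belongs in that patch; otherwise drop it so each commit stays self-contained and bisectable.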
diff --git a/common/console_ctrlc.c b/common/console_ctrlc.c
index 0272eec280d1d8f6d4a1827580a3ee1fb4bc8da6..6fbe07252effeb6d78eff1d47c0c2fe998e80bc1 100644
--- a/common/console_ctrlc.c
+++ b/common/console_ctrlc.c
@@ -5,6 +5,7 @@
 #include <sched.h>
 #include <globalvar.h>
 #include <magicvar.h>
+#include <security/config.h>
 
 static int ctrlc_abort;
 static int ctrlc_allowed;
@@ -18,6 +19,9 @@ int ctrlc_non_interruptible(void)
 {
 	int ret = 0;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+		return 0;
+
 	if (!ctrlc_allowed)
 		return 0;
 
diff --git a/common/console_simple.c b/common/console_simple.c
index d2feb58ea3e2ff1c4b382350156ea3d30b88eb95..dc748d8b698140f589598190f75b0ba23892a9a4 100644
--- a/common/console_simple.c
+++ b/common/console_simple.c
@@ -6,6 +6,7 @@
 #include <errno.h>
 #include <debug_ll.h>
 #include <console.h>
+#include <security/config.h>
 
 LIST_HEAD(console_list);
 EXPORT_SYMBOL(console_list);
diff --git a/common/hush.c b/common/hush.c
index 21348c4b7510f074c9bdf27bc35dce0b17648648..8515e7733828715147fdbfba25844af3cca61e35 100644
--- a/common/hush.c
+++ b/common/hush.c
@@ -118,6 +118,7 @@
 #include <binfmt.h>
 #include <init.h>
 #include <shell.h>
+#include <security/config.h>
 
 /*cmd_boot.c*/
 extern int do_bootd(int flag, int argc, char *argv[]);      /* do_bootd */
@@ -1693,6 +1694,9 @@ char *shell_expand(char *str)
 	o_string o = {};
 	char *res, *parsed;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL))
+		return str;
+
 	remove_quotes_in_str(str);
 
 	o.quote = 1;
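Review bot: Returning `str` itself on the deny path likely breaks the ownership contract of shell_expand(): the rest of the function, outside this hunk, appears to build and return a freshly allocated string, and a caller that free()s the result would then free the buffer it passed in. If that is the case, return a copy, e.g. `return xstrdup(str);`, so both paths hand back owned memory; if the normal path really returns its input, disregard. Either way a short comment stating that no expansion happens under the policy and that callers receive `$var` text verbatim would help, since silently unexpanded strings may end up in boot arguments.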
@@ -1910,6 +1914,9 @@ int run_command(const char *cmd)
 	struct p_context ctx = {};
 	int ret;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL))
+		return -EPERM;
+
 	initialize_context(&ctx);
 
 	ret = parse_string_outer(&ctx, cmd, FLAG_PARSE_SEMICOLON);
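Review bot: The new -EPERM return rejects the command silently unless IS_ALLOWED() itself reports the denial; in a lockdown configuration an operator otherwise cannot tell a policy block from a broken script, so either log the rejected command (rate-limited, as this can be hit per command) or, if the policy core already logs violations, say so at the check, e.g. `/* denial is reported by the policy core */`. Callers that inspect specific return codes rather than treating any non-zero value as failure should be checked for the new -EPERM.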
@@ -1922,6 +1929,9 @@ static int execute_script(const char *path, int argc, char *argv[])
 {
 	int ret;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL))
+		return -EPERM;
+
 	env_push_context();
 	ret = source_script(path, argc, argv);
 	env_pop_context();
@@ -1963,6 +1973,9 @@ int run_shell(void)
 	struct p_context ctx = {};
 	int exit = 0;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+		return -EPERM;
+
 	login();
 
 	do {
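Review bot: run_shell() now returns -EPERM before login(); if its caller re-invokes it in a loop whenever the shell exits, an immediate return turns into a busy spin on a locked-down system, so the caller should evaluate the policy once and hang() or idle instead, or run_shell() should do so itself before returning. The same consideration applies to the identical change in parser.c's run_shell() below. run_shell continues outside the hunk.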
diff --git a/common/parser.c b/common/parser.c
index 387cd64c42677419ca12bbde5bb7a811c03fa11d..16fff052cf63b7a0e237bc2de1188b27af1b9809 100644
--- a/common/parser.c
+++ b/common/parser.c
@@ -5,6 +5,7 @@
 #include <password.h>
 #include <environment.h>
 #include <shell.h>
+#include <security/config.h>
 
 /*
  * not yet supported
@@ -190,6 +191,9 @@ int run_command(const char *cmd)
 	int argc, inquotes;
 	int rc = 0;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL))
+		return -EPERM;
+
 #ifdef DEBUG
 	pr_debug("[RUN_COMMAND] cmd[%p]=\"", cmd);
 	puts (cmd ? cmd : "NULL");	/* use puts - string may be loooong */
@@ -269,6 +273,9 @@ int run_shell(void)
 	static char lastcommand[CONFIG_CBSIZE] = { 0, };
 	int len;
 
+	if (!IS_ALLOWED(SCONFIG_SHELL_INTERACTIVE))
+		return -EPERM;
+
 	login();
 
 	for (;;) {

-- 
2.47.3



