From: Xiangyu Lu <luxiangyu@huawei.com> euler inclusion category: bugfix bugzilla: 46850 CVE: NA --------------------------------- Linux kernel allow to specify a single-user mode, or specify the init process by init parameter, which could bypass the login authentication mechanisms, direct access to root identify. Close init kernel boot parameters through CONFIG_SECURITY_BOOT_INIT. Signed-off-by: Xiangyu Lu <luxiangyu@huawei.com> Reviewed-by: Wang Kai <morgan.wang@huawei.com> Signed-off-by: Weilong Chen <chenweilong@huawei.com> [hj: backport from hulk-3.10 for security enhancement] Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org> Signed-off-by: gaobo <gaobo794@huawei.com> Reviewed-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: zhangyi (F) <yi.zhang@huawei.com> --- init/main.c | 2 ++ security/Kconfig | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/init/main.c b/init/main.c index 32b2a8affafd..1e3c3371ea5d 100644 --- a/init/main.c +++ b/init/main.c @@ -572,6 +572,7 @@ static int __init unknown_bootoption(char *param, char *val, return 0; } +#ifndef CONFIG_SECURITY_BOOT_INIT static int __init init_setup(char *str) { unsigned int i; @@ -600,6 +601,7 @@ static int __init rdinit_setup(char *str) return 1; } __setup("rdinit=", rdinit_setup); +#endif #ifndef CONFIG_SMP static const unsigned int setup_max_cpus = NR_CPUS; diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..a178816f61ed 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -291,5 +291,11 @@ config LSM source "security/Kconfig.hardening" +config SECURITY_BOOT_INIT + bool "Disable init & rdinit parameters in cmdline" + default n + help + No support init and rdinit parameters in cmdline + endmenu -- 2.25.0