From: Xiangyu Lu <luxiangyu@huawei.com>

euler inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I8OYXL
CVE: NA
---------------------------------
The Linux kernel allows specifying a single-user mode, or specifying the init process via the init parameter, which could bypass the login authentication mechanisms and give direct access to the root identity. Close the init kernel boot parameters through CONFIG_SECURITY_BOOT_INIT.

Signed-off-by: Xiangyu Lu <luxiangyu@huawei.com>
Reviewed-by: Wang Kai <morgan.wang@huawei.com>
Signed-off-by: Weilong Chen <chenweilong@huawei.com>
[hj: backport from hulk-3.10 for security enhancement]
Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
Signed-off-by: gaobo <gaobo794@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Signed-off-by: Yi Yang <yiyang13@huawei.com>
---
 init/main.c      | 2 ++
 security/Kconfig | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/init/main.c b/init/main.c index 7bbce78cdccf..ba7da8fe83ea 100644 --- a/init/main.c +++ b/init/main.c @@ -573,6 +573,7 @@ static int __init unknown_bootoption(char *param, char *val, return 0; }
+#ifndef CONFIG_SECURITY_BOOT_INIT static int __init init_setup(char *str) { unsigned int i; @@ -601,6 +602,7 @@ static int __init rdinit_setup(char *str) return 1; } __setup("rdinit=", rdinit_setup); +#endif
#ifndef CONFIG_SMP static const unsigned int setup_max_cpus = NR_CPUS; diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..9a6b9a115bb9 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -249,5 +249,11 @@ config LSM
source "security/Kconfig.hardening"
+config SECURITY_BOOT_INIT + bool "Disable init & rdinit parameters in cmdline" + default n + help + No support init and rdinit parameters in cmdline + endmenu
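Review bot: The scope of the init/main.c change is narrower than the commit message claims. Wrapping init_setup() and rdinit_setup() (and their __setup("init=", ...) / __setup("rdinit=", ...) registrations) in #ifndef CONFIG_SECURITY_BOOT_INIT only removes the ability to override the init binary; it does nothing about the single-user mode mentioned in the commit message, which is selected by the init program from the arguments handed to it, not by either of these handlers. Either drop the single-user-mode sentence from the commit message or add a separate change and describe it explicitly, so that distribution maintainers enabling this option know what it does and does not protect against.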
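Review bot: With the two __setup handlers compiled out, "init=" and "rdinit=" are no longer recognised boot parameters and will be treated by unknown_bootoption() (the function immediately above the first hunk) like any other unrecognised key=value option rather than being rejected. That is acceptable behaviour, but it is a silent change: an administrator who passes init=/bin/sh on a kernel built with this option gets no diagnostic and the parameter is simply not honoured. Please state this in the Kconfig help text and consider a pr_warn()/pr_info() in the #ifdef CONFIG_SECURITY_BOOT_INIT branch so the ignored parameter shows up in the boot log, which is what a detection pipeline would want to key on.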
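Review bot: The help text in the security/Kconfig hunk is ungrammatical and too terse to be useful ("No support init and rdinit parameters in cmdline"), and the symbol name reads as though it enables something rather than disables it. Suggest rewording the help along the lines of:

	  Ignore the init= and rdinit= kernel command-line parameters, so that
	  the init process cannot be replaced (for example with a shell) at boot
	  time to bypass login authentication. If unsure, say N.

and, if the symbol is not yet used by any out-of-tree consumer, renaming it to something self-describing such as SECURITY_DISABLE_BOOT_INIT. The `default n` line is also redundant, since bool options default to n.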