From: Xiangyu Lu luxiangyu@huawei.com

euler inclusion category: bugfix bugzilla: 46850 CVE: NA

---------------------------------

Linux kernel allow to specify a single-user mode, or specify the init process by init parameter, which could bypass the login authentication mechanisms, direct access to root identify. Close init kernel boot parameters through CONFIG_SECURITY_BOOT_INIT.

Signed-off-by: Xiangyu Lu luxiangyu@huawei.com Reviewed-by: Wang Kai morgan.wang@huawei.com Signed-off-by: Weilong Chen chenweilong@huawei.com [hj: backport from hulk-3.10 for security enhancement] Signed-off-by: Hanjun Guo hanjun.guo@linaro.org Signed-off-by: gaobo gaobo794@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: zhangyi (F) yi.zhang@huawei.com --- init/main.c | 2 ++ security/Kconfig | 6 ++++++ 2 files changed, 8 insertions(+)

diff --git a/init/main.c b/init/main.c index 32b2a8affafd..1e3c3371ea5d 100644 --- a/init/main.c +++ b/init/main.c @@ -572,6 +572,7 @@ static int __init unknown_bootoption(char *param, char *val, return 0; }

+#ifndef CONFIG_SECURITY_BOOT_INIT static int __init init_setup(char *str) { unsigned int i; @@ -600,6 +601,7 @@ static int __init rdinit_setup(char *str) return 1; } __setup("rdinit=", rdinit_setup); +#endif

#ifndef CONFIG_SMP static const unsigned int setup_max_cpus = NR_CPUS; diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..a178816f61ed 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -291,5 +291,11 @@ config LSM

source "security/Kconfig.hardening"

+config SECURITY_BOOT_INIT + bool "Disable init & rdinit parameters in cmdline" + default n + help + No support init and rdinit parameters in cmdline + endmenu