[PATCH 22/24] security: add security policy for loading barebox environment
Sascha Hauer
s.hauer at pengutronix.de
Wed Aug 20 06:18:06 PDT 2025
In secure environments we shouldn't load a persistent and potentially
manipulated environment. Add a security policy for it.
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
common/Sconfig | 8 ++++++++
common/environment.c | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/common/Sconfig b/common/Sconfig
index ac027022e932dffd429f0b34cb8e1a199b0b595b..ec68bc2737af02cff3ce38c7bc1b9d59af2336c5 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -20,6 +20,14 @@ config SHELL_INTERACTIVE
Disabling this option also disables interruption with ctrl-c keystrokes.
+config ENVIRONMENT_LOAD
+ bool "Allow loading barebox environment from persistent media"
+ depends on $(kconfig-enabled,ENV_HANDLING)
+ help
+ The barebox environment doesn't have any security measures and could be
+ manipulated by an attacker. Loading it from persistent media imposes a
+ security risk and should thus be disabled.
+
config RATP
bool "Allow remote control via RATP"
depends on $(kconfig-enabled,CONSOLE_RATP)
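Review bot: The help text for ENVIRONMENT_LOAD says the option "should thus be disabled" but does not say what denying it does at runtime; since the companion change makes envfs_load() fail with -EPERM, state that here so a policy author knows persistent environment loads are refused outright rather than loaded read-only or verified. It would also help to say whether the compiled-in default environment is affected, because the Sconfig text as written could be read as disabling all environment handling.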
diff --git a/common/environment.c b/common/environment.c
index 33ab4c43295da0c66811d16649d0d6cc1a711277..62b8120cbd7d839b0d995bfe67b4e869a9e12aee 100644
--- a/common/environment.c
+++ b/common/environment.c
@@ -30,6 +30,7 @@
#include <efi/partition.h>
#include <bootsource.h>
#include <magicvar.h>
+#include <security/config.h>
#else
#define EXPORT_SYMBOL(x)
#endif
@@ -449,6 +450,11 @@ int envfs_load(const char *filename, const char *dir, unsigned flags)
int ret = 0;
size_t size, rsize;
+#ifdef __BAREBOX__
+ if (!IS_ALLOWED(SCONFIG_ENVIRONMENT_LOAD))
+ return -EPERM;
+#endif
+
if (!filename)
filename = default_environment_path_get();
if (!filename)
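Review bot: The early `return -EPERM` in envfs_load() is silent; consider logging once (e.g. a pr_warn/pr_debug before the return) that the load was refused by security policy, otherwise an operator debugging a missing environment only sees the generic failure from the caller, and a denied load is exactly the event a security policy should make visible. The placement before the `if (!filename)` lookup is good, as nothing has been allocated yet, and the `#ifdef __BAREBOX__` guard matches the one around the new `#include <security/config.h>` in the earlier hunk so the host-tool build is unaffected.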
--
2.39.5
More information about the barebox mailing list