[PATCH 20/24] security: fastboot: add security policy for fastboot oem

[Sascha Hauer]

Fastboot OEM commands allow to execute arbitrary commands via fastboot,
so add a security policy for it to limit access to this functionality.

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
 common/Sconfig    | 4 ++++
 common/fastboot.c | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/common/Sconfig b/common/Sconfig
index edbc4bc028af79e2a72bb86de94ecce5c7b7643d..9142685a1d3f9846e69b746e545420eab5935661 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -6,6 +6,10 @@ config RATP
 	bool "Allow remote control via RATP"
 	depends on $(kconfig-enabled,CONSOLE_RATP)
 
+config FASTBOOT_CMD_OEM
+	bool "Allow Fastboot OEM commands"
+	depends on $(kconfig-enabled,FASTBOOT_CMD_OEM)
+
 endmenu
 
 menu "Boot Policy"
diff --git a/common/fastboot.c b/common/fastboot.c
index 603391de77392aa7e1e61e32fd1844642f8ea42c..5c83b102e13909d49401ce03f9a98c6077894ee0 100644
--- a/common/fastboot.c
+++ b/common/fastboot.c
@@ -42,6 +42,7 @@
 #include <linux/types.h>
 #include <linux/stat.h>
 #include <linux/mtd/mtd.h>
+#include <security/config.h>
 #include <fastboot.h>
 #include <system-partitions.h>
 
@@ -966,6 +967,11 @@ static void __maybe_unused cb_oem(struct fastboot *fb, const char *cmd)
 {
 	pr_debug("%s: \"%s\"\n", __func__, cmd);
 
+	if (!IS_ALLOWED(SCONFIG_FASTBOOT_CMD_OEM)) {
+		fastboot_tx_print(fb, FASTBOOT_MSG_FAIL, "OEM commands not allowed");
+		return;
+	}
+
 	fb_run_command(fb, cmd, cmd_oem_dispatch_info, ARRAY_SIZE(cmd_oem_dispatch_info));
 }
 

-- 
2.39.5