[PATCH v2 20/24] security: fastboot: add security policy for fastboot oem

Sascha Hauer s.hauer at pengutronix.de
Wed Sep 17 06:53:40 PDT 2025


Fastboot OEM commands allow arbitrary commands to be executed via fastboot,
so add a security policy option for them to limit access to this functionality.

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
 common/Sconfig    | 4 ++++
 common/fastboot.c | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/common/Sconfig b/common/Sconfig
index edbc4bc028af79e2a72bb86de94ecce5c7b7643d..9142685a1d3f9846e69b746e545420eab5935661 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -6,6 +6,10 @@ config RATP
 	bool "Allow remote control via RATP"
 	depends on $(kconfig-enabled,CONSOLE_RATP)
 
+config FASTBOOT_CMD_OEM
+	bool "Allow Fastboot OEM commands"
+	depends on $(kconfig-enabled,FASTBOOT_CMD_OEM)
+
 endmenu
 
 menu "Boot Policy"
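Review bot: The new `FASTBOOT_CMD_OEM` entry has no help text, so a policy author sees only the prompt "Allow Fastboot OEM commands" and not what granting it exposes. The commit message states that OEM commands allow arbitrary command execution via fastboot, and that belongs next to the option, for example a `help` stanza reading `Allows fastboot "oem" commands, which can run arbitrary commands on the device. Leave disabled in locked-down policies.` The neighbouring RATP entry shows no help text in this hunk either, so this assumes Sconfig accepts a `help` stanza the way Kconfig does.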
diff --git a/common/fastboot.c b/common/fastboot.c
index e5c79c22376caa81dbd6bb9385e103a7afd7dfe9..b661d610a3ce32fd4c148537a4a2f9308d00fdf9 100644
--- a/common/fastboot.c
+++ b/common/fastboot.c
@@ -42,6 +42,7 @@
 #include <linux/types.h>
 #include <linux/stat.h>
 #include <linux/mtd/mtd.h>
+#include <security/config.h>
 #include <fastboot.h>
 #include <system-partitions.h>
 
@@ -968,6 +969,11 @@ static void __maybe_unused cb_oem(struct fastboot *fb, const char *cmd)
 {
 	pr_debug("%s: \"%s\"\n", __func__, cmd);
 
+	if (!IS_ALLOWED(SCONFIG_FASTBOOT_CMD_OEM)) {
+		fastboot_tx_print(fb, FASTBOOT_MSG_FAIL, "OEM commands not allowed");
+		return;
+	}
+
 	fb_run_command(fb, cmd, cmd_oem_dispatch_info, ARRAY_SIZE(cmd_oem_dispatch_info));
 }
 
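Review bot: A rejected OEM command leaves no trace on the device above debug level: the only log line in `cb_oem` is the `pr_debug` ahead of the new check, and the denial branch reports only to the fastboot host. Unless `IS_ALLOWED` already logs denials itself (not visible here), consider recording the attempt with `pr_warn("%s: OEM command rejected by security policy\n", __func__);` before the `fastboot_tx_print` call, so repeated attempts against a locked-down device show up in the console log. Whether `cb_oem` is the only path into `cmd_oem_dispatch_info` cannot be confirmed from this hunk, so it is worth checking that no other caller reaches the dispatch table without passing this check.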

-- 
2.47.3



