Commit 747875b6, authored by Xiangyu Lu, committed by Chen Jun

security: restrict init parameters by configuration

euler inclusion
category: bugfix
bugzilla: 46850
CVE: NA

---------------------------------

The Linux kernel allows specifying a single-user mode, or specifying the init
process by the init parameter, which could bypass the login authentication
mechanisms and give direct access to the root identity. Close init kernel boot
parameters through CONFIG_SECURITY_BOOT_INIT.

Signed-off-by: Xiangyu Lu <luxiangyu@huawei.com>
Reviewed-by: Wang Kai <morgan.wang@huawei.com>
Signed-off-by: Weilong Chen <chenweilong@huawei.com>
[hj: backport from hulk-3.10 for security enhancement]
Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
Signed-off-by: gaobo <gaobo794@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Parent 953f06e0
......@@ -572,6 +572,7 @@ static int __init unknown_bootoption(char *param, char *val,
return 0;
}
#ifndef CONFIG_SECURITY_BOOT_INIT
static int __init init_setup(char *str)
{
unsigned int i;
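Review bot: the new `#ifndef CONFIG_SECURITY_BOOT_INIT` above `init_setup()` covers only the `init=` and `rdinit=` handlers, while the commit message also names single-user mode as a bypass. Single-user mode is normally requested with a bare word such as `single` that the kernel passes on to init as an argument, and nothing in the guarded region touches that path. Either state in the commit message and help text that only `init=` and `rdinit=` are disabled, or cover the pass-through argument as well. A one-line comment above the `#ifndef` saying why the handlers are compiled out would also help the next reader.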
......@@ -600,6 +601,7 @@ static int __init rdinit_setup(char *str)
return 1;
}
__setup("rdinit=", rdinit_setup);
#endif
#ifndef CONFIG_SMP
static const unsigned int setup_max_cpus = NR_CPUS;
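Review bot: with the `#endif` placed after `__setup("rdinit=", rdinit_setup);`, both handlers vanish when the option is set, so no message from them tells the administrator that an `init=` or `rdinit=` on the command line was ignored. Consider keeping stub handlers under `#else` that log a notice and return 1, so an attempted override is visible in the boot log. Also annotate the close as `#endif /* CONFIG_SECURITY_BOOT_INIT */`, since it sits roughly thirty lines away from its `#ifndef`.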
......
......@@ -291,5 +291,11 @@ config LSM
source "security/Kconfig.hardening"
config SECURITY_BOOT_INIT
bool "Disable init & rdinit parameters in cmdline"
default n
help
No support init and rdinit parameters in cmdline
endmenu
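Review bot: the help text `No support init and rdinit parameters in cmdline` does not tell someone configuring the kernel what they gain or lose. Spell out that enabling the option makes the kernel ignore `init=` and `rdinit=`, so the boot command line cannot be used to start another program in place of init, and that this also removes `init=` as a recovery path. `default n` is redundant for a `bool` and can be dropped, and because the entry follows `source "security/Kconfig.hardening"` it may fit better inside that file alongside the other hardening options.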