kernel/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch

104 lines
3.7 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Mon, 30 Sep 2019 21:22:47 +0000
Subject: [PATCH] security: lockdown: expose a hook to lock the kernel down
In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the lock_kernel_down() hook.
Upstream Status: RHEL only
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
include/linux/lsm_hook_defs.h | 2 ++
include/linux/lsm_hooks.h | 6 ++++++
include/linux/security.h | 5 +++++
security/lockdown/lockdown.c | 1 +
security/security.c | 6 ++++++
5 files changed, 20 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index fb3ce6cec997..a9dac118b66e 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -372,6 +372,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
#endif /* CONFIG_BPF_SYSCALL */
LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
+
#ifdef CONFIG_PERF_EVENTS
LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 3e62dab77699..1696345315e0 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1484,6 +1484,12 @@
*
* @what: kernel feature being accessed
*
+ * @lock_kernel_down
+ * Put the kernel into lock-down mode.
+ *
+ * @where: Where the lock-down is originating from (e.g. command line option)
+ * @level: The lock-down level (can only increase)
+ *
* Security hooks for perf events
*
* @perf_event_open:
diff --git a/include/linux/security.h b/include/linux/security.h
index b3f2cb21b4f2..5e54ba73c257 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1280,6 +1281,10 @@ static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 87cbdc64d272..18555cf18da7 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
};
static int __init lockdown_lsm_init(void)
diff --git a/security/security.c b/security/security.c
kernel-5.8.0-0.rc0.20200610git84fc461db99b.1 * Wed Jun 10 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.8.0-0.rc0.20200610git84fc461db99b.1] - 84fc461db99b rebase - Fix PATCHLEVEL for merge window ("Justin M. Forbes") - PCI: tegra: Revert raw_violation_fixup for tegra124 (Nicolas Chauvet) - Change ark CONFIG_COMMON_CLK to yes, it is selected already by other options ("Justin M. Forbes") - More module filtering for Fedora ("Justin M. Forbes") - Update filters for rnbd in Fedora ("Justin M. Forbes") - Fix up module filtering for 5.8 ("Justin M. Forbes") - More Fedora config work ("Justin M. Forbes") - RTW88BE and CE have been extracted to their own modules ("Justin M. Forbes") - Set CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK for Fedora ("Justin M. Forbes") - Arm64 Use Branch Target Identification for kernel ("Justin M. Forbes") - Fedora config updates ("Justin M. Forbes") - Change value of CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE ("Justin M. Forbes") - Fix configs for Fedora ("Justin M. Forbes") - Fix update_scripts.sh unselective pattern sub (David Howells) - Updated changelog for the release based on b0c3ba31be3e ("CKI@GitLab") - Drop the static path configuration for the Sphinx docs (Jeremy Cline) - Sign off generated configuration patches (Jeremy Cline) - Use __make macro instead of make (Tom Stellard) - redhat/configs: Enable CONFIG_SMC91X and disable CONFIG_SMC911X (Prarit Bhargava) [http://bugzilla.redhat.com/1722136] Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
2020-06-10 22:01:45 +00:00
index e0290b7e6a08..124ecb15a291 100644
--- a/security/security.c
+++ b/security/security.c
kernel-5.8.0-0.rc0.20200610git84fc461db99b.1 * Wed Jun 10 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.8.0-0.rc0.20200610git84fc461db99b.1] - 84fc461db99b rebase - Fix PATCHLEVEL for merge window ("Justin M. Forbes") - PCI: tegra: Revert raw_violation_fixup for tegra124 (Nicolas Chauvet) - Change ark CONFIG_COMMON_CLK to yes, it is selected already by other options ("Justin M. Forbes") - More module filtering for Fedora ("Justin M. Forbes") - Update filters for rnbd in Fedora ("Justin M. Forbes") - Fix up module filtering for 5.8 ("Justin M. Forbes") - More Fedora config work ("Justin M. Forbes") - RTW88BE and CE have been extracted to their own modules ("Justin M. Forbes") - Set CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK for Fedora ("Justin M. Forbes") - Arm64 Use Branch Target Identification for kernel ("Justin M. Forbes") - Fedora config updates ("Justin M. Forbes") - Change value of CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE ("Justin M. Forbes") - Fix configs for Fedora ("Justin M. Forbes") - Fix update_scripts.sh unselective pattern sub (David Howells) - Updated changelog for the release based on b0c3ba31be3e ("CKI@GitLab") - Drop the static path configuration for the Sphinx docs (Jeremy Cline) - Sign off generated configuration patches (Jeremy Cline) - Use __make macro instead of make (Tom Stellard) - redhat/configs: Enable CONFIG_SMC91X and disable CONFIG_SMC911X (Prarit Bhargava) [http://bugzilla.redhat.com/1722136] Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
2020-06-10 22:01:45 +00:00
@@ -2479,6 +2479,12 @@ int security_locked_down(enum lockdown_reason what)
}
EXPORT_SYMBOL(security_locked_down);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return call_int_hook(lock_kernel_down, 0, where, level);
+}
+EXPORT_SYMBOL(security_lock_kernel_down);
+
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
--
2.26.2