From 228a4ee828871783564b53c5fa20d4079c5aeb03 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Thu, 6 Jun 2019 18:12:27 +0000
Subject: [PATCH] Fix rbhz 1658675 again

This patch got dropped with the latest rebase to upstream's version of the lockdown patches.
---
 efi-lockdown.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++++
 kernel.spec | 3 +++
 2 files changed, 61 insertions(+)
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index e3ce55788..25c143fd3 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -2080,3 +2080,61 @@ index bb4dc78..c2e4953 100644
 +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
 --
 2.20.1
+
+From patchwork Wed Nov 21 12:05:10 2018
+Date: Wed, 21 Nov 2018 13:05:10 +0100
+From: Vasily Gorbik
+Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file
+ operation defined
+
+With "debugfs: Restrict debugfs when the kernel is locked down"
+return code "r" is unconditionally set to -EPERM, which stays like that
+until function return if no "open" file operation defined, effectivelly
+resulting in "Operation not permitted" for all such files despite kernel
+lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
+
+In particular this breaks 2 debugfs files on s390:
+/sys/kernel/debug/s390_hypfs/diag_304
+/sys/kernel/debug/s390_hypfs/diag_204
+
+To address that set EPERM return code only when debugfs_is_locked_down
+returns true.
+
+Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Vasily Gorbik
+---
+ fs/debugfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 51cb894c21f2..89c86faaa02a 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+
+ real_fops = debugfs_real_fops(filp);
+
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ return r == -EIO ? -ENOENT : r;
+
+ real_fops = debugfs_real_fops(filp);
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+--
+2.21.0
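Review bot: In the nested fs/debugfs/file.c change, the success path of open_proxy_open and full_proxy_open now relies on `r` already being 0 when the lockdown check is reached, and nothing at the check says so. In full_proxy_open the preceding `return r == -EIO ? -ENOENT : r;` suggests an earlier call leaves it at 0, but the open_proxy_open hunk does not show where `r` is set, and both function bodies start and end outside the hunk. A comment at each check would pin the intent, e.g. `/* r is 0 here; only a locked-down kernel turns this open into -EPERM */`. Since the commit message says this fix was already lost once in a rebase of the lockdown series, a regression check covering both directions would help: a debugfs file with no open operation opens when lockdown is off, and is still refused with -EPERM when debugfs_is_locked_down() returns true.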
diff --git a/kernel.spec b/kernel.spec
index 0c1f8a350..e2e12b67f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1815,6 +1815,9 @@ fi
 #
 #
 %changelog
+* Thu Jun 06 2019 Jeremy Cline
+- Fix incorrect permission denied with lock down off (rhbz 1658675)
+
 * Thu Jun 06 2019 Justin M. Forbes - 5.2.0-0.rc3.git2.1
 - Linux v5.2-rc3-37-g156c05917e09