From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001

From: Jeremy Cline <jcline@redhat.com>

Date: Mon, 30 Sep 2019 21:22:47 +0000

Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down

Patch-mainline: Never, Fedora Core 32

References: jsc#SLE-9870

In order to automatically lock down kernels running on UEFI machines

booted in Secure Boot mode, expose the lock_kernel_down() hook.

Signed-off-by: Jeremy Cline <jcline@redhat.com>

Acked-by: Lee, Chun-Yi <jlee@suse.com>

---

 include/linux/lsm_hook_defs.h |    1 +

 include/linux/lsm_hooks.h     |    6 ++++++

 include/linux/security.h      |    5 +++++

 security/lockdown/lockdown.c  |    1 +

 security/security.c           |    6 ++++++

 5 files changed, 19 insertions(+)

--- a/include/linux/lsm_hook_defs.h

+++ b/include/linux/lsm_hook_defs.h

@@ -403,6 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_fr

 #endif /* CONFIG_BPF_SYSCALL */

 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)

+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)

 #ifdef CONFIG_PERF_EVENTS

 LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)

--- a/include/linux/lsm_hooks.h

+++ b/include/linux/lsm_hooks.h

@@ -1618,6 +1618,12 @@

  *	@what: kernel feature being accessed.

  *	Return 0 if permission is granted.

  *

+ * @lock_kernel_down

+ *     Put the kernel into lock-down mode.

+ *

+ *     @where: Where the lock-down is originating from (e.g. command line option)

+ *     @level: The lock-down level (can only increase)

+ *

  * Security hooks for perf events

  *

  * @perf_event_open:

--- a/include/linux/security.h

+++ b/include/linux/security.h

@@ -487,6 +487,7 @@ int security_inode_notifysecctx(struct i

 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);

 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);

 int security_locked_down(enum lockdown_reason what);

+int security_lock_kernel_down(const char *where, enum lockdown_reason level);

 #else /* CONFIG_SECURITY */

 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)

@@ -1402,6 +1403,10 @@ static inline int security_locked_down(e

 {

 	return 0;

 }

+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)

+{

+	return 0;

+}

 #endif	/* CONFIG_SECURITY */

 #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)

--- a/security/lockdown/lockdown.c

+++ b/security/lockdown/lockdown.c

@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum

 static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {

 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),

+	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),

 };

 static int __init lockdown_lsm_init(void)

--- a/security/security.c

+++ b/security/security.c

@@ -2705,6 +2705,12 @@ int security_locked_down(enum lockdown_r

 }

 EXPORT_SYMBOL(security_locked_down);

+int security_lock_kernel_down(const char *where, enum lockdown_reason level)

+{

+	return call_int_hook(lock_kernel_down, 0, where, level);

+}

+EXPORT_SYMBOL(security_lock_kernel_down);

+

 #ifdef CONFIG_PERF_EVENTS

 int security_perf_event_open(struct perf_event_attr *attr, int type)

 {