From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Mon, 30 Sep 2019 21:22:47 +0000
Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
Patch-mainline: Never, Fedora Core 32
References: jsc#SLE-9870

In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the lock_kernel_down() hook.

Signed-off-by: Jeremy Cline <jcline@redhat.com>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
 include/linux/lsm_hooks.h    |    8 ++++++++
 include/linux/security.h     |    5 +++++
 security/lockdown/lockdown.c |    1 +
 security/security.c          |    6 ++++++
 4 files changed, 20 insertions(+)

--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1451,6 +1451,12 @@
  *     code execution in kernel space should be permitted.
  *
  *     @what: kernel feature being accessed
+ *
+ * @lock_kernel_down
+ *     Put the kernel into lock-down mode.
+ *
+ *     @where: Where the lock-down is originating from (e.g. command line option)
+ *     @level: The lock-down level (can only increase)
  */
 union security_list_options {
 	int (*binder_set_context_mgr)(struct task_struct *mgr);
@@ -1813,6 +1819,7 @@ union security_list_options {
 	void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
 #endif /* CONFIG_BPF_SYSCALL */
 	int (*locked_down)(enum lockdown_reason what);
+	int (*lock_kernel_down)(const char *where, enum lockdown_reason level);
 };
 
 struct security_hook_heads {
@@ -2053,6 +2060,7 @@ struct security_hook_heads {
 	struct hlist_head bpf_prog_free_security;
 #endif /* CONFIG_BPF_SYSCALL */
 	struct hlist_head locked_down;
+	struct hlist_head lock_kernel_down;
 } __randomize_layout;
 
 /*
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct i
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 int security_locked_down(enum lockdown_reason what);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
 #else /* CONFIG_SECURITY */
 
 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1263,6 +1264,10 @@ static inline int security_locked_down(e
 {
 	return 0;
 }
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return 0;
+}
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
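Review bot: The CONFIG_SECURITY=n stub of security_lock_kernel_down() returns 0, i.e. reports success, although nothing has been locked down; the same holds for the default value 0 passed to call_int_hook() in the security/security.c hunk when no LSM registers the hook. A caller such as the Secure Boot path named in the description therefore cannot tell "locked down" from "no lockdown support compiled in" by the return value alone. If that is the intended semantics it should be stated, e.g. a comment on the stub: `/* No LSM support: report success even though no lockdown is applied. */`; if not, a distinct error value such as `-EOPNOTSUPP` would let callers detect the missing enforcement, but that changes the contract for all users of the hook and needs a decision rather than a drive-by fix.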
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum
 
 static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
+	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
 };
 
 static int __init lockdown_lsm_init(void)
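Review bot: The new table entry binds the hook to lock_kernel_down(), a function defined outside this hunk, so its signature must match the union member `int (*)(const char *where, enum lockdown_reason level)` added in lsm_hooks.h or the LSM_HOOK_INIT initializer will fail to type-check. Because the header documents @level as something that "can only increase", that function is now reachable from any caller of security_lock_kernel_down() and is the only place the non-decreasing rule can be enforced; confirm it refuses a request whose level is at or below the current one rather than lowering it.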
--- a/security/security.c
+++ b/security/security.c
@@ -2398,3 +2398,9 @@ int security_locked_down(enum lockdown_r
 	return call_int_hook(locked_down, 0, what);
 }
 EXPORT_SYMBOL(security_locked_down);
+
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return call_int_hook(lock_kernel_down, 0, where, level);
+}
+EXPORT_SYMBOL(security_lock_kernel_down);
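Review bot: security_lock_kernel_down() is a new exported entry point with no kernel-doc, unlike the rest of the public security_*() API; a short header stating its purpose, the meaning of @where and @level, and that it returns the hook's result (0 when no LSM implements the hook) would make the contract explicit for the callers the description anticipates. Since EXPORT_SYMBOL makes it available to every loadable module, the documentation should also note that the hook is intended to raise the lockdown level only, so that module callers are not led to expect it to relax lockdown. The non-decreasing behaviour itself is implemented in the LSM, not in this dispatcher, and is not visible in this patch.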