From 150626f4876d4455a4553c9727e776e9c4dc9ec2 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 31 May 2022 10:51:21 +0800
Subject: [PATCH] lockdown: kABI workaround for lockdown_reason changes
Patch-mainline: Never, kABI workaround
References: bsc#1199426 CVE-2022-21499
The patch
patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch
introduced two new fields LOCKDOWN_DBG_WRITE/READ_KERNEL to struct
lockdown_reason.
Unfortunately, the kernel lockdown mechanism uses the LOCKDOWN_INTEGRITY_MAX
and LOCKDOWN_CONFIDENTIALITY_MAX fields to separate lockdown functions
into two different modes, so we cannot simply move the new LOCKDOWN_DBG_*
fields to the tail of lockdown_reason as usual.
In this case, we reuse LOCKDOWN_BPF_{READ|WRITE}_* for kgdb and modify
the lockdown_reason strings for adding kgdb wording. In the next SLE
kernel version, we will add enum padding to lockdown_reason before kABI
freeze to avoid this situation.
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
include/linux/security.h | 2 --
kernel/debug/debug_core.c | 2 +-
kernel/debug/kdb/kdb_main.c | 4 ++--
security/security.c | 6 ++----
4 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 3f70fe065..e0c7c822b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -121,12 +121,10 @@ enum lockdown_reason {
LOCKDOWN_DEBUGFS,
LOCKDOWN_XMON_WR,
LOCKDOWN_BPF_WRITE_USER,
- LOCKDOWN_DBG_WRITE_KERNEL,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_KCORE,
LOCKDOWN_KPROBES,
LOCKDOWN_BPF_READ_KERNEL,
- LOCKDOWN_DBG_READ_KERNEL,
LOCKDOWN_PERF,
LOCKDOWN_TRACEFS,
LOCKDOWN_XMON_RW,
diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
index 8d3ae54f2..24c295ae6 100644
--- a/kernel/debug/debug_core.c
+++ b/kernel/debug/debug_core.c
@@ -769,7 +769,7 @@ static int kgdb_cpu_enter(struct kgdb_state *ks, struct pt_regs *regs,
* themselves, especially with help from the lockdown
* message printed on the console!
*/
- if (security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL)) {
+ if (security_locked_down(LOCKDOWN_BPF_WRITE_USER)) {
if (IS_ENABLED(CONFIG_KGDB_KDB)) {
/* Switch back to kdb if possible... */
dbg_kdb_mode = 1;
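Review bot: The `security_locked_down(LOCKDOWN_BPF_WRITE_USER)` call in kgdb_cpu_enter now passes a BPF reason with no comment saying it stands in for the debugger check, so a later backport or cleanup could mistake it for an error and change it. A short comment above the call, e.g. `/* kABI: LOCKDOWN_BPF_WRITE_USER stands in for upstream LOCKDOWN_DBG_WRITE_KERNEL */`, would record the intent; the same applies to both calls in kdb_check_for_lockdown in kernel/debug/kdb/kdb_main.c. The enum hunk in include/linux/security.h shows each reused value on the same side of LOCKDOWN_INTEGRITY_MAX as the entry it replaces, so the lockdown level at which the debugger is restricted appears unchanged. Any LSM hook that decides per reason value can no longer tell BPF and debugger requests apart, which is worth stating in that comment. kgdb_cpu_enter starts and ends outside this hunk.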
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index 77c8bd41c..aa8cde88a 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -201,11 +201,11 @@ static void kdb_check_for_lockdown(void)
if (kdb_cmd_enabled & (KDB_ENABLE_ALL | write_flags))
need_to_lockdown_write =
- security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL);
+ security_locked_down(LOCKDOWN_BPF_WRITE_USER);
if (kdb_cmd_enabled & (KDB_ENABLE_ALL | read_flags))
need_to_lockdown_read =
- security_locked_down(LOCKDOWN_DBG_READ_KERNEL);
+ security_locked_down(LOCKDOWN_BPF_READ_KERNEL);
/* De-compose KDB_ENABLE_ALL if required */
if (need_to_lockdown_write || need_to_lockdown_read)
diff --git a/security/security.c b/security/security.c
index ae03d945f..88fde72a8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -58,13 +58,11 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
[LOCKDOWN_DEBUGFS] = "debugfs access",
[LOCKDOWN_XMON_WR] = "xmon write access",
- [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
- [LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
+ [LOCKDOWN_BPF_WRITE_USER] = "use of bpf/kgdb/kdb to write user/kernel RAM",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_KCORE] = "/proc/kcore access",
[LOCKDOWN_KPROBES] = "use of kprobes",
- [LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",
- [LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",
+ [LOCKDOWN_BPF_READ_KERNEL] = "use of bpf/kgdb/kdb to read kernel RAM",
[LOCKDOWN_PERF] = "unsafe use of perf",
[LOCKDOWN_TRACEFS] = "use of tracefs",
[LOCKDOWN_XMON_RW] = "xmon read and write access",
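Review bot: The merged strings for `LOCKDOWN_BPF_WRITE_USER` and `LOCKDOWN_BPF_READ_KERNEL` make a lockdown denial ambiguous between BPF and kgdb/kdb, and "write user/kernel RAM" reads as if BPF were also restricted from writing kernel RAM under this reason. If these strings reach the kernel log or audit records, as their wording suggests, monitoring rules that match the old text `use of bpf to write user RAM` or `use of bpf to read kernel RAM` will stop matching on this kernel and need updating. A comment above the two entries, e.g. `/* kABI: shared with kgdb/kdb; upstream uses LOCKDOWN_DBG_* */`, would tell a reader why the wording differs from mainline. The array initializer continues outside the hunk.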
--
2.26.2