From 150626f4876d4455a4553c9727e776e9c4dc9ec2 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 31 May 2022 10:51:21 +0800
Subject: [PATCH] lockdown: kABI workaround for lockdown_reason changes
Patch-mainline: Never, kABI workaround
References: bsc#1199426 CVE-2022-21499

The patch
patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch
introduced two new fields LOCKDOWN_DBG_WRITE/READ_KERNEL to struct
lockdown_reason.

Unfortunately kernel lockdown mechanism uses LOCKDOWN_INTEGRITY_MAX
and LOCKDOWN_CONFIDENTIALITY_MAX fields to separate lockdown functions
into two different modes. So we can not just move new LOCKDOWN_DBG_*
fields to the tail of lockdown_reason as usual.

In this case, we reuse LOCKDOWN_BPF_{READ|WRITE}_* for kgdb and modify
the lockdown_reason strings for adding kgdb wording. In the next SLE
kernel version, we will add enum padding to lockdown_reason before kABI
freeze to avoid this situation.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>

[Yousaf]: For SLE15-SP5 keep contents of the following patch only:
commit e7f714552eb4 ("powerpc/rtas: block error injection when locked down (bsc#1023051).")
Signed-off-by: Yousaf Kaukab <ykaukab@suse.de>
---
 arch/powerpc/kernel/rtas.c | 4 ++--
 include/linux/security.h   | 1 -
 security/security.c        | 3 +--
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 2e4926e97378..8507f8821543 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -480,7 +480,7 @@ int rtas_call(int token, int nargs, int nret, int *outputs, ...)
 		 * from security_locked_down(), but callers expect an
 		 * RTAS status, not an errno.
 		 */
-		if (security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION))
+		if (security_locked_down(LOCKDOWN_XMON_WR))
 			return -1;
 	}
 
@@ -1112,7 +1112,7 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
 	if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) {
 		int err;
 
-		err = security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION);
+		err = security_locked_down(LOCKDOWN_XMON_WR);
 		if (err)
 			return err;
 	}
diff --git a/include/linux/security.h b/include/linux/security.h
index 0903a1d83608..3f70fe065c7f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -122,7 +122,6 @@ enum lockdown_reason {
 	LOCKDOWN_XMON_WR,
 	LOCKDOWN_BPF_WRITE_USER,
 	LOCKDOWN_DBG_WRITE_KERNEL,
-	LOCKDOWN_RTAS_ERROR_INJECTION,
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_KCORE,
 	LOCKDOWN_KPROBES,
diff --git a/security/security.c b/security/security.c
index 101287984740..2d51e084b38b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -57,10 +57,9 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",
 	[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
 	[LOCKDOWN_DEBUGFS] = "debugfs access",
-	[LOCKDOWN_XMON_WR] = "xmon write access",
+	[LOCKDOWN_XMON_WR] = "xmon write access, rtas error injection",
 	[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
 	[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
-	[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",
-- 
2.35.3