From 150626f4876d4455a4553c9727e776e9c4dc9ec2 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 31 May 2022 10:51:21 +0800
Subject: [PATCH] lockdown: kABI workaround for lockdown_reason changes
Patch-mainline: Never, kABI workaround
References: bsc#1199426, CVE-2022-21499

The patch
patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch
introduced two new fields LOCKDOWN_DBG_WRITE/READ_KERNEL to struct
lockdown_reason.

Unfortunately, the kernel lockdown mechanism uses the
LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX fields to
separate lockdown functions into two different modes, so we cannot just
move the new LOCKDOWN_DBG_* fields to the tail of lockdown_reason as usual.

In this case, we reuse LOCKDOWN_DEBUGFS and LOCKDOWN_BPF_READ for kgdb
and modify the lockdown_reason strings for adding kgdb wording. In the
next SLE kernel version, we will add enum padding to lockdown_reason
before kABI freeze to avoid this situation.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 include/linux/security.h     |    2 --
 kernel/debug/debug_core.c    |    2 +-
 kernel/debug/kdb/kdb_main.c  |    4 ++--
 security/lockdown/lockdown.c |    6 ++----
 4 files changed, 5 insertions(+), 9 deletions(-)

--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -116,12 +116,10 @@ enum lockdown_reason {
 	LOCKDOWN_MODULE_PARAMETERS,
 	LOCKDOWN_MMIOTRACE,
 	LOCKDOWN_DEBUGFS,
-	LOCKDOWN_DBG_WRITE_KERNEL,
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_KCORE,
 	LOCKDOWN_KPROBES,
 	LOCKDOWN_BPF_READ,
-	LOCKDOWN_DBG_READ_KERNEL,
 	LOCKDOWN_PERF,
 	LOCKDOWN_TRACEFS,
 	LOCKDOWN_CONFIDENTIALITY_MAX,
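Review bot: LOCKDOWN_DEBUGFS and LOCKDOWN_BPF_READ now carry a second meaning that the enum does not record, so a reader of security.h cannot learn that they also gate kgdb/kdb. A short comment on each would help, for example `LOCKDOWN_DEBUGFS, /* kABI: also kgdb/kdb writes to kernel RAM */` and `LOCKDOWN_BPF_READ, /* kABI: also kgdb/kdb reads of kernel RAM */`. The comment could also say that each borrowed value sits on the same side of LOCKDOWN_INTEGRITY_MAX as the enumerator it replaces, since that placement is what keeps the integrity/confidentiality split intact. The enum starts and ends outside this hunk.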
--- a/kernel/debug/debug_core.c
+++ b/kernel/debug/debug_core.c
@@ -699,7 +699,7 @@ cpu_master_loop:
 			 * themselves, especially with help from the lockdown
 			 * message printed on the console!
 			 */
-			if (security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL)) {
+			if (security_locked_down(LOCKDOWN_DEBUGFS)) {
 				if (IS_ENABLED(CONFIG_KGDB_KDB)) {
 					/* Switch back to kdb if possible... */
 					dbg_kdb_mode = 1;
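Review bot: The check `security_locked_down(LOCKDOWN_DEBUGFS)` in the kgdb path reads as a debugfs policy test, and nothing at the call site says it is a kABI stand-in for LOCKDOWN_DBG_WRITE_KERNEL. A later backport or cleanup could "correct" it, or miss it when grepping for the debugger checks. A comment directly above the condition would prevent that, such as `/* kABI: LOCKDOWN_DEBUGFS stands in for LOCKDOWN_DBG_WRITE_KERNEL */`. The same applies to both calls in kdb_check_for_lockdown() in kernel/debug/kdb/kdb_main.c. The enclosing function begins and ends outside this hunk.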
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -232,11 +232,11 @@ static void kdb_check_for_lockdown(void)
 
 	if (kdb_cmd_enabled & (KDB_ENABLE_ALL | write_flags))
 		need_to_lockdown_write =
-			security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL);
+			security_locked_down(LOCKDOWN_DEBUGFS);
 
 	if (kdb_cmd_enabled & (KDB_ENABLE_ALL | read_flags))
 		need_to_lockdown_read =
-			security_locked_down(LOCKDOWN_DBG_READ_KERNEL);
+			security_locked_down(LOCKDOWN_BPF_READ);
 
 	/* De-compose KDB_ENABLE_ALL if required */
 	if (need_to_lockdown_write || need_to_lockdown_read)
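Review bot: Passing LOCKDOWN_BPF_READ for the kdb read check means any consumer of the reason value, other than the tier comparison, can no longer tell a debugger read from a bpf read; the same holds for the write check and debugfs. If an LSM or policy on this kernel decides per reason, it would apply its bpf or debugfs decision to kdb as well. That is not visible from this hunk and is worth confirming. A comment above the two checks would record the coupling, e.g. `/* kABI: kdb shares LOCKDOWN_DEBUGFS / LOCKDOWN_BPF_READ, so per-reason policy cannot separate them */`. kdb_check_for_lockdown() starts and ends outside the hunk.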
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -30,13 +30,11 @@ static const char *const lockdown_reason
 	[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",
 	[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",
 	[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
-	[LOCKDOWN_DEBUGFS] = "debugfs access",
-	[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
+	[LOCKDOWN_DEBUGFS] = "debugfs access or use of kgdb/kdb to write kernel RAM",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",
-	[LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
-	[LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",
+	[LOCKDOWN_BPF_READ] = "use of bpf/kgdb/kdb to read kernel RAM",
 	[LOCKDOWN_PERF] = "unsafe use of perf",
 	[LOCKDOWN_TRACEFS] = "use of tracefs",
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
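Review bot: The text for LOCKDOWN_BPF_READ changes from "use of bpf to read kernel RAM" to "use of bpf/kgdb/kdb to read kernel RAM", so a purely bpf-related denial now logs a different string, and the merged strings no longer say which facility was blocked. Assuming these strings feed the lockdown message printed on the console, log parsers or alert rules that match the old text exactly would stop matching. Triage of a denial would then need the task name or surrounding context to tell debugfs from kdb. A comment above the two entries, such as `/* kABI: reason shared with kgdb/kdb, see bsc#1199426 */`, would explain why the wording is combined. The array initializer continues outside this hunk.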