summaryrefslogtreecommitdiffstats
path: root/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@fedoraproject.org>2020-04-26 21:15:20 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2020-04-26 21:15:20 -0500
commit6c2cc50051831fa502a8b082a312ca90e7039f3f (patch)
treebb474cc356d09fb7963eadaeb127a00f7fed6531 /0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
parentd1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236 (diff)
downloadkernel-6c2cc50051831fa502a8b082a312ca90e7039f3f.tar.gz
kernel-6c2cc50051831fa502a8b082a312ca90e7039f3f.tar.xz
kernel-6c2cc50051831fa502a8b082a312ca90e7039f3f.zip
kernel-5.7.0-0.rc3.1
* Sun Apr 26 2020 CKI@GitLab <cki-project@redhat.com> [5.7.0-0.rc3.1] - v5.7-rc3 rebase - Add cec to the filter overrides ("Justin M. Forbes") - Add overrides to filter-modules.sh ("Justin M. Forbes") - Adjust the changelog update script to not push anything (Jeremy Cline) - Drop --target noarch from the rh-rpms make target (Jeremy Cline) Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to '0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch')
-rw-r--r--0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch18
1 files changed, 9 insertions, 9 deletions
diff --git a/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch b/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
index 154271305..f7baef09c 100644
--- a/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
+++ b/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
@@ -1,4 +1,4 @@
-From 154a1cadac2380c5439c20d0073176601fae2ca1 Mon Sep 17 00:00:00 2001
+From 9c4460884d6fd08e62cf3b50f3d5889efa9d40e9 Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Mon, 30 Sep 2019 21:22:47 +0000
Subject: [PATCH] security: lockdown: expose a hook to lock the kernel down
@@ -22,11 +22,11 @@ index 9cd4455528e5..dfa09696a0e5 100644
+++ b/include/linux/lsm_hook_defs.h
@@ -371,6 +371,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
#endif /* CONFIG_BPF_SYSCALL */
-
+
LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
+
-
+
#ifdef CONFIG_PERF_EVENTS
LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
@@ -56,7 +56,7 @@ index a8d9310472df..381305889d89 100644
int security_locked_down(enum lockdown_reason what);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
#else /* CONFIG_SECURITY */
-
+
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1273,6 +1274,10 @@ static inline int security_locked_down(enum lockdown_reason what)
{
@@ -67,19 +67,19 @@ index a8d9310472df..381305889d89 100644
+ return 0;
+}
#endif /* CONFIG_SECURITY */
-
+
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 5a952617a0eb..61cc3cdc4d25 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
-
+
static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
};
-
+
static int __init lockdown_lsm_init(void)
diff --git a/security/security.c b/security/security.c
index 7fed24b9d57e..37fab5c5d974 100644
@@ -88,7 +88,7 @@ index 7fed24b9d57e..37fab5c5d974 100644
@@ -2456,6 +2456,12 @@ int security_locked_down(enum lockdown_reason what)
}
EXPORT_SYMBOL(security_locked_down);
-
+
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return call_int_hook(lock_kernel_down, 0, where, level);
@@ -99,5 +99,5 @@ index 7fed24b9d57e..37fab5c5d974 100644
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
--
-2.26.0
+2.26.2