Diffstat (limited to '0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch')
-rw-r--r-- | 0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch | 103 |
1 files changed, 0 insertions, 103 deletions
diff --git a/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch b/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
deleted file mode 100644
index 856055e60..000000000
--- a/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jcline@redhat.com>
-Date: Mon, 30 Sep 2019 21:22:47 +0000
-Subject: [PATCH] security: lockdown: expose a hook to lock the kernel down
-
-In order to automatically lock down kernels running on UEFI machines
-booted in Secure Boot mode, expose the lock_kernel_down() hook.
-
-Upstream Status: RHEL only
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- include/linux/lsm_hook_defs.h | 2 ++
- include/linux/lsm_hooks.h | 6 ++++++
- include/linux/security.h | 5 +++++
- security/lockdown/lockdown.c | 1 +
- security/security.c | 6 ++++++
- 5 files changed, 20 insertions(+)
-
-diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
-index 2a8c74d99015..0d3129588b78 100644
---- a/include/linux/lsm_hook_defs.h
-+++ b/include/linux/lsm_hook_defs.h
-@@ -383,6 +383,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
- #endif /* CONFIG_BPF_SYSCALL */
- 
- LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
-+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
-+
- 
- #ifdef CONFIG_PERF_EVENTS
- LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 9e2e3e63719d..317660f68b4f 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -1507,6 +1507,12 @@
- *
- * @what: kernel feature being accessed
- *
-+ * @lock_kernel_down
-+ * Put the kernel into lock-down mode.
-+ *
-+ * @where: Where the lock-down is originating from (e.g.
command line option)
-+ * @level: The lock-down level (can only increase)
-+ *
- * Security hooks for perf events
- *
- * @perf_event_open:
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 0a0a03b36a3b..26869f44416b 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
- int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
- int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
- int security_locked_down(enum lockdown_reason what);
-+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
- 
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1291,6 +1292,10 @@ static inline int security_locked_down(enum lockdown_reason what)
- {
- return 0;
- }
-+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+ return 0;
-+}
- #endif /* CONFIG_SECURITY */
- 
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 87cbdc64d272..18555cf18da7 100644
---- a/security/lockdown/lockdown.c
-+++ b/security/lockdown/lockdown.c
-@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
- 
- static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
- LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
-+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
- };
- 
- static int __init lockdown_lsm_init(void)
-diff --git a/security/security.c b/security/security.c
-index 70a7ad357bc6..23e16e773bc2 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -2516,6 +2516,12 @@ int security_locked_down(enum lockdown_reason what)
- }
- EXPORT_SYMBOL(security_locked_down);
- 
-+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+ 
return call_int_hook(lock_kernel_down, 0, where, level);
-+}
-+EXPORT_SYMBOL(security_lock_kernel_down);
-+
- 
- #ifdef CONFIG_PERF_EVENTS
- int security_perf_event_open(struct perf_event_attr *attr, int type)
- {
---
-2.28.0
-
|