summaryrefslogtreecommitdiffstats
path: root/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
diff options
context:
space:
mode:
Diffstat (limited to '0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch')
-rw-r--r--0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch103
1 files changed, 0 insertions, 103 deletions
diff --git a/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch b/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
deleted file mode 100644
index 856055e60..000000000
--- a/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-d.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jcline@redhat.com>
-Date: Mon, 30 Sep 2019 21:22:47 +0000
-Subject: [PATCH] security: lockdown: expose a hook to lock the kernel down
-
-In order to automatically lock down kernels running on UEFI machines
-booted in Secure Boot mode, expose the lock_kernel_down() hook.
-
-Upstream Status: RHEL only
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- include/linux/lsm_hook_defs.h | 2 ++
- include/linux/lsm_hooks.h | 6 ++++++
- include/linux/security.h | 5 +++++
- security/lockdown/lockdown.c | 1 +
- security/security.c | 6 ++++++
- 5 files changed, 20 insertions(+)
-
-diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
-index 2a8c74d99015..0d3129588b78 100644
---- a/include/linux/lsm_hook_defs.h
-+++ b/include/linux/lsm_hook_defs.h
-@@ -383,6 +383,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
- #endif /* CONFIG_BPF_SYSCALL */
-
- LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
-+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
-+
-
- #ifdef CONFIG_PERF_EVENTS
- LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 9e2e3e63719d..317660f68b4f 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -1507,6 +1507,12 @@
- *
- * @what: kernel feature being accessed
- *
-+ * @lock_kernel_down
-+ * Put the kernel into lock-down mode.
-+ *
-+ * @where: Where the lock-down is originating from (e.g. command line option)
-+ * @level: The lock-down level (can only increase)
-+ *
- * Security hooks for perf events
- *
- * @perf_event_open:
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 0a0a03b36a3b..26869f44416b 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
- int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
- int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
- int security_locked_down(enum lockdown_reason what);
-+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
-
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1291,6 +1292,10 @@ static inline int security_locked_down(enum lockdown_reason what)
- {
- return 0;
- }
-+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+ return 0;
-+}
- #endif /* CONFIG_SECURITY */
-
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 87cbdc64d272..18555cf18da7 100644
---- a/security/lockdown/lockdown.c
-+++ b/security/lockdown/lockdown.c
-@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
-
- static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
- LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
-+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
- };
-
- static int __init lockdown_lsm_init(void)
-diff --git a/security/security.c b/security/security.c
-index 70a7ad357bc6..23e16e773bc2 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -2516,6 +2516,12 @@ int security_locked_down(enum lockdown_reason what)
- }
- EXPORT_SYMBOL(security_locked_down);
-
-+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+ return call_int_hook(lock_kernel_down, 0, where, level);
-+}
-+EXPORT_SYMBOL(security_lock_kernel_down);
-+
- #ifdef CONFIG_PERF_EVENTS
- int security_perf_event_open(struct perf_event_attr *attr, int type)
- {
---
-2.28.0
-