-rw-r--r-- | efi-lockdown.patch | 58 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 67 insertions, 3 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index e3ce55788..25c143fd3 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -2080,3 +2080,61 @@ index bb4dc78..c2e4953 100644
 +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
 --
 2.20.1
+
+From patchwork Wed Nov 21 12:05:10 2018
+Date: Wed, 21 Nov 2018 13:05:10 +0100
+From: Vasily Gorbik <gor@linux.ibm.com>
+Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file
+ operation defined
+
+With "debugfs: Restrict debugfs when the kernel is locked down"
+return code "r" is unconditionally set to -EPERM, which stays like that
+until function return if no "open" file operation defined, effectivelly
+resulting in "Operation not permitted" for all such files despite kernel
+lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
+
+In particular this breaks 2 debugfs files on s390:
+/sys/kernel/debug/s390_hypfs/diag_304
+/sys/kernel/debug/s390_hypfs/diag_204
+
+To address that set EPERM return code only when debugfs_is_locked_down
+returns true.
+
+Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+---
+ fs/debugfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 51cb894c21f2..89c86faaa02a 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+
+ real_fops = debugfs_real_fops(filp);
+
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ return r == -EIO ? -ENOENT : r;
+
+ real_fops = debugfs_real_fops(filp);
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+--
+2.21.0
@@ -1 +1 @@
-156c05917e0920ef5643eb54c0ea71aae5d60c3d
+16d72dd4891fecc1e1bf7ca193bb7d5b9804c038
diff --git a/kernel.spec b/kernel.spec
index c30bc5207..dc312fedd 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 3
 # The git snapshot level
-%define gitrev 2
+%define gitrev 3
 # Set rpm version accordingly
 %define rpmversion 5.%{upstream_sublevel}.0
 %endif
@@ -1835,6 +1835,12 @@ fi
 #
 #
 %changelog
+* Fri Jun 07 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.0-0.rc3.git3.1
+- Linux v5.2-rc3-77-g16d72dd4891f
+
+* Thu Jun 06 2019 Jeremy Cline <jcline@redhat.com>
+- Fix incorrect permission denied with lock down off (rhbz 1658675)
+
 * Thu Jun 06 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.0-0.rc3.git2.1
 - Linux v5.2-rc3-37-g156c05917e09
@@ -1,3 +1,3 @@
 SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
 SHA512 (patch-5.2-rc3.xz) = 0d412178769defc6f4da5bba057a0e4f1330b2d87fd08b8554598d8cd802c1edbc68d58acf5af1c2d4777609feb25aee1963d7154572ec4b2a30ca36b9d07adc
-SHA512 (patch-5.2-rc3-git2.xz) = 626e564d1e6a9c5ab083ed71755ddc58666956dffab3b1f98c9a89af770462fddefb929b9a715411df84dadf7f8fa71de68349771db92320c4398e9bae40e886
+SHA512 (patch-5.2-rc3-git3.xz) = 76bb21fbd76f80e1e948fa5c5718430a1a49885f54f83b38c8b6b3cfed2482cba8c7708f5ef4fb365df1c23d7e5564642fd6e2807c9650919b0091db2ccd50ca |
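Review bot: In the patch added to efi-lockdown.patch, both `open_proxy_open` and `full_proxy_open` now return whatever `r` already held when a file has no `open` operation, and nothing in the new lines records that this value must be 0. In `full_proxy_open` the context line `return r == -EIO ? -ENOENT : r;` suggests `r` was tested just above and is 0 when the lockdown check is reached; the equivalent line in `open_proxy_open` lies outside its hunk, so this is inferred there. A one-line comment above each check, such as `/* r == 0 here; only a locked-down kernel turns it into -EPERM */`, would document the invariant that the earlier default-deny assignment violated. The denial path itself looks intact, since `goto out` is still reached with `-EPERM` whenever `debugfs_is_locked_down()` returns true. Both function bodies start and end outside the hunks.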