-rw-r--r-- | efi-lockdown.patch | 58 | ||||
-rw-r--r-- | kernel.spec | 3 |
2 files changed, 61 insertions, 0 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index e3ce55788..25c143fd3 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -2080,3 +2080,61 @@ index bb4dc78..c2e4953 100644
 +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
 --
 2.20.1
+
+From patchwork Wed Nov 21 12:05:10 2018
+Date: Wed, 21 Nov 2018 13:05:10 +0100
+From: Vasily Gorbik <gor@linux.ibm.com>
+Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file
+ operation defined
+
+With "debugfs: Restrict debugfs when the kernel is locked down"
+return code "r" is unconditionally set to -EPERM, which stays like that
+until function return if no "open" file operation defined, effectivelly
+resulting in "Operation not permitted" for all such files despite kernel
+lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
+
+In particular this breaks 2 debugfs files on s390:
+/sys/kernel/debug/s390_hypfs/diag_304
+/sys/kernel/debug/s390_hypfs/diag_204
+
+To address that set EPERM return code only when debugfs_is_locked_down
+returns true.
+
+Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+---
+ fs/debugfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 51cb894c21f2..89c86faaa02a 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+
+ real_fops = debugfs_real_fops(filp);
+
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ return r == -EIO ? -ENOENT : r;
+
+ real_fops = debugfs_real_fops(filp);
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+--
+2.21.0
diff --git a/kernel.spec b/kernel.spec
index 0c1f8a350..e2e12b67f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1815,6 +1815,9 @@ fi
 #
 #
 %changelog
+* Thu Jun 06 2019 Jeremy Cline <jcline@redhat.com>
+- Fix incorrect permission denied with lock down off (rhbz 1658675)
+
 * Thu Jun 06 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.0-0.rc3.git2.1
 - Linux v5.2-rc3-37-g156c05917e09
|
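Review bot: With `r = -EPERM` moved inside the branch in both `open_proxy_open` and `full_proxy_open`, the result for a file with no `open` operation now depends on `r` still holding the value left by an earlier call that lies outside these hunks (only its `return r == -EIO ? -ENOENT : r;` tail is visible in the second hunk). That is presumably 0 today, but it is an unstated invariant sitting directly beside a lockdown access check, so I would document it at the check, e.g. `/* r is 0 here; -EPERM is set only when lockdown denies the open */`. It is also worth confirming that the deny path is unchanged: with the kernel locked down, a restricted file should still fail with -EPERM before `fops_get()` is reached, while the two s390_hypfs files named in the description open with lockdown off. Both function bodies start and end outside the hunks.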