From b25e1037bf38886f5569497df579da634e3f072d Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Thu, 6 Jun 2019 18:12:27 +0000
Subject: Fix rbhz 1658675 again

This patch got dropped with the latest rebase to upstream's version of
the lockdown patches.
---
 efi-lockdown.patch | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 kernel.spec        |  3 +++
 2 files changed, 60 insertions(+)

diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index fab50ef1a..f87488893 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1794,3 +1794,60 @@ index 122797023bdb..f8f1cdb74a4f 100644
 -- 
 2.21.0
 
+From patchwork Wed Nov 21 12:05:10 2018
+Date: Wed, 21 Nov 2018 13:05:10 +0100
+From: Vasily Gorbik <gor@linux.ibm.com>
+Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file
+ operation defined
+
+With "debugfs: Restrict debugfs when the kernel is locked down"
+return code "r" is unconditionally set to -EPERM, which stays like that
+until function return if no "open" file operation defined, effectivelly
+resulting in "Operation not permitted" for all such files despite kernel
+lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
+
+In particular this breaks 2 debugfs files on s390:
+/sys/kernel/debug/s390_hypfs/diag_304
+/sys/kernel/debug/s390_hypfs/diag_204
+
+To address that set EPERM return code only when debugfs_is_locked_down
+returns true.
+
+Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+---
+ fs/debugfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 51cb894c21f2..89c86faaa02a 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+ 
+ 	real_fops = debugfs_real_fops(filp);
+ 
+-	r = -EPERM;
+-	if (debugfs_is_locked_down(inode, filp, real_fops))
++	if (debugfs_is_locked_down(inode, filp, real_fops)) {
++		r = -EPERM;
+ 		goto out;
++	}
+ 
+ 	real_fops = fops_get(real_fops);
+ 	if (!real_fops) {
+@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ 		return r == -EIO ? -ENOENT : r;
+ 
+ 	real_fops = debugfs_real_fops(filp);
+-	r = -EPERM;
+-	if (debugfs_is_locked_down(inode, filp, real_fops))
++	if (debugfs_is_locked_down(inode, filp, real_fops)) {
++		r = -EPERM;
+ 		goto out;
++	}
+ 
+ 	real_fops = fops_get(real_fops);
+ 	if (!real_fops) {
+-- 
+2.21.0
diff --git a/kernel.spec b/kernel.spec
index ba835280d..7f01feea8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1854,6 +1854,9 @@ fi
 #
 #
 %changelog
+* Thu Jun 06 2019 Jeremy Cline <jcline@redhat.com>
+- Fix incorrect permission denied with lock down off (rhbz 1658675)
+
 * Wed Jun 05 2019 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix CVE-2019-12456 (rhbz 1717182 1717183)
 
-- 
cgit