From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: John Keeping <john@metanate.com>,
Mike Snitzer <snitzer@redhat.com>,
Sasha Levin <sashal@kernel.org>,
dm-devel@redhat.com
Subject: [PATCH AUTOSEL 5.4 27/31] dm verity: fix require_signatures module_param permissions
Date: Thu, 3 Jun 2021 13:09:15 -0400 [thread overview]
Message-ID: <20210603170919.3169112-27-sashal@kernel.org> (raw)
In-Reply-To: <20210603170919.3169112-1-sashal@kernel.org>
From: John Keeping <john@metanate.com>
[ Upstream commit 0c1f3193b1cdd21e7182f97dc9bca7d284d18a15 ]
The third parameter of module_param() is permissions for the sysfs node
but it looks like it is being used as the initial value of the parameter
here. In fact, false here equates to omitting the file from sysfs and
does not affect the value of require_signatures.
Making the parameter writable is not simple because going from
false->true is fine but it should not be possible to remove the
requirement to verify a signature. But it can be useful to inspect the
value of this parameter from userspace, so change the permissions to
make a read-only file in sysfs.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-verity-verify-sig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 614e43db93aa..919154ae4cae 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -15,7 +15,7 @@
#define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
static bool require_signatures;
-module_param(require_signatures, bool, false);
+module_param(require_signatures, bool, 0444);
MODULE_PARM_DESC(require_signatures,
"Verify the roothash of dm-verity hash tree");
--
2.30.2
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
dm-devel@redhat.com, John Keeping <john@metanate.com>,
Mike Snitzer <snitzer@redhat.com>
Subject: [dm-devel] [PATCH AUTOSEL 5.4 27/31] dm verity: fix require_signatures module_param permissions
Date: Thu, 3 Jun 2021 13:09:15 -0400 [thread overview]
Message-ID: <20210603170919.3169112-27-sashal@kernel.org> (raw)
In-Reply-To: <20210603170919.3169112-1-sashal@kernel.org>
From: John Keeping <john@metanate.com>
[ Upstream commit 0c1f3193b1cdd21e7182f97dc9bca7d284d18a15 ]
The third parameter of module_param() is permissions for the sysfs node
but it looks like it is being used as the initial value of the parameter
here. In fact, false here equates to omitting the file from sysfs and
does not affect the value of require_signatures.
Making the parameter writable is not simple because going from
false->true is fine but it should not be possible to remove the
requirement to verify a signature. But it can be useful to inspect the
value of this parameter from userspace, so change the permissions to
make a read-only file in sysfs.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-verity-verify-sig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 614e43db93aa..919154ae4cae 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -15,7 +15,7 @@
#define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
static bool require_signatures;
-module_param(require_signatures, bool, false);
+module_param(require_signatures, bool, 0444);
MODULE_PARM_DESC(require_signatures,
"Verify the roothash of dm-verity hash tree");
--
2.30.2
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2021-06-03 17:13 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-03 17:08 [PATCH AUTOSEL 5.4 01/31] ASoC: max98088: fix ni clock divider calculation Sasha Levin
2021-06-03 17:08 ` Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 02/31] spi: Fix spi device unregister flow Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 03/31] net/nfc/rawsock.c: fix a permission check bug Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 04/31] usb: cdns3: Fix runtime PM imbalance on error Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 05/31] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet Sasha Levin
2021-06-03 17:08 ` Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 06/31] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Sasha Levin
2021-06-03 17:08 ` Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 07/31] vfio-ccw: Serialize FSM IDLE state with I/O completion Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 08/31] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-03 17:08 ` Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 09/31] spi: sprd: Add " Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 10/31] isdn: mISDN: netjet: Fix crash in nj_probe: Sasha Levin
2021-06-03 17:08 ` [PATCH AUTOSEL 5.4 11/31] bonding: init notify_work earlier to avoid uninitialized use Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 12/31] netlink: disable IRQs for netlink_lock_table() Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 13/31] net: mdiobus: get rid of a BUG_ON() Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 14/31] cgroup: disable controllers at parse time Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 15/31] wq: handle VM suspension in stall detection Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 16/31] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 17/31] RDS tcp loopback connection can hang Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 18/31] scsi: bnx2fc: Return failure if io_req is already in ABTS processing Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 19/31] scsi: vmw_pvscsi: Set correct residual data length Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 20/31] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 21/31] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 22/31] net: macb: ensure the device is available before accessing GEMGXL control registers Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 23/31] net: appletalk: cops: Fix data race in cops_probe1 Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 24/31] net: dsa: microchip: enable phy errata workaround on 9567 Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 25/31] nvme-fabrics: decode host pathing error for connect Sasha Levin
2021-06-03 17:09 ` Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 26/31] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Sasha Levin
2021-06-03 17:09 ` Sasha Levin [this message]
2021-06-03 17:09 ` [dm-devel] [PATCH AUTOSEL 5.4 27/31] dm verity: fix require_signatures module_param permissions Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 28/31] bnx2x: Fix missing error code in bnx2x_iov_init_one() Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 29/31] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME Sasha Levin
2021-06-03 17:09 ` Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 30/31] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 30/31] powerpc/fsl: set fsl, i2c-erratum-a004447 " Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 31/31] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Sasha Levin
2021-06-03 17:09 ` [PATCH AUTOSEL 5.4 31/31] powerpc/fsl: set fsl, i2c-erratum-a004447 " Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210603170919.3169112-27-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dm-devel@redhat.com \
--cc=john@metanate.com \
--cc=linux-kernel@vger.kernel.org \
--cc=snitzer@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.