From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett <matthewgarrett@google.com>, David Howells <dhowells@redhat.com>, Matthew Garrett <mjg59@google.com>, Kees Cook <keescook@chromium.org> Subject: [PATCH V40 29/29] lockdown: Print current->comm in restriction messages Date: Mon, 19 Aug 2019 17:18:05 -0700 Message-ID: <20190820001805.241928-30-matthewgarrett@google.com> (raw) In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com> Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message is now patterned something like: Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org> --- fs/proc/kcore.c | 5 +++-- security/lockdown/lockdown.c | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index ee2c576cc94e..e2ed8e08cc7a 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp) { int ret = security_locked_down(LOCKDOWN_KCORE); - if (ret) - return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; + if (ret) + return ret; + filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!filp->private_data) return -ENOMEM; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 84df03b1f5a7..0068cec77c05 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c
@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param); */ static int lockdown_is_locked_down(enum lockdown_reason what) { + if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX, + "Invalid lockdown reason")) + return -EPERM; + if (kernel_locked_down >= what) { if (lockdown_reasons[what]) - pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", - lockdown_reasons[what]); + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + current->comm, lockdown_reasons[what]); return -EPERM; } -- 2.23.0.rc1.153.gdeed80330f-goog
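Review bot: the reordering in the open_kcore() hunk does not change when the lockdown hook fires, because security_locked_down(LOCKDOWN_KCORE) is still evaluated in the initializer of ret before the capable(CAP_SYS_RAWIO) test; the hook (and, with this series, its pr_notice carrying current->comm) therefore still runs for every unprivileged opener, and only the order of the two -EPERM returns changes. If the intent is to stop callers without CAP_SYS_RAWIO from generating lockdown notices, move the call itself below the capability check, e.g. `if (!capable(CAP_SYS_RAWIO)) return -EPERM; ret = security_locked_down(LOCKDOWN_KCORE); if (ret) return ret;`, and say so in the commit message, which currently describes only the comm change.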
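Review bot: the new WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX, "Invalid lockdown reason") bounds check in lockdown_is_locked_down() is a separate defensive fix that the commit message does not mention; either document it (it guards the lockdown_reasons[what] index against an out-of-range reason from a caller) or split it into its own patch. On the message change itself, current->comm is set by the process through prctl(PR_SET_NAME), so anyone consuming these notices should treat the new <comm> field as an untrusted label rather than an identity; a sentence to that effect in kernel_lockdown.7 alongside the new format would help. The pr_notice is unratelimited exactly as before, so log-volume exposure is unchanged by this hunk.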
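Because the format change breaks log matchers written for the old "Lockdown: <what> is restricted" text, here is an added example (not part of the patch or the kernel tree) of a parser that accepts both the pre-patch and the post-patch message formats and tallies hits per (comm, what). The dmesg lines and reason strings below are constructed sample values.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional


class LockdownEvent(NamedTuple):
    comm: Optional[str]   # None when the line uses the pre-patch format
    what: str


# Accepts both message formats; any dmesg/syslog prefix before "Lockdown:"
# is ignored by search(). comm is matched non-greedily and capped at 15
# bytes (TASK_COMM_LEN - 1); because the separator is ": " rather than ":",
# names such as "kworker/u8:1" survive intact. comm is chosen by the process
# itself (prctl PR_SET_NAME), so treat it as a label, not an identity.
_LOCKDOWN_RE = re.compile(
    r"Lockdown: (?:(?P<comm>.{1,15}?): )?(?P<what>.+?) is restricted; "
    r"see man kernel_lockdown\.7"
)

# Constructed sample log, mixing old-format, new-format and unrelated lines.
SAMPLE_DMESG = """\
[   12.345678] Lockdown: /proc/kcore is restricted; see man kernel_lockdown.7
[   20.000001] Lockdown: cat: /proc/kcore is restricted; see man kernel_lockdown.7
[   20.000002] Lockdown: kworker/u8:1: kexec is restricted; see man kernel_lockdown.7
[   21.000000] Lockdown: cat: /proc/kcore is restricted; see man kernel_lockdown.7
[   22.000000] usb 1-1: new high-speed USB device number 2
"""


def parse_lockdown_line(line: str) -> Optional[LockdownEvent]:
    """Return the event in one log line, or None if it is not a lockdown notice."""
    m = _LOCKDOWN_RE.search(line)
    if not m:
        return None
    return LockdownEvent(m.group("comm"), m.group("what"))


def summarize(log_text: str) -> Counter:
    """Count lockdown hits per (comm, what) over a block of log text."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_lockdown_line(line)
        if ev is not None:
            counts[ev] += 1
    return counts


if __name__ == "__main__":
    for (comm, what), n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n:3d}  comm={comm!r:16} what={what!r}")
```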