* [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status
@ 2020-06-02 2:15 James Morris
2020-06-03 0:39 ` Linus Torvalds
2020-06-03 1:10 ` pr-tracker-bot
0 siblings, 2 replies; 4+ messages in thread
From: James Morris @ 2020-06-02 2:15 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, linux-security-module
Hi Linus,
Just one update for the security subsystem: allows unprivileged users to
see the status of the lockdown feature. From Jeremy Cline.
Please pull.
The following changes since commit 3e27a33932df104f4f9ff811467b0b4ccebde773:
security: remove duplicated include from security.h (2020-02-21 08:53:48 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
for you to fetch changes up to 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c:
lockdown: Allow unprivileged users to see lockdown status (2020-05-14 10:23:05 -0700)
----------------------------------------------------------------
Jeremy Cline (1):
lockdown: Allow unprivileged users to see lockdown status
security/lockdown/lockdown.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
commit 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c
Author: Jeremy Cline <jcline@redhat.com>
Date: Thu May 14 10:05:46 2020 -0400
lockdown: Allow unprivileged users to see lockdown status
A number of userspace tools, such as systemtap, need a way to see the
current lockdown state so they can gracefully deal with the kernel being
locked down. The state is already exposed in
/sys/kernel/security/lockdown, but is only readable by root. Adjust the
permissions so unprivileged users can read the state.
Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
Cc: Frank Ch. Eigler <fche@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 40b790536def..ae594c0a127f 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -175,7 +175,7 @@ static int __init lockdown_secfs_init(void)
{
struct dentry *dentry;
- dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
+ dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
&lockdown_ops);
return PTR_ERR_OR_ZERO(dentry);
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status
2020-06-02 2:15 [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status James Morris
@ 2020-06-03 0:39 ` Linus Torvalds
2020-06-03 21:27 ` James Morris
2020-06-03 1:10 ` pr-tracker-bot
1 sibling, 1 reply; 4+ messages in thread
From: Linus Torvalds @ 2020-06-03 0:39 UTC (permalink / raw)
To: James Morris; +Cc: Linux Kernel Mailing List, LSM List
On Mon, Jun 1, 2020 at 7:15 PM James Morris <jmorris@namei.org> wrote:
>
> Just one update for the security subsystem: allows unprivileged users to
> see the status of the lockdown feature. From Jeremy Cline.
Hmm.
That branch seems to have sprouted another commit just today.
I ended up taking that too as trivial, but it shows how you seem to
basically send me a pointer to a live branch. Please don't do that.
When you make changes to that branch, I now get those changes that you
may not have meant to send me (and that I get upset for being
surprised by).
An easy solution to that is to send me a signed tag instead of a
pointer to a branch. Then you can continue to update the branch, while
the tag stays stable.
Plus we've been encouraging signed tags for pull requests anyway.
Linus
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status
2020-06-02 2:15 [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status James Morris
2020-06-03 0:39 ` Linus Torvalds
@ 2020-06-03 1:10 ` pr-tracker-bot
1 sibling, 0 replies; 4+ messages in thread
From: pr-tracker-bot @ 2020-06-03 1:10 UTC (permalink / raw)
To: James Morris; +Cc: Linus Torvalds, linux-kernel, linux-security-module
The pull request you sent on Tue, 2 Jun 2020 12:15:04 +1000 (AEST):
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/56f2e3b7d819f4fa44857ba81aa6870f18714ea0
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status
2020-06-03 0:39 ` Linus Torvalds
@ 2020-06-03 21:27 ` James Morris
0 siblings, 0 replies; 4+ messages in thread
From: James Morris @ 2020-06-03 21:27 UTC (permalink / raw)
To: Linus Torvalds; +Cc: Linux Kernel Mailing List, LSM List
On Tue, 2 Jun 2020, Linus Torvalds wrote:
> On Mon, Jun 1, 2020 at 7:15 PM James Morris <jmorris@namei.org> wrote:
> >
> > Just one update for the security subsystem: allows unprivileged users to
> > see the status of the lockdown feature. From Jeremy Cline.
>
> Hmm.
>
> That branch seems to have sprouted another commit just today.
Oops, sorry, I thought it was already pulled.
>
> I ended up taking that too as trivial, but it shows how you seem to
> basically send me a pointer to a live branch. Please don't do that.
> When you make changes to that branch, I now get those changes that you
> may not have meant to send me (and that I get upset for being
> surprised by).
>
> An easy solution to that is to send me a signed tag instead of a
> pointer to a branch. Then you can continue to update the branch, while
> the tag stays stable.
>
> Plus we've been encouraging signed tags for pull requests anyway.
Ok.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-06-03 21:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-02 2:15 [GIT PULL][Security] lockdown: Allow unprivileged users to see lockdown status James Morris
2020-06-03 0:39 ` Linus Torvalds
2020-06-03 21:27 ` James Morris
2020-06-03 1:10 ` pr-tracker-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).