ACK/Cmnt: [PATCH 00/47][X] Lockdown updates
Stefan Bader
stefan.bader at canonical.com
Fri Jun 19 08:10:02 UTC 2020
On 19.06.20 01:12, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
>
> Note that this series does not contain updates to lock down debugfs.
> That work is still in progress.
>
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
>
> UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
>
> for you to fetch changes up to 7d434c730078b87c9573201a5ec4dff89e45cc50:
>
> efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN (2020-06-18 17:29:15 -0500)
>
> Thanks,
> Seth
>
> ----------------------------------------------------------------
> Chun-Yi Lee (1):
> UBUNTU: SAUCE: (efi-lockdown) kexec_file: Disable at runtime if the
> kernel is locked down
>
> David Howells (41):
> UBUNTU: SAUCE: (efi-lockdown) x86/mmiotrace: Lock down the
> testmmiotrace module
> Annotate module params that specify hardware parameters (eg. ioport)
> Annotate hardware config module parameters in arch/x86/mm/
> Annotate hardware config module parameters in drivers/char/ipmi/
> Annotate hardware config module parameters in drivers/char/mwave/
> Annotate hardware config module parameters in drivers/char/
> Annotate hardware config module parameters in drivers/clocksource/
> Annotate hardware config module parameters in drivers/cpufreq/
> Annotate hardware config module parameters in drivers/gpio/
> Annotate hardware config module parameters in drivers/i2c/
> Annotate hardware config module parameters in drivers/input/
> Annotate hardware config module parameters in drivers/isdn/
> Annotate hardware config module parameters in drivers/media/
> Annotate hardware config module parameters in drivers/misc/
> Annotate hardware config module parameters in drivers/mmc/host/
> Annotate hardware config module parameters in drivers/net/appletalk/
> Annotate hardware config module parameters in drivers/net/arcnet/
> Annotate hardware config module parameters in drivers/net/can/
> Annotate hardware config module parameters in drivers/net/ethernet/
> Annotate hardware config module parameters in drivers/net/hamradio/
> Annotate hardware config module parameters in drivers/net/irda/
> Annotate hardware config module parameters in drivers/net/wan/
> Annotate hardware config module parameters in drivers/net/wireless/
> Annotate hardware config module parameters in drivers/parport/
> Annotate hardware config module parameters in drivers/pci/hotplug/
> Annotate hardware config module parameters in drivers/pcmcia/
> Annotate hardware config module parameters in drivers/scsi/
> Annotate hardware config module parameters in drivers/staging/media/
> Annotate hardware config module parameters in drivers/staging/speakup/
> Annotate hardware config module parameters in drivers/staging/vme/
> Annotate hardware config module parameters in drivers/tty/
> Annotate hardware config module parameters in drivers/video/
> Annotate hardware config module parameters in drivers/watchdog/
> Annotate hardware config module parameters in fs/pstore/
> Annotate hardware config module parameters in sound/drivers/
> Annotate hardware config module parameters in sound/isa/
> Annotate hardware config module parameters in sound/oss/
> Annotate hardware config module parameters in sound/pci/
> UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify
> hardware parameters (eg. ioport)
> UBUNTU: SAUCE: (efi-lockdown) Prohibit PCMCIA CIS storage when the
> kernel is locked down
> UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
>
> Javier Martinez Canillas (1):
> efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
>
> Linn Crosetto (1):
> acpi: Disable ACPI table override if the kernel is locked down
>
> Matthew Garrett (1):
> UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem,kmem,port} when the
> kernel is locked down
>
> Seth Forshee (2):
> Revert "Restrict /dev/mem and /dev/kmem when module loading is
> restricted"
> Revert "x86: Lock down IO port access when module security is enabled"
>
> arch/x86/kernel/ioport.c | 5 +-
> arch/x86/mm/testmmiotrace.c | 5 +-
> drivers/acpi/osl.c | 5 ++
> drivers/char/applicom.c | 4 +-
> drivers/char/ipmi/ipmi_si_intf.c | 14 ++---
> drivers/char/mem.c | 13 +----
> drivers/char/mwave/mwavedd.c | 8 +--
> drivers/clocksource/cs5535-clockevt.c | 2 +-
> drivers/cpufreq/speedstep-smi.c | 2 +-
> drivers/firmware/efi/test/efi_test.c | 7 +++
> drivers/gpio/gpio-104-idio-16.c | 2 +-
> drivers/i2c/busses/i2c-ali15x3.c | 2 +-
> drivers/i2c/busses/i2c-elektor.c | 6 +-
> drivers/i2c/busses/i2c-parport-light.c | 4 +-
> drivers/i2c/busses/i2c-pca-isa.c | 4 +-
> drivers/i2c/busses/i2c-piix4.c | 2 +-
> drivers/i2c/busses/i2c-sis5595.c | 2 +-
> drivers/i2c/busses/i2c-viapro.c | 2 +-
> drivers/i2c/busses/scx200_acb.c | 2 +-
> drivers/input/mouse/inport.c | 2 +-
> drivers/input/mouse/logibm.c | 2 +-
> drivers/input/touchscreen/mk712.c | 4 +-
> drivers/isdn/hardware/avm/b1isa.c | 4 +-
> drivers/isdn/hardware/avm/t1isa.c | 4 +-
> drivers/isdn/hisax/config.c | 10 ++--
> drivers/media/pci/zoran/zoran_card.c | 2 +-
> drivers/misc/dummy-irq.c | 2 +-
> drivers/mmc/host/wbsd.c | 8 +--
> drivers/net/appletalk/cops.c | 6 +-
> drivers/net/appletalk/ltpc.c | 6 +-
> drivers/net/arcnet/com20020-isa.c | 4 +-
> drivers/net/arcnet/com90io.c | 4 +-
> drivers/net/arcnet/com90xx.c | 4 +-
> drivers/net/can/cc770/cc770_isa.c | 8 +--
> drivers/net/can/sja1000/sja1000_isa.c | 8 +--
> drivers/net/ethernet/3com/3c509.c | 2 +-
> drivers/net/ethernet/3com/3c59x.c | 4 +-
> drivers/net/ethernet/8390/ne.c | 4 +-
> drivers/net/ethernet/8390/smc-ultra.c | 4 +-
> drivers/net/ethernet/8390/wd.c | 8 +--
> drivers/net/ethernet/amd/lance.c | 6 +-
> drivers/net/ethernet/amd/ni65.c | 6 +-
> drivers/net/ethernet/cirrus/cs89x0.c | 6 +-
> drivers/net/ethernet/dec/tulip/de4x5.c | 2 +-
> drivers/net/ethernet/hp/hp100.c | 2 +-
> drivers/net/ethernet/realtek/atp.c | 4 +-
> drivers/net/ethernet/smsc/smc9194.c | 4 +-
> drivers/net/hamradio/baycom_epp.c | 2 +-
> drivers/net/hamradio/baycom_par.c | 2 +-
> drivers/net/hamradio/baycom_ser_fdx.c | 4 +-
> drivers/net/hamradio/baycom_ser_hdx.c | 4 +-
> drivers/net/hamradio/dmascc.c | 2 +-
> drivers/net/irda/ali-ircc.c | 6 +-
> drivers/net/irda/nsc-ircc.c | 6 +-
> drivers/net/irda/smsc-ircc2.c | 10 ++--
> drivers/net/irda/w83977af_ir.c | 4 +-
> drivers/net/wan/cosa.c | 6 +-
> drivers/net/wan/hostess_sv11.c | 6 +-
> drivers/net/wan/sbni.c | 4 +-
> drivers/net/wan/sealevel.c | 8 +--
> drivers/net/wireless/airo.c | 4 +-
> drivers/parport/parport_pc.c | 8 +--
> drivers/pci/hotplug/cpcihp_generic.c | 2 +-
> drivers/pcmcia/cistpl.c | 3 +
> drivers/pcmcia/i82365.c | 8 +--
> drivers/pcmcia/tcic.c | 8 +--
> drivers/scsi/aha152x.c | 4 +-
> drivers/scsi/aha1542.c | 2 +-
> drivers/scsi/g_NCR5380.c | 17 +++++-
> drivers/scsi/gdth.c | 2 +-
> drivers/scsi/qlogicfas.c | 4 +-
> drivers/staging/media/lirc/lirc_sir.c | 4 +-
> drivers/staging/speakup/speakup_acntpc.c | 2 +-
> drivers/staging/speakup/speakup_dtlk.c | 2 +-
> drivers/staging/speakup/speakup_keypc.c | 2 +-
> drivers/staging/vme/devices/vme_pio2_core.c | 8 +--
> drivers/tty/cyclades.c | 4 +-
> drivers/tty/moxa.c | 2 +-
> drivers/tty/mxser.c | 2 +-
> drivers/tty/rocket.c | 10 ++--
> drivers/tty/serial/8250/8250_core.c | 4 +-
> drivers/tty/serial/serial_core.c | 5 ++
> drivers/tty/synclink.c | 6 +-
> drivers/video/fbdev/arcfb.c | 8 +--
> drivers/video/fbdev/n411.c | 6 +-
> drivers/watchdog/cpu5wdt.c | 2 +-
> drivers/watchdog/eurotechwdt.c | 4 +-
> drivers/watchdog/pc87413_wdt.c | 2 +-
> drivers/watchdog/sc1200wdt.c | 2 +-
> drivers/watchdog/wdt.c | 4 +-
> fs/pstore/ram.c | 2 +-
> include/linux/moduleparam.h | 65 ++++++++++++++++++++-
> kernel/kexec_file.c | 6 ++
> kernel/params.c | 25 ++++++--
> sound/drivers/mpu401/mpu401.c | 4 +-
> sound/drivers/mtpav.c | 4 +-
> sound/drivers/serial-u16550.c | 4 +-
> sound/isa/ad1848/ad1848.c | 6 +-
> sound/isa/adlib.c | 2 +-
> sound/isa/cmi8328.c | 12 ++--
> sound/isa/cmi8330.c | 20 +++----
> sound/isa/cs423x/cs4231.c | 12 ++--
> sound/isa/cs423x/cs4236.c | 18 +++---
> sound/isa/es1688/es1688.c | 12 ++--
> sound/isa/es18xx.c | 12 ++--
> sound/isa/galaxy/galaxy.c | 16 ++---
> sound/isa/gus/gusclassic.c | 8 +--
> sound/isa/gus/gusextreme.c | 16 ++---
> sound/isa/gus/gusmax.c | 8 +--
> sound/isa/gus/interwave.c | 10 ++--
> sound/isa/msnd/msnd_pinnacle.c | 20 +++----
> sound/isa/opl3sa2.c | 16 ++---
> sound/isa/opti9xx/miro.c | 14 ++---
> sound/isa/opti9xx/opti92x-ad1848.c | 14 ++---
> sound/isa/sb/jazz16.c | 12 ++--
> sound/isa/sb/sb16.c | 14 ++---
> sound/isa/sb/sb8.c | 6 +-
> sound/isa/sc6000.c | 12 ++--
> sound/isa/sscape.c | 12 ++--
> sound/isa/wavefront/wavefront.c | 18 +++---
> sound/oss/ad1848.c | 8 +--
> sound/oss/aedsp16.c | 12 ++--
> sound/oss/mpu401.c | 4 +-
> sound/oss/msnd_pinnacle.c | 20 +++----
> sound/oss/opl3.c | 2 +-
> sound/oss/pas2_card.c | 18 +++---
> sound/oss/pss.c | 14 ++---
> sound/oss/sb_card.c | 10 ++--
> sound/oss/trix.c | 18 +++---
> sound/oss/uart401.c | 4 +-
> sound/oss/uart6850.c | 4 +-
> sound/oss/waveartist.c | 8 +--
> sound/pci/als4000.c | 2 +-
> sound/pci/cmipci.c | 6 +-
> sound/pci/ens1370.c | 2 +-
> sound/pci/riptide/riptide.c | 6 +-
> sound/pci/sonicvibes.c | 2 +-
> sound/pci/via82xx.c | 2 +-
> sound/pci/ymfpci/ymfpci.c | 6 +-
> 139 files changed, 543 insertions(+), 431 deletions(-)
>
Luckily most changes were module parameter annotations and of those most were
cherry picks... I did skip mostly over those. The rest more or less appears to
be matching what the description says. I had two remarks but not important and
done as direct replies.
Acked-by: Stefan Bader <stefan.bader at canonical.com>