ACK/Cmnt: [PATCH v2 00/57][X] Lockdown updates

Stefan Bader stefan.bader at canonical.com
Mon Jun 22 07:27:52 UTC 2020


On 19.06.20 18:49, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
> 
> v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
> mistakenly omitted from v1.
> 
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
> 
>   UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
> 
> for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:
> 
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)
> 
> Thanks,
> Seth
> 
> ----------------------------------------------------------------
> Chun-Yi Lee (1):
>   UBUNTU: SAUCE: (efi-lockdown) kexec_file: Disable at runtime if the
>     kernel is locked down
> 
> David Howells (42):
>   UBUNTU: SAUCE: (efi-lockdown) x86/mmiotrace: Lock down the
>     testmmiotrace module
>   Annotate module params that specify hardware parameters (eg. ioport)
>   Annotate hardware config module parameters in arch/x86/mm/
>   Annotate hardware config module parameters in drivers/char/ipmi/
>   Annotate hardware config module parameters in drivers/char/mwave/
>   Annotate hardware config module parameters in drivers/char/
>   Annotate hardware config module parameters in drivers/clocksource/
>   Annotate hardware config module parameters in drivers/cpufreq/
>   Annotate hardware config module parameters in drivers/gpio/
>   Annotate hardware config module parameters in drivers/i2c/
>   Annotate hardware config module parameters in drivers/input/
>   Annotate hardware config module parameters in drivers/isdn/
>   Annotate hardware config module parameters in drivers/media/
>   Annotate hardware config module parameters in drivers/misc/
>   Annotate hardware config module parameters in drivers/mmc/host/
>   Annotate hardware config module parameters in drivers/net/appletalk/
>   Annotate hardware config module parameters in drivers/net/arcnet/
>   Annotate hardware config module parameters in drivers/net/can/
>   Annotate hardware config module parameters in drivers/net/ethernet/
>   Annotate hardware config module parameters in drivers/net/hamradio/
>   Annotate hardware config module parameters in drivers/net/irda/
>   Annotate hardware config module parameters in drivers/net/wan/
>   Annotate hardware config module parameters in drivers/net/wireless/
>   Annotate hardware config module parameters in drivers/parport/
>   Annotate hardware config module parameters in drivers/pci/hotplug/
>   Annotate hardware config module parameters in drivers/pcmcia/
>   Annotate hardware config module parameters in drivers/scsi/
>   Annotate hardware config module parameters in drivers/staging/media/
>   Annotate hardware config module parameters in drivers/staging/speakup/
>   Annotate hardware config module parameters in drivers/staging/vme/
>   Annotate hardware config module parameters in drivers/tty/
>   Annotate hardware config module parameters in drivers/video/
>   Annotate hardware config module parameters in drivers/watchdog/
>   Annotate hardware config module parameters in fs/pstore/
>   Annotate hardware config module parameters in sound/drivers/
>   Annotate hardware config module parameters in sound/isa/
>   Annotate hardware config module parameters in sound/oss/
>   Annotate hardware config module parameters in sound/pci/
>   UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify
>     hardware parameters (eg. ioport)
>   UBUNTU: SAUCE: (efi-lockdown) Prohibit PCMCIA CIS storage when the
>     kernel is locked down
>   UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files
>     when the kernel is locked down
> 
> Javier Martinez Canillas (1):
>   efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
> 
> Linn Crosetto (1):
>   acpi: Disable ACPI table override if the kernel is locked down
> 
> Matthew Garrett (1):
>   UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem,kmem,port} when the
>     kernel is locked down
> 
> Nicolai Stange (9):
>   debugfs: prevent access to possibly dead file_operations at file open
>   debugfs: prevent access to removed files' private data
>   debugfs: add support for self-protecting attribute file fops
>   debugfs: unproxify integer attribute files
>   debugfs: unproxify files created through debugfs_create_bool()
>   debugfs: unproxify files created through debugfs_create_blob()
>   debugfs: unproxify files created through debugfs_create_u32_array()
>   debugfs: full_proxy_open(): free proxy on ->open() failure
>   debugfs: open_proxy_open(): avoid double fops release
> 
> Seth Forshee (2):
>   Revert "Restrict /dev/mem and /dev/kmem when module loading is
>     restricted"
>   Revert "x86: Lock down IO port access when module security is enabled"
> 
>  arch/x86/kernel/ioport.c                    |   5 +-
>  arch/x86/mm/testmmiotrace.c                 |   5 +-
>  drivers/acpi/osl.c                          |   5 +
>  drivers/char/applicom.c                     |   4 +-
>  drivers/char/ipmi/ipmi_si_intf.c            |  14 +-
>  drivers/char/mem.c                          |  13 +-
>  drivers/char/mwave/mwavedd.c                |   8 +-
>  drivers/clocksource/cs5535-clockevt.c       |   2 +-
>  drivers/cpufreq/speedstep-smi.c             |   2 +-
>  drivers/firmware/efi/test/efi_test.c        |   7 +
>  drivers/gpio/gpio-104-idio-16.c             |   2 +-
>  drivers/i2c/busses/i2c-ali15x3.c            |   2 +-
>  drivers/i2c/busses/i2c-elektor.c            |   6 +-
>  drivers/i2c/busses/i2c-parport-light.c      |   4 +-
>  drivers/i2c/busses/i2c-pca-isa.c            |   4 +-
>  drivers/i2c/busses/i2c-piix4.c              |   2 +-
>  drivers/i2c/busses/i2c-sis5595.c            |   2 +-
>  drivers/i2c/busses/i2c-viapro.c             |   2 +-
>  drivers/i2c/busses/scx200_acb.c             |   2 +-
>  drivers/input/mouse/inport.c                |   2 +-
>  drivers/input/mouse/logibm.c                |   2 +-
>  drivers/input/touchscreen/mk712.c           |   4 +-
>  drivers/isdn/hardware/avm/b1isa.c           |   4 +-
>  drivers/isdn/hardware/avm/t1isa.c           |   4 +-
>  drivers/isdn/hisax/config.c                 |  10 +-
>  drivers/media/pci/zoran/zoran_card.c        |   2 +-
>  drivers/misc/dummy-irq.c                    |   2 +-
>  drivers/mmc/host/wbsd.c                     |   8 +-
>  drivers/net/appletalk/cops.c                |   6 +-
>  drivers/net/appletalk/ltpc.c                |   6 +-
>  drivers/net/arcnet/com20020-isa.c           |   4 +-
>  drivers/net/arcnet/com90io.c                |   4 +-
>  drivers/net/arcnet/com90xx.c                |   4 +-
>  drivers/net/can/cc770/cc770_isa.c           |   8 +-
>  drivers/net/can/sja1000/sja1000_isa.c       |   8 +-
>  drivers/net/ethernet/3com/3c509.c           |   2 +-
>  drivers/net/ethernet/3com/3c59x.c           |   4 +-
>  drivers/net/ethernet/8390/ne.c              |   4 +-
>  drivers/net/ethernet/8390/smc-ultra.c       |   4 +-
>  drivers/net/ethernet/8390/wd.c              |   8 +-
>  drivers/net/ethernet/amd/lance.c            |   6 +-
>  drivers/net/ethernet/amd/ni65.c             |   6 +-
>  drivers/net/ethernet/cirrus/cs89x0.c        |   6 +-
>  drivers/net/ethernet/dec/tulip/de4x5.c      |   2 +-
>  drivers/net/ethernet/hp/hp100.c             |   2 +-
>  drivers/net/ethernet/realtek/atp.c          |   4 +-
>  drivers/net/ethernet/smsc/smc9194.c         |   4 +-
>  drivers/net/hamradio/baycom_epp.c           |   2 +-
>  drivers/net/hamradio/baycom_par.c           |   2 +-
>  drivers/net/hamradio/baycom_ser_fdx.c       |   4 +-
>  drivers/net/hamradio/baycom_ser_hdx.c       |   4 +-
>  drivers/net/hamradio/dmascc.c               |   2 +-
>  drivers/net/irda/ali-ircc.c                 |   6 +-
>  drivers/net/irda/nsc-ircc.c                 |   6 +-
>  drivers/net/irda/smsc-ircc2.c               |  10 +-
>  drivers/net/irda/w83977af_ir.c              |   4 +-
>  drivers/net/wan/cosa.c                      |   6 +-
>  drivers/net/wan/hostess_sv11.c              |   6 +-
>  drivers/net/wan/sbni.c                      |   4 +-
>  drivers/net/wan/sealevel.c                  |   8 +-
>  drivers/net/wireless/airo.c                 |   4 +-
>  drivers/parport/parport_pc.c                |   8 +-
>  drivers/pci/hotplug/cpcihp_generic.c        |   2 +-
>  drivers/pcmcia/cistpl.c                     |   3 +
>  drivers/pcmcia/i82365.c                     |   8 +-
>  drivers/pcmcia/tcic.c                       |   8 +-
>  drivers/scsi/aha152x.c                      |   4 +-
>  drivers/scsi/aha1542.c                      |   2 +-
>  drivers/scsi/g_NCR5380.c                    |  17 +-
>  drivers/scsi/gdth.c                         |   2 +-
>  drivers/scsi/qlogicfas.c                    |   4 +-
>  drivers/staging/media/lirc/lirc_sir.c       |   4 +-
>  drivers/staging/speakup/speakup_acntpc.c    |   2 +-
>  drivers/staging/speakup/speakup_dtlk.c      |   2 +-
>  drivers/staging/speakup/speakup_keypc.c     |   2 +-
>  drivers/staging/vme/devices/vme_pio2_core.c |   8 +-
>  drivers/tty/cyclades.c                      |   4 +-
>  drivers/tty/moxa.c                          |   2 +-
>  drivers/tty/mxser.c                         |   2 +-
>  drivers/tty/rocket.c                        |  10 +-
>  drivers/tty/serial/8250/8250_core.c         |   4 +-
>  drivers/tty/serial/serial_core.c            |   5 +
>  drivers/tty/synclink.c                      |   6 +-
>  drivers/video/fbdev/arcfb.c                 |   8 +-
>  drivers/video/fbdev/n411.c                  |   6 +-
>  drivers/watchdog/cpu5wdt.c                  |   2 +-
>  drivers/watchdog/eurotechwdt.c              |   4 +-
>  drivers/watchdog/pc87413_wdt.c              |   2 +-
>  drivers/watchdog/sc1200wdt.c                |   2 +-
>  drivers/watchdog/wdt.c                      |   4 +-
>  fs/debugfs/file.c                           | 443 +++++++++++++++++---
>  fs/debugfs/inode.c                          | 101 ++++-
>  fs/debugfs/internal.h                       |  26 ++
>  fs/pstore/ram.c                             |   2 +-
>  include/linux/debugfs.h                     |  49 ++-
>  include/linux/moduleparam.h                 |  65 ++-
>  kernel/kexec_file.c                         |   6 +
>  kernel/params.c                             |  25 +-
>  lib/Kconfig.debug                           |   1 +
>  sound/drivers/mpu401/mpu401.c               |   4 +-
>  sound/drivers/mtpav.c                       |   4 +-
>  sound/drivers/serial-u16550.c               |   4 +-
>  sound/isa/ad1848/ad1848.c                   |   6 +-
>  sound/isa/adlib.c                           |   2 +-
>  sound/isa/cmi8328.c                         |  12 +-
>  sound/isa/cmi8330.c                         |  20 +-
>  sound/isa/cs423x/cs4231.c                   |  12 +-
>  sound/isa/cs423x/cs4236.c                   |  18 +-
>  sound/isa/es1688/es1688.c                   |  12 +-
>  sound/isa/es18xx.c                          |  12 +-
>  sound/isa/galaxy/galaxy.c                   |  16 +-
>  sound/isa/gus/gusclassic.c                  |   8 +-
>  sound/isa/gus/gusextreme.c                  |  16 +-
>  sound/isa/gus/gusmax.c                      |   8 +-
>  sound/isa/gus/interwave.c                   |  10 +-
>  sound/isa/msnd/msnd_pinnacle.c              |  20 +-
>  sound/isa/opl3sa2.c                         |  16 +-
>  sound/isa/opti9xx/miro.c                    |  14 +-
>  sound/isa/opti9xx/opti92x-ad1848.c          |  14 +-
>  sound/isa/sb/jazz16.c                       |  12 +-
>  sound/isa/sb/sb16.c                         |  14 +-
>  sound/isa/sb/sb8.c                          |   6 +-
>  sound/isa/sc6000.c                          |  12 +-
>  sound/isa/sscape.c                          |  12 +-
>  sound/isa/wavefront/wavefront.c             |  18 +-
>  sound/oss/ad1848.c                          |   8 +-
>  sound/oss/aedsp16.c                         |  12 +-
>  sound/oss/mpu401.c                          |   4 +-
>  sound/oss/msnd_pinnacle.c                   |  20 +-
>  sound/oss/opl3.c                            |   2 +-
>  sound/oss/pas2_card.c                       |  18 +-
>  sound/oss/pss.c                             |  14 +-
>  sound/oss/sb_card.c                         |  10 +-
>  sound/oss/trix.c                            |  18 +-
>  sound/oss/uart401.c                         |   4 +-
>  sound/oss/uart6850.c                        |   4 +-
>  sound/oss/waveartist.c                      |   8 +-
>  sound/pci/als4000.c                         |   2 +-
>  sound/pci/cmipci.c                          |   6 +-
>  sound/pci/ens1370.c                         |   2 +-
>  sound/pci/riptide/riptide.c                 |   6 +-
>  sound/pci/sonicvibes.c                      |   2 +-
>  sound/pci/via82xx.c                         |   2 +-
>  sound/pci/ymfpci/ymfpci.c                   |   6 +-
>  144 files changed, 1075 insertions(+), 519 deletions(-)
>  create mode 100644 fs/debugfs/internal.h
> 
It would have been better to do the debugfs part as an additional submission.
This is somewhat too large to review, even the debugfs part alone. The only reason
to be somewhat easy on it is that debugfs should not be part of normal use, so
hopefully breakage is not that critical...

Acked-by: Stefan Bader <stefan.bader at canonical.com>
