APPLIED: [PATCH v2 00/57][X] Lockdown updates

Khaled Elmously khalid.elmously at canonical.com
Tue Jun 30 04:03:45 UTC 2020


On 2020-06-19 11:49:13 , Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
> 
> v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
> mistakenly omitted from v1.
> 
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
> 
>   UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
> 
> for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:
> 
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)
> 
> Thanks,
> Seth
> 
> ----------------------------------------------------------------
> Chun-Yi Lee (1):
>   UBUNTU: SAUCE: (efi-lockdown) kexec_file: Disable at runtime if the
>     kernel is locked down
> 
> David Howells (42):
>   UBUNTU: SAUCE: (efi-lockdown) x86/mmiotrace: Lock down the
>     testmmiotrace module
>   Annotate module params that specify hardware parameters (eg. ioport)
>   Annotate hardware config module parameters in arch/x86/mm/
>   Annotate hardware config module parameters in drivers/char/ipmi/
>   Annotate hardware config module parameters in drivers/char/mwave/
>   Annotate hardware config module parameters in drivers/char/
>   Annotate hardware config module parameters in drivers/clocksource/
>   Annotate hardware config module parameters in drivers/cpufreq/
>   Annotate hardware config module parameters in drivers/gpio/
>   Annotate hardware config module parameters in drivers/i2c/
>   Annotate hardware config module parameters in drivers/input/
>   Annotate hardware config module parameters in drivers/isdn/
>   Annotate hardware config module parameters in drivers/media/
>   Annotate hardware config module parameters in drivers/misc/
>   Annotate hardware config module parameters in drivers/mmc/host/
>   Annotate hardware config module parameters in drivers/net/appletalk/
>   Annotate hardware config module parameters in drivers/net/arcnet/
>   Annotate hardware config module parameters in drivers/net/can/
>   Annotate hardware config module parameters in drivers/net/ethernet/
>   Annotate hardware config module parameters in drivers/net/hamradio/
>   Annotate hardware config module parameters in drivers/net/irda/
>   Annotate hardware config module parameters in drivers/net/wan/
>   Annotate hardware config module parameters in drivers/net/wireless/
>   Annotate hardware config module parameters in drivers/parport/
>   Annotate hardware config module parameters in drivers/pci/hotplug/
>   Annotate hardware config module parameters in drivers/pcmcia/
>   Annotate hardware config module parameters in drivers/scsi/
>   Annotate hardware config module parameters in drivers/staging/media/
>   Annotate hardware config module parameters in drivers/staging/speakup/
>   Annotate hardware config module parameters in drivers/staging/vme/
>   Annotate hardware config module parameters in drivers/tty/
>   Annotate hardware config module parameters in drivers/video/
>   Annotate hardware config module parameters in drivers/watchdog/
>   Annotate hardware config module parameters in fs/pstore/
>   Annotate hardware config module parameters in sound/drivers/
>   Annotate hardware config module parameters in sound/isa/
>   Annotate hardware config module parameters in sound/oss/
>   Annotate hardware config module parameters in sound/pci/
>   UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify
>     hardware parameters (eg. ioport)
>   UBUNTU: SAUCE: (efi-lockdown) Prohibit PCMCIA CIS storage when the
>     kernel is locked down
>   UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files
>     when the kernel is locked down
> 
> Javier Martinez Canillas (1):
>   efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
> 
> Linn Crosetto (1):
>   acpi: Disable ACPI table override if the kernel is locked down
> 
> Matthew Garrett (1):
>   UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem,kmem,port} when the
>     kernel is locked down
> 
> Nicolai Stange (9):
>   debugfs: prevent access to possibly dead file_operations at file open
>   debugfs: prevent access to removed files' private data
>   debugfs: add support for self-protecting attribute file fops
>   debugfs: unproxify integer attribute files
>   debugfs: unproxify files created through debugfs_create_bool()
>   debugfs: unproxify files created through debugfs_create_blob()
>   debugfs: unproxify files created through debugfs_create_u32_array()
>   debugfs: full_proxy_open(): free proxy on ->open() failure
>   debugfs: open_proxy_open(): avoid double fops release
> 
> Seth Forshee (2):
>   Revert "Restrict /dev/mem and /dev/kmem when module loading is
>     restricted"
>   Revert "x86: Lock down IO port access when module security is enabled"
> 
>  arch/x86/kernel/ioport.c                    |   5 +-
>  arch/x86/mm/testmmiotrace.c                 |   5 +-
>  drivers/acpi/osl.c                          |   5 +
>  drivers/char/applicom.c                     |   4 +-
>  drivers/char/ipmi/ipmi_si_intf.c            |  14 +-
>  drivers/char/mem.c                          |  13 +-
>  drivers/char/mwave/mwavedd.c                |   8 +-
>  drivers/clocksource/cs5535-clockevt.c       |   2 +-
>  drivers/cpufreq/speedstep-smi.c             |   2 +-
>  drivers/firmware/efi/test/efi_test.c        |   7 +
>  drivers/gpio/gpio-104-idio-16.c             |   2 +-
>  drivers/i2c/busses/i2c-ali15x3.c            |   2 +-
>  drivers/i2c/busses/i2c-elektor.c            |   6 +-
>  drivers/i2c/busses/i2c-parport-light.c      |   4 +-
>  drivers/i2c/busses/i2c-pca-isa.c            |   4 +-
>  drivers/i2c/busses/i2c-piix4.c              |   2 +-
>  drivers/i2c/busses/i2c-sis5595.c            |   2 +-
>  drivers/i2c/busses/i2c-viapro.c             |   2 +-
>  drivers/i2c/busses/scx200_acb.c             |   2 +-
>  drivers/input/mouse/inport.c                |   2 +-
>  drivers/input/mouse/logibm.c                |   2 +-
>  drivers/input/touchscreen/mk712.c           |   4 +-
>  drivers/isdn/hardware/avm/b1isa.c           |   4 +-
>  drivers/isdn/hardware/avm/t1isa.c           |   4 +-
>  drivers/isdn/hisax/config.c                 |  10 +-
>  drivers/media/pci/zoran/zoran_card.c        |   2 +-
>  drivers/misc/dummy-irq.c                    |   2 +-
>  drivers/mmc/host/wbsd.c                     |   8 +-
>  drivers/net/appletalk/cops.c                |   6 +-
>  drivers/net/appletalk/ltpc.c                |   6 +-
>  drivers/net/arcnet/com20020-isa.c           |   4 +-
>  drivers/net/arcnet/com90io.c                |   4 +-
>  drivers/net/arcnet/com90xx.c                |   4 +-
>  drivers/net/can/cc770/cc770_isa.c           |   8 +-
>  drivers/net/can/sja1000/sja1000_isa.c       |   8 +-
>  drivers/net/ethernet/3com/3c509.c           |   2 +-
>  drivers/net/ethernet/3com/3c59x.c           |   4 +-
>  drivers/net/ethernet/8390/ne.c              |   4 +-
>  drivers/net/ethernet/8390/smc-ultra.c       |   4 +-
>  drivers/net/ethernet/8390/wd.c              |   8 +-
>  drivers/net/ethernet/amd/lance.c            |   6 +-
>  drivers/net/ethernet/amd/ni65.c             |   6 +-
>  drivers/net/ethernet/cirrus/cs89x0.c        |   6 +-
>  drivers/net/ethernet/dec/tulip/de4x5.c      |   2 +-
>  drivers/net/ethernet/hp/hp100.c             |   2 +-
>  drivers/net/ethernet/realtek/atp.c          |   4 +-
>  drivers/net/ethernet/smsc/smc9194.c         |   4 +-
>  drivers/net/hamradio/baycom_epp.c           |   2 +-
>  drivers/net/hamradio/baycom_par.c           |   2 +-
>  drivers/net/hamradio/baycom_ser_fdx.c       |   4 +-
>  drivers/net/hamradio/baycom_ser_hdx.c       |   4 +-
>  drivers/net/hamradio/dmascc.c               |   2 +-
>  drivers/net/irda/ali-ircc.c                 |   6 +-
>  drivers/net/irda/nsc-ircc.c                 |   6 +-
>  drivers/net/irda/smsc-ircc2.c               |  10 +-
>  drivers/net/irda/w83977af_ir.c              |   4 +-
>  drivers/net/wan/cosa.c                      |   6 +-
>  drivers/net/wan/hostess_sv11.c              |   6 +-
>  drivers/net/wan/sbni.c                      |   4 +-
>  drivers/net/wan/sealevel.c                  |   8 +-
>  drivers/net/wireless/airo.c                 |   4 +-
>  drivers/parport/parport_pc.c                |   8 +-
>  drivers/pci/hotplug/cpcihp_generic.c        |   2 +-
>  drivers/pcmcia/cistpl.c                     |   3 +
>  drivers/pcmcia/i82365.c                     |   8 +-
>  drivers/pcmcia/tcic.c                       |   8 +-
>  drivers/scsi/aha152x.c                      |   4 +-
>  drivers/scsi/aha1542.c                      |   2 +-
>  drivers/scsi/g_NCR5380.c                    |  17 +-
>  drivers/scsi/gdth.c                         |   2 +-
>  drivers/scsi/qlogicfas.c                    |   4 +-
>  drivers/staging/media/lirc/lirc_sir.c       |   4 +-
>  drivers/staging/speakup/speakup_acntpc.c    |   2 +-
>  drivers/staging/speakup/speakup_dtlk.c      |   2 +-
>  drivers/staging/speakup/speakup_keypc.c     |   2 +-
>  drivers/staging/vme/devices/vme_pio2_core.c |   8 +-
>  drivers/tty/cyclades.c                      |   4 +-
>  drivers/tty/moxa.c                          |   2 +-
>  drivers/tty/mxser.c                         |   2 +-
>  drivers/tty/rocket.c                        |  10 +-
>  drivers/tty/serial/8250/8250_core.c         |   4 +-
>  drivers/tty/serial/serial_core.c            |   5 +
>  drivers/tty/synclink.c                      |   6 +-
>  drivers/video/fbdev/arcfb.c                 |   8 +-
>  drivers/video/fbdev/n411.c                  |   6 +-
>  drivers/watchdog/cpu5wdt.c                  |   2 +-
>  drivers/watchdog/eurotechwdt.c              |   4 +-
>  drivers/watchdog/pc87413_wdt.c              |   2 +-
>  drivers/watchdog/sc1200wdt.c                |   2 +-
>  drivers/watchdog/wdt.c                      |   4 +-
>  fs/debugfs/file.c                           | 443 +++++++++++++++++---
>  fs/debugfs/inode.c                          | 101 ++++-
>  fs/debugfs/internal.h                       |  26 ++
>  fs/pstore/ram.c                             |   2 +-
>  include/linux/debugfs.h                     |  49 ++-
>  include/linux/moduleparam.h                 |  65 ++-
>  kernel/kexec_file.c                         |   6 +
>  kernel/params.c                             |  25 +-
>  lib/Kconfig.debug                           |   1 +
>  sound/drivers/mpu401/mpu401.c               |   4 +-
>  sound/drivers/mtpav.c                       |   4 +-
>  sound/drivers/serial-u16550.c               |   4 +-
>  sound/isa/ad1848/ad1848.c                   |   6 +-
>  sound/isa/adlib.c                           |   2 +-
>  sound/isa/cmi8328.c                         |  12 +-
>  sound/isa/cmi8330.c                         |  20 +-
>  sound/isa/cs423x/cs4231.c                   |  12 +-
>  sound/isa/cs423x/cs4236.c                   |  18 +-
>  sound/isa/es1688/es1688.c                   |  12 +-
>  sound/isa/es18xx.c                          |  12 +-
>  sound/isa/galaxy/galaxy.c                   |  16 +-
>  sound/isa/gus/gusclassic.c                  |   8 +-
>  sound/isa/gus/gusextreme.c                  |  16 +-
>  sound/isa/gus/gusmax.c                      |   8 +-
>  sound/isa/gus/interwave.c                   |  10 +-
>  sound/isa/msnd/msnd_pinnacle.c              |  20 +-
>  sound/isa/opl3sa2.c                         |  16 +-
>  sound/isa/opti9xx/miro.c                    |  14 +-
>  sound/isa/opti9xx/opti92x-ad1848.c          |  14 +-
>  sound/isa/sb/jazz16.c                       |  12 +-
>  sound/isa/sb/sb16.c                         |  14 +-
>  sound/isa/sb/sb8.c                          |   6 +-
>  sound/isa/sc6000.c                          |  12 +-
>  sound/isa/sscape.c                          |  12 +-
>  sound/isa/wavefront/wavefront.c             |  18 +-
>  sound/oss/ad1848.c                          |   8 +-
>  sound/oss/aedsp16.c                         |  12 +-
>  sound/oss/mpu401.c                          |   4 +-
>  sound/oss/msnd_pinnacle.c                   |  20 +-
>  sound/oss/opl3.c                            |   2 +-
>  sound/oss/pas2_card.c                       |  18 +-
>  sound/oss/pss.c                             |  14 +-
>  sound/oss/sb_card.c                         |  10 +-
>  sound/oss/trix.c                            |  18 +-
>  sound/oss/uart401.c                         |   4 +-
>  sound/oss/uart6850.c                        |   4 +-
>  sound/oss/waveartist.c                      |   8 +-
>  sound/pci/als4000.c                         |   2 +-
>  sound/pci/cmipci.c                          |   6 +-
>  sound/pci/ens1370.c                         |   2 +-
>  sound/pci/riptide/riptide.c                 |   6 +-
>  sound/pci/sonicvibes.c                      |   2 +-
>  sound/pci/via82xx.c                         |   2 +-
>  sound/pci/ymfpci/ymfpci.c                   |   6 +-
>  144 files changed, 1075 insertions(+), 519 deletions(-)
>  create mode 100644 fs/debugfs/internal.h
> 
> -- 
> 2.27.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
