2020-02-20 15:18:35

by Jeremy Cline

[permalink] [raw]
Subject: [PATCH] lockdown: Allow unprivileged users to see lockdown status

A number of userspace tools, such as systemtap, need a way to see the
current lockdown state so they can gracefully deal with the kernel being
locked down. The state is already exposed in
/sys/kernel/security/lockdown, but is only readable by root. Adjust the
permissions so unprivileged users can read the state.

Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
Cc: Frank Ch. Eigler <[email protected]>
Signed-off-by: Jeremy Cline <[email protected]>
---
security/lockdown/lockdown.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 5a952617a0eb..87cbdc64d272 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
{
struct dentry *dentry;

- dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
+ dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
&lockdown_ops);
return PTR_ERR_OR_ZERO(dentry);
}
--
2.24.1


2020-02-21 16:52:08

by James Morris

[permalink] [raw]
Subject: Re: [PATCH] lockdown: Allow unprivileged users to see lockdown status

On Thu, 20 Feb 2020, Jeremy Cline wrote:

> A number of userspace tools, such as systemtap, need a way to see the
> current lockdown state so they can gracefully deal with the kernel being
> locked down. The state is already exposed in
> /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> permissions so unprivileged users can read the state.
>
> Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> Cc: Frank Ch. Eigler <[email protected]>
> Signed-off-by: Jeremy Cline <[email protected]>

Looks fine to me, any objection from Matthew or others?

> ---
> security/lockdown/lockdown.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 5a952617a0eb..87cbdc64d272 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
> {
> struct dentry *dentry;
>
> - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
> + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
> &lockdown_ops);
> return PTR_ERR_OR_ZERO(dentry);
> }
>

--
James Morris
<[email protected]>

2020-05-11 13:45:12

by Jeremy Cline

[permalink] [raw]
Subject: Re: [PATCH] lockdown: Allow unprivileged users to see lockdown status

On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote:
> On Thu, 20 Feb 2020, Jeremy Cline wrote:
>
> > A number of userspace tools, such as systemtap, need a way to see the
> > current lockdown state so they can gracefully deal with the kernel being
> > locked down. The state is already exposed in
> > /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> > permissions so unprivileged users can read the state.
> >
> > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> > Cc: Frank Ch. Eigler <[email protected]>
> > Signed-off-by: Jeremy Cline <[email protected]>
>
> Looks fine to me, any objection from Matthew or others?
>

Can we take resounding silence as no objections?

- Jeremy

> > ---
> > security/lockdown/lockdown.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> > index 5a952617a0eb..87cbdc64d272 100644
> > --- a/security/lockdown/lockdown.c
> > +++ b/security/lockdown/lockdown.c
> > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
> > {
> > struct dentry *dentry;
> >
> > - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
> > + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
> > &lockdown_ops);
> > return PTR_ERR_OR_ZERO(dentry);
> > }
> >
>
> --
> James Morris
> <[email protected]>
>

2020-05-14 02:46:17

by James Morris

[permalink] [raw]
Subject: Re: [PATCH] lockdown: Allow unprivileged users to see lockdown status

On Mon, 11 May 2020, Jeremy Cline wrote:

> On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote:
> > On Thu, 20 Feb 2020, Jeremy Cline wrote:
> >
> > > A number of userspace tools, such as systemtap, need a way to see the
> > > current lockdown state so they can gracefully deal with the kernel being
> > > locked down. The state is already exposed in
> > > /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> > > permissions so unprivileged users can read the state.
> > >
> > > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> > > Cc: Frank Ch. Eigler <[email protected]>
> > > Signed-off-by: Jeremy Cline <[email protected]>
> >
> > Looks fine to me, any objection from Matthew or others?
> >
>
> Can we take resounding silence as no objections?

Please resend and I'll apply it to my tree.

>
> - Jeremy
>
> > > ---
> > > security/lockdown/lockdown.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> > > index 5a952617a0eb..87cbdc64d272 100644
> > > --- a/security/lockdown/lockdown.c
> > > +++ b/security/lockdown/lockdown.c
> > > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
> > > {
> > > struct dentry *dentry;
> > >
> > > - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
> > > + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
> > > &lockdown_ops);
> > > return PTR_ERR_OR_ZERO(dentry);
> > > }
> > >
> >
> > --
> > James Morris
> > <[email protected]>
> >
>

--
James Morris
<[email protected]>

2020-05-14 14:08:47

by Jeremy Cline

[permalink] [raw]
Subject: [PATCH RESEND] lockdown: Allow unprivileged users to see lockdown status

A number of userspace tools, such as systemtap, need a way to see the
current lockdown state so they can gracefully deal with the kernel being
locked down. The state is already exposed in
/sys/kernel/security/lockdown, but is only readable by root. Adjust the
permissions so unprivileged users can read the state.

Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
Cc: Frank Ch. Eigler <[email protected]>
Signed-off-by: Jeremy Cline <[email protected]>
---
security/lockdown/lockdown.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 5a952617a0eba..87cbdc64d272c 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
{
struct dentry *dentry;

- dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
+ dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
&lockdown_ops);
return PTR_ERR_OR_ZERO(dentry);
}
--
2.26.2

2020-05-14 17:30:13

by James Morris

[permalink] [raw]
Subject: Re: [PATCH RESEND] lockdown: Allow unprivileged users to see lockdown status

On Thu, 14 May 2020, Jeremy Cline wrote:

> A number of userspace tools, such as systemtap, need a way to see the
> current lockdown state so they can gracefully deal with the kernel being
> locked down. The state is already exposed in
> /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> permissions so unprivileged users can read the state.
>
> Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> Cc: Frank Ch. Eigler <[email protected]>
> Signed-off-by: Jeremy Cline <[email protected]>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general


--
James Morris
<[email protected]>