Hi Linus,
Just one update for the security subsystem: allows unprivileged users to
see the status of the lockdown feature. From Jeremy Cline.
Please pull.
The following changes since commit 3e27a33932df104f4f9ff811467b0b4ccebde773:
security: remove duplicated include from security.h (2020-02-21 08:53:48 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
for you to fetch changes up to 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c:
lockdown: Allow unprivileged users to see lockdown status (2020-05-14 10:23:05 -0700)
----------------------------------------------------------------
Jeremy Cline (1):
lockdown: Allow unprivileged users to see lockdown status
security/lockdown/lockdown.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
commit 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c
Author: Jeremy Cline <[email protected]>
Date: Thu May 14 10:05:46 2020 -0400
lockdown: Allow unprivileged users to see lockdown status
A number of userspace tools, such as systemtap, need a way to see the
current lockdown state so they can gracefully deal with the kernel being
locked down. The state is already exposed in
/sys/kernel/security/lockdown, but is only readable by root. Adjust the
permissions so unprivileged users can read the state.
Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
Cc: Frank Ch. Eigler <[email protected]>
Signed-off-by: Jeremy Cline <[email protected]>
Signed-off-by: James Morris <[email protected]>
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 40b790536def..ae594c0a127f 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -175,7 +175,7 @@ static int __init lockdown_secfs_init(void)
{
struct dentry *dentry;
- dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
+ dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
&lockdown_ops);
return PTR_ERR_OR_ZERO(dentry);
}
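Review bot: The mode change from 0600 to 0644 widens only the group and other read bits; the write bit stays owner-only, so whatever write path is reachable through &lockdown_ops is not affected by this hunk. That is worth stating in the commit message, because a reader who sees permissions on a securityfs file being loosened will look for exactly that confirmation. The message currently justifies the change only by tool convenience (systemtap needing to read the state); one sentence noting why exposing the current lockdown mode to unprivileged readers is acceptable would make the review record clearer.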
On Mon, Jun 1, 2020 at 7:15 PM James Morris <[email protected]> wrote:
>
> Just one update for the security subsystem: allows unprivileged users to
> see the status of the lockdown feature. From Jeremy Cline.
Hmm.
That branch seems to have sprouted another commit just today.
I ended up taking that too as trivial, but it shows how you seem to
basically send me a pointer to a live branch. Please don't do that.
When you make changes to that branch, I now get those changes that you
may not have meant to send me (and that I get upset for being
surprised by).
An easy solution to that is to send me a signed tag instead of a
pointer to a branch. Then you can continue to update the branch, while
the tag stays stable.
Plus we've been encouraging signed tags for pull requests anyway.
Linus
The pull request you sent on Tue, 2 Jun 2020 12:15:04 +1000 (AEST):
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/56f2e3b7d819f4fa44857ba81aa6870f18714ea0
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker
On Tue, 2 Jun 2020, Linus Torvalds wrote:
> On Mon, Jun 1, 2020 at 7:15 PM James Morris <[email protected]> wrote:
> >
> > Just one update for the security subsystem: allows unprivileged users to
> > see the status of the lockdown feature. From Jeremy Cline.
>
> Hmm.
>
> That branch seems to have sprouted another commit just today.
Oops, sorry, I thought it was already pulled.
>
> I ended up taking that too as trivial, but it shows how you seem to
> basically send me a pointer to a live branch. Please don't do that.
> When you make changes to that branch, I now get those changes that you
> may not have meant to send me (and that I get upset for being
> surprised by).
>
> An easy solution to that is to send me a signed tag instead of a
> pointer to a branch. Then you can continue to update the branch, while
> the tag stays stable.
>
> Plus we've been encouraging signed tags for pull requests anyway.
Ok.
--
James Morris
<[email protected]>