Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp5110843imb; Thu, 7 Mar 2019 08:01:23 -0800 (PST) X-Google-Smtp-Source: APXvYqxD2NO5n+GxZZfQqw6dyjMqDd3RAfEgIv0nMvSP3hGYkD4AM7wLXXdOQSxTfNDOfX9hkT7q X-Received: by 2002:a63:7909:: with SMTP id u9mr12232408pgc.243.1551974482947; Thu, 07 Mar 2019 08:01:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551974482; cv=none; d=google.com; s=arc-20160816; b=NfBxdwzKzBYkFf09Xj0cV3jVjzUsdntM4Q1QUt/GXR50ZZzo00tKPn6knhoPqYkEur G/XgS4dVcAikc2DMh8Pj2aMwF+613+9fPmyOFFBi6y92DLYGKiVhcwNXrIxHHRQPDrXw wgljrsC/nk5oiZNSAYtFEYNH59HmFc8oyl1GLGq+ISznj2QmyDv15qQBGdWyAo0Et0RR yv/6kJITKFgjERMiSz3ALaimGsMp/qiMDlCVds3jwa0XD3KjeqvVAkw5lEo1U98ep00Q gK6MxQZxQ42T503PBNXdBJwzuZVuo41MENC0Zyzwn5ysZfEh4AJaTsKM6V2Po3rKt+ZJ GIBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-id:mime-version :subject:cc:to:references:in-reply-to:from:organization; bh=oNaQgEsAk7sCcJYizFpJkQz0A4mzJvY86XCMIyQ81bg=; b=xyx6y+jB0J7sgqeCBldS2Xpo6qKraNyS7VZjkTaGhMKDCU67jLU7dsYITNAQLugGdQ 1Y1R8Z7QcBAJki+jyqHjpZQdPqiGHcNMtqfqeV88ZNDBXrnsb0/k6dehIyFGK0WxbDih xEEHQ3l4xEV548vagOPLd2T5+Sx/BPqPJOiVuqHLeEsUrCU8rEZQUR9UnwoEckBFphTh jnAZg1I97BdZIVWNEMr/3OpsmKjLY4tmKor+oNxwrotixY3RLYcHyCfx+3BIcRRE/m8x 9gXSvErxUvBWLoYmbhu5M/ZuDkpsmNqYgFNcxwdPlE9XlvSlpAfGY+DoIlE66FS/iMlU I8bA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j97si4522487plb.292.2019.03.07.08.01.07; Thu, 07 Mar 2019 08:01:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726696AbfCGP7i (ORCPT + 99 others); Thu, 7 Mar 2019 10:59:38 -0500 Received: from mx1.redhat.com ([209.132.183.28]:39252 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726285AbfCGP7h (ORCPT ); Thu, 7 Mar 2019 10:59:37 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BFE6236807; Thu, 7 Mar 2019 15:59:37 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-121-148.rdu2.redhat.com [10.10.121.148]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4859F5C1A1; Thu, 7 Mar 2019 15:59:33 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20190306235913.6631-3-matthewgarrett@google.com> References: <20190306235913.6631-3-matthewgarrett@google.com> <20190306235913.6631-1-matthewgarrett@google.com> To: Matthew Garrett Cc: dhowells@redhat.com, jmorris@namei.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <15832.1551974371.1@warthog.procyon.org.uk> Date: Thu, 07 Mar 2019 15:59:31 +0000 Message-ID: <15833.1551974371@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 07 Mar 2019 15:59:37 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Matthew Garrett wrote: > + /* Ban synthetic events from some sysrq functionality */ > + if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && > + op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) > + printk("This sysrq operation is disabled from userspace.\n"); > /* > * Should we check for enabled operations (/proc/sysrq-trigger > * should not) and is the invoked operation enabled? > */ > - if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { > + if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { There's some missing logic here. Probably an else is missing, but it seems more than that. David