From: Paul Moore
Date: Tue, 31 Aug 2021 09:53:29 -0400
Subject: Re: [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks
To: Ondrej Mosnacek
Cc: Dan Williams, Linux Security Module list, James Morris, Steven Rostedt, Ingo Molnar, Steffen Klassert, Herbert Xu, "David S. Miller", Stephen Smalley, SElinux list, linuxppc-dev, X86 ML, Linux ACPI, linux-cxl@vger.kernel.org, linux-efi, linux-fsdevel, Linux PCI, Linux-pm mailing list, linux-serial@vger.kernel.org, bpf, Netdev, Kexec Mailing List, Linux Kernel Mailing List, Casey Schaufler
References: <20210616085118.1141101-1-omosnace@redhat.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Aug 31, 2021 at 5:09 AM Ondrej Mosnacek wrote:
> On Sat, Jun 19, 2021 at 12:18 AM Dan Williams wrote:
> > On Wed, Jun 16, 2021 at 1:51 AM Ondrej Mosnacek wrote:

...

> > > diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
> > > index 2acc6173da36..c1747b6555c7 100644
> > > --- a/drivers/cxl/mem.c
> > > +++ b/drivers/cxl/mem.c
> > > @@ -568,7 +568,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
> > >         if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
> > >                 return false;
> > >
> > > -       if (security_locked_down(LOCKDOWN_NONE))
> > > +       if (security_locked_down(current_cred(), LOCKDOWN_NONE))
> >
> > Acked-by: Dan Williams
> >
> > ...however that usage looks wrong. The expectation is that if kernel
> > integrity protections are enabled then raw command access should be
> > disabled. So I think that should be equivalent to LOCKDOWN_PCI_ACCESS
> > in terms of the command capabilities to filter.
>
> Yes, the LOCKDOWN_NONE seems wrong here... but it's a pre-existing bug
> and I didn't want to go down yet another rabbit hole trying to fix it.
> I'll look at this again once this patch is settled - it may indeed be
> as simple as replacing LOCKDOWN_NONE with LOCKDOWN_PCI_ACCESS.

At this point you should be well aware of my distaste for merging patches
that have known bugs in them. Yes, this is a pre-existing condition, but
it seems well within the scope of this work to address it as well.

This isn't something that is going to get merged while the merge window
is open, so at the very least you've got almost two weeks to sort this
out - please do that.

--
paul moore
www.paul-moore.com
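Review bot: the `+` line in the `cxl_mem_raw_command_allowed()` hunk corrects the subject by passing `current_cred()` but carries the `LOCKDOWN_NONE` reason over unchanged, so the gate on raw CXL commands still does not express the policy the thread states, namely that raw command access is denied once kernel integrity lockdown is in force. Since this patch already rewrites that exact call, it would be cleaner to replace the reason in the same hunk, i.e. `+ if (security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))` as Dan Williams suggests, and say so in the commit message, rather than merge a check known to use the wrong reason and defer it to a follow-up.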