From: David Howells
To: Randy Dunlap
Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, matthew.garrett@nebula.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown
Date: Thu, 19 Oct 2017 23:12:30 +0100

Randy Dunlap wrote:

> > +config ALLOW_LOCKDOWN_LIFT
> > + bool
> > + help
> > + Allow the lockdown on a kernel to be lifted, thereby restoring the
> > + ability of userspace to access the kernel image (eg. by SysRq+x under
>
> how about: on
>
> > + x86).

I'll just get rid of this config option, I think - it doesn't make anything
available outside of lock_down.c.

> > +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY
>
> is that the same as: CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ?
> tested?

My test machine doesn't have a physical keyboard attached, but you're right.

David
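Review bot: In the first quoted hunk, ALLOW_LOCKDOWN_LIFT is declared as a bare "bool" with no prompt string, so as quoted it cannot be chosen from a configuration menu and only takes a value if another symbol selects it or it is given a default. Either add a prompt or fold the option into the symbol that would select it. The help text should also read "e.g." rather than "eg.".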
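Review bot: In the second quoted hunk, the guard "#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY" tests a different name from the CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ symbol raised in the reply. The preprocessor treats a CONFIG_ macro that no Kconfig entry defines as simply undefined, so whatever this guard encloses is dropped without any build error or warning. Use one name for the guard and the Kconfig symbol, and build with the option enabled to confirm that the guarded code is actually compiled in.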