[SRU,1/1,C,D,u] UBUNTU: SAUCE: debugfs: avoid EPERM when no open file operation defined

Message ID 20190109205235.19437-2-kamal@canonical.com
State New
Headers show
Series
  • fix EPERM bug in efi-lockdown
Related show

Commit Message

Kamal Mostafa Jan. 9, 2019, 8:52 p.m.
From: Vasily Gorbik <gor@linux.ibm.com>

BugLink: https://bugs.launchpad.net/bugs/1807686

With "debugfs: Restrict debugfs when the kernel is locked down"
return code "r" is unconditionally set to -EPERM, which stays like that
until function return if no "open" file operation defined, effectivelly
resulting in "Operation not permitted" for all such files despite kernel
lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.

In particular this breaks 2 debugfs files on s390:
/sys/kernel/debug/s390_hypfs/diag_304
/sys/kernel/debug/s390_hypfs/diag_204

To address that set EPERM return code only when debugfs_is_locked_down
returns true.

Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Reference: https://lore.kernel.org/patchwork/patch/1015495/
Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/debugfs/file.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Tyler Hicks Jan. 9, 2019, 9:09 p.m. | #1
On 2019-01-09 12:52:35, Kamal Mostafa wrote:
> From: Vasily Gorbik <gor@linux.ibm.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1807686
> 
> With "debugfs: Restrict debugfs when the kernel is locked down"
> return code "r" is unconditionally set to -EPERM, which stays like that
> until function return if no "open" file operation defined, effectivelly
> resulting in "Operation not permitted" for all such files despite kernel
> lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
> 
> In particular this breaks 2 debugfs files on s390:
> /sys/kernel/debug/s390_hypfs/diag_304
> /sys/kernel/debug/s390_hypfs/diag_204
> 
> To address that set EPERM return code only when debugfs_is_locked_down
> returns true.
> 
> Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
> Reference: https://lore.kernel.org/patchwork/patch/1015495/
> Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Tyler

> ---
>  fs/debugfs/file.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
> index c33042c1eff3..3a5033ff9ec7 100644
> --- a/fs/debugfs/file.c
> +++ b/fs/debugfs/file.c
> @@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
>  
>  	real_fops = debugfs_real_fops(filp);
>  
> -	r = -EPERM;
> -	if (debugfs_is_locked_down(inode, filp, real_fops))
> +	if (debugfs_is_locked_down(inode, filp, real_fops)) {
> +		r = -EPERM;
>  		goto out;
> +	}
>  
>  	real_fops = fops_get(real_fops);
>  	if (!real_fops) {
> @@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
>  		return r == -EIO ? -ENOENT : r;
>  
>  	real_fops = debugfs_real_fops(filp);
> -	r = -EPERM;
> -	if (debugfs_is_locked_down(inode, filp, real_fops))
> +	if (debugfs_is_locked_down(inode, filp, real_fops)) {
> +		r = -EPERM;
>  		goto out;
> +	}
>  
>  	real_fops = fops_get(real_fops);
>  	if (!real_fops) {
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Seth Forshee Jan. 9, 2019, 9:18 p.m. | #2
On Wed, Jan 09, 2019 at 12:52:35PM -0800, Kamal Mostafa wrote:
> From: Vasily Gorbik <gor@linux.ibm.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1807686
> 
> With "debugfs: Restrict debugfs when the kernel is locked down"
> return code "r" is unconditionally set to -EPERM, which stays like that
> until function return if no "open" file operation defined, effectivelly
> resulting in "Operation not permitted" for all such files despite kernel
> lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
> 
> In particular this breaks 2 debugfs files on s390:
> /sys/kernel/debug/s390_hypfs/diag_304
> /sys/kernel/debug/s390_hypfs/diag_204
> 
> To address that set EPERM return code only when debugfs_is_locked_down
> returns true.
> 
> Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
> Reference: https://lore.kernel.org/patchwork/patch/1015495/
> Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

Looks correct.

Acked-by: Seth Forshee <seth.forshee@canonical.com>

Applied to disco/master-next and unstable/master. I'll also point the
guys maintaining the lockdown patches at this to try and get it
incorporated there. Thanks!

Patch

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index c33042c1eff3..3a5033ff9ec7 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -167,9 +167,10 @@  static int open_proxy_open(struct inode *inode, struct file *filp)
 
 	real_fops = debugfs_real_fops(filp);
 
-	r = -EPERM;
-	if (debugfs_is_locked_down(inode, filp, real_fops))
+	if (debugfs_is_locked_down(inode, filp, real_fops)) {
+		r = -EPERM;
 		goto out;
+	}
 
 	real_fops = fops_get(real_fops);
 	if (!real_fops) {
@@ -296,9 +297,10 @@  static int full_proxy_open(struct inode *inode, struct file *filp)
 		return r == -EIO ? -ENOENT : r;
 
 	real_fops = debugfs_real_fops(filp);
-	r = -EPERM;
-	if (debugfs_is_locked_down(inode, filp, real_fops))
+	if (debugfs_is_locked_down(inode, filp, real_fops)) {
+		r = -EPERM;
 		goto out;
+	}
 
 	real_fops = fops_get(real_fops);
 	if (!real_fops) {