From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2 00/57][X] Lockdown updates
Date: Fri, 19 Jun 2020 11:49:13 -0500
Message-Id: <20200619165010.645925-1-seth.forshee@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1884159

v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
mistakenly omitted from v1.
The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:

  UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates

for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:

  UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)

Thanks,
Seth

----------------------------------------------------------------
Chun-Yi Lee (1):
      UBUNTU: SAUCE: (efi-lockdown) kexec_file: Disable at runtime if the kernel is locked down

David Howells (42):
      UBUNTU: SAUCE: (efi-lockdown) x86/mmiotrace: Lock down the testmmiotrace module
      Annotate module params that specify hardware parameters (eg. ioport)
      Annotate hardware config module parameters in arch/x86/mm/
      Annotate hardware config module parameters in drivers/char/ipmi/
      Annotate hardware config module parameters in drivers/char/mwave/
      Annotate hardware config module parameters in drivers/char/
      Annotate hardware config module parameters in drivers/clocksource/
      Annotate hardware config module parameters in drivers/cpufreq/
      Annotate hardware config module parameters in drivers/gpio/
      Annotate hardware config module parameters in drivers/i2c/
      Annotate hardware config module parameters in drivers/input/
      Annotate hardware config module parameters in drivers/isdn/
      Annotate hardware config module parameters in drivers/media/
      Annotate hardware config module parameters in drivers/misc/
      Annotate hardware config module parameters in drivers/mmc/host/
      Annotate hardware config module parameters in drivers/net/appletalk/
      Annotate hardware config module parameters in drivers/net/arcnet/
      Annotate hardware config module parameters in drivers/net/can/
      Annotate hardware config module parameters in drivers/net/ethernet/
      Annotate hardware config module parameters in drivers/net/hamradio/
      Annotate hardware config module parameters in drivers/net/irda/
      Annotate hardware config module parameters in drivers/net/wan/
      Annotate hardware config module parameters in drivers/net/wireless/
      Annotate hardware config module parameters in drivers/parport/
      Annotate hardware config module parameters in drivers/pci/hotplug/
      Annotate hardware config module parameters in drivers/pcmcia/
      Annotate hardware config module parameters in drivers/scsi/
      Annotate hardware config module parameters in drivers/staging/media/
      Annotate hardware config module parameters in drivers/staging/speakup/
      Annotate hardware config module parameters in drivers/staging/vme/
      Annotate hardware config module parameters in drivers/tty/
      Annotate hardware config module parameters in drivers/video/
      Annotate hardware config module parameters in drivers/watchdog/
      Annotate hardware config module parameters in fs/pstore/
      Annotate hardware config module parameters in sound/drivers/
      Annotate hardware config module parameters in sound/isa/
      Annotate hardware config module parameters in sound/oss/
      Annotate hardware config module parameters in sound/pci/
      UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify hardware parameters (eg. ioport)
      UBUNTU: SAUCE: (efi-lockdown) Prohibit PCMCIA CIS storage when the kernel is locked down
      UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
      UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down

Javier Martinez Canillas (1):
      efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN

Linn Crosetto (1):
      acpi: Disable ACPI table override if the kernel is locked down

Matthew Garrett (1):
      UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem,kmem,port} when the kernel is locked down

Nicolai Stange (9):
      debugfs: prevent access to possibly dead file_operations at file open
      debugfs: prevent access to removed files' private data
      debugfs: add support for self-protecting attribute file fops
      debugfs: unproxify integer attribute files
      debugfs: unproxify files created through debugfs_create_bool()
      debugfs: unproxify files created through debugfs_create_blob()
      debugfs: unproxify files created through debugfs_create_u32_array()
      debugfs: full_proxy_open(): free proxy on ->open() failure
      debugfs: open_proxy_open(): avoid double fops release

Seth Forshee (2):
      Revert "Restrict /dev/mem and /dev/kmem when module loading is restricted"
      Revert "x86: Lock down IO port access when module security is enabled"

 arch/x86/kernel/ioport.c | 5 +-
 arch/x86/mm/testmmiotrace.c | 5 +-
 drivers/acpi/osl.c | 5 +
 drivers/char/applicom.c | 4 +-
 drivers/char/ipmi/ipmi_si_intf.c | 14 +-
 drivers/char/mem.c | 13 +-
 drivers/char/mwave/mwavedd.c | 8 +-
 drivers/clocksource/cs5535-clockevt.c | 2 +-
 drivers/cpufreq/speedstep-smi.c | 2 +-
 drivers/firmware/efi/test/efi_test.c | 7 +
 drivers/gpio/gpio-104-idio-16.c | 2 +-
 drivers/i2c/busses/i2c-ali15x3.c | 2 +-
 drivers/i2c/busses/i2c-elektor.c | 6 +-
 drivers/i2c/busses/i2c-parport-light.c | 4 +-
 drivers/i2c/busses/i2c-pca-isa.c | 4 +-
 drivers/i2c/busses/i2c-piix4.c | 2 +-
 drivers/i2c/busses/i2c-sis5595.c | 2 +-
 drivers/i2c/busses/i2c-viapro.c | 2 +-
 drivers/i2c/busses/scx200_acb.c | 2 +-
 drivers/input/mouse/inport.c | 2 +-
 drivers/input/mouse/logibm.c | 2 +-
 drivers/input/touchscreen/mk712.c | 4 +-
 drivers/isdn/hardware/avm/b1isa.c | 4 +-
 drivers/isdn/hardware/avm/t1isa.c | 4 +-
 drivers/isdn/hisax/config.c | 10 +-
 drivers/media/pci/zoran/zoran_card.c | 2 +-
 drivers/misc/dummy-irq.c | 2 +-
 drivers/mmc/host/wbsd.c | 8 +-
 drivers/net/appletalk/cops.c | 6 +-
 drivers/net/appletalk/ltpc.c | 6 +-
 drivers/net/arcnet/com20020-isa.c | 4 +-
 drivers/net/arcnet/com90io.c | 4 +-
 drivers/net/arcnet/com90xx.c | 4 +-
 drivers/net/can/cc770/cc770_isa.c | 8 +-
 drivers/net/can/sja1000/sja1000_isa.c | 8 +-
 drivers/net/ethernet/3com/3c509.c | 2 +-
 drivers/net/ethernet/3com/3c59x.c | 4 +-
 drivers/net/ethernet/8390/ne.c | 4 +-
 drivers/net/ethernet/8390/smc-ultra.c | 4 +-
 drivers/net/ethernet/8390/wd.c | 8 +-
 drivers/net/ethernet/amd/lance.c | 6 +-
 drivers/net/ethernet/amd/ni65.c | 6 +-
 drivers/net/ethernet/cirrus/cs89x0.c | 6 +-
 drivers/net/ethernet/dec/tulip/de4x5.c | 2 +-
 drivers/net/ethernet/hp/hp100.c | 2 +-
 drivers/net/ethernet/realtek/atp.c | 4 +-
 drivers/net/ethernet/smsc/smc9194.c | 4 +-
 drivers/net/hamradio/baycom_epp.c | 2 +-
 drivers/net/hamradio/baycom_par.c | 2 +-
 drivers/net/hamradio/baycom_ser_fdx.c | 4 +-
 drivers/net/hamradio/baycom_ser_hdx.c | 4 +-
 drivers/net/hamradio/dmascc.c | 2 +-
 drivers/net/irda/ali-ircc.c | 6 +-
 drivers/net/irda/nsc-ircc.c | 6 +-
 drivers/net/irda/smsc-ircc2.c | 10 +-
 drivers/net/irda/w83977af_ir.c | 4 +-
 drivers/net/wan/cosa.c | 6 +-
 drivers/net/wan/hostess_sv11.c | 6 +-
 drivers/net/wan/sbni.c | 4 +-
 drivers/net/wan/sealevel.c | 8 +-
 drivers/net/wireless/airo.c | 4 +-
 drivers/parport/parport_pc.c | 8 +-
 drivers/pci/hotplug/cpcihp_generic.c | 2 +-
 drivers/pcmcia/cistpl.c | 3 +
 drivers/pcmcia/i82365.c | 8 +-
 drivers/pcmcia/tcic.c | 8 +-
 drivers/scsi/aha152x.c | 4 +-
 drivers/scsi/aha1542.c | 2 +-
 drivers/scsi/g_NCR5380.c | 17 +-
 drivers/scsi/gdth.c | 2 +-
 drivers/scsi/qlogicfas.c | 4 +-
 drivers/staging/media/lirc/lirc_sir.c | 4 +-
 drivers/staging/speakup/speakup_acntpc.c | 2 +-
 drivers/staging/speakup/speakup_dtlk.c | 2 +-
 drivers/staging/speakup/speakup_keypc.c | 2 +-
 drivers/staging/vme/devices/vme_pio2_core.c | 8 +-
 drivers/tty/cyclades.c | 4 +-
 drivers/tty/moxa.c | 2 +-
 drivers/tty/mxser.c | 2 +-
 drivers/tty/rocket.c | 10 +-
 drivers/tty/serial/8250/8250_core.c | 4 +-
 drivers/tty/serial/serial_core.c | 5 +
 drivers/tty/synclink.c | 6 +-
 drivers/video/fbdev/arcfb.c | 8 +-
 drivers/video/fbdev/n411.c | 6 +-
 drivers/watchdog/cpu5wdt.c | 2 +-
 drivers/watchdog/eurotechwdt.c | 4 +-
 drivers/watchdog/pc87413_wdt.c | 2 +-
 drivers/watchdog/sc1200wdt.c | 2 +-
 drivers/watchdog/wdt.c | 4 +-
 fs/debugfs/file.c | 443 +++++++++++++++++---
 fs/debugfs/inode.c | 101 ++++-
 fs/debugfs/internal.h | 26 ++
 fs/pstore/ram.c | 2 +-
 include/linux/debugfs.h | 49 ++-
 include/linux/moduleparam.h | 65 ++-
 kernel/kexec_file.c | 6 +
 kernel/params.c | 25 +-
 lib/Kconfig.debug | 1 +
 sound/drivers/mpu401/mpu401.c | 4 +-
 sound/drivers/mtpav.c | 4 +-
 sound/drivers/serial-u16550.c | 4 +-
 sound/isa/ad1848/ad1848.c | 6 +-
 sound/isa/adlib.c | 2 +-
 sound/isa/cmi8328.c | 12 +-
 sound/isa/cmi8330.c | 20 +-
 sound/isa/cs423x/cs4231.c | 12 +-
 sound/isa/cs423x/cs4236.c | 18 +-
 sound/isa/es1688/es1688.c | 12 +-
 sound/isa/es18xx.c | 12 +-
 sound/isa/galaxy/galaxy.c | 16 +-
 sound/isa/gus/gusclassic.c | 8 +-
 sound/isa/gus/gusextreme.c | 16 +-
 sound/isa/gus/gusmax.c | 8 +-
 sound/isa/gus/interwave.c | 10 +-
 sound/isa/msnd/msnd_pinnacle.c | 20 +-
 sound/isa/opl3sa2.c | 16 +-
 sound/isa/opti9xx/miro.c | 14 +-
 sound/isa/opti9xx/opti92x-ad1848.c | 14 +-
 sound/isa/sb/jazz16.c | 12 +-
 sound/isa/sb/sb16.c | 14 +-
 sound/isa/sb/sb8.c | 6 +-
 sound/isa/sc6000.c | 12 +-
 sound/isa/sscape.c | 12 +-
 sound/isa/wavefront/wavefront.c | 18 +-
 sound/oss/ad1848.c | 8 +-
 sound/oss/aedsp16.c | 12 +-
 sound/oss/mpu401.c | 4 +-
 sound/oss/msnd_pinnacle.c | 20 +-
 sound/oss/opl3.c | 2 +-
 sound/oss/pas2_card.c | 18 +-
 sound/oss/pss.c | 14 +-
 sound/oss/sb_card.c | 10 +-
 sound/oss/trix.c | 18 +-
 sound/oss/uart401.c | 4 +-
 sound/oss/uart6850.c | 4 +-
 sound/oss/waveartist.c | 8 +-
 sound/pci/als4000.c | 2 +-
 sound/pci/cmipci.c | 6 +-
 sound/pci/ens1370.c | 2 +-
 sound/pci/riptide/riptide.c | 6 +-
 sound/pci/sonicvibes.c | 2 +-
 sound/pci/via82xx.c | 2 +-
 sound/pci/ymfpci/ymfpci.c | 6 +-
 144 files changed, 1075 insertions(+), 519 deletions(-)
 create mode 100644 fs/debugfs/internal.h

Acked-by: Stefan Bader
Acked-by: Andrea Righi