| Message ID | 20190109205235.19437-2-kamal@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | fix EPERM bug in efi-lockdown | expand |
On 2019-01-09 12:52:35, Kamal Mostafa wrote: > From: Vasily Gorbik <gor@linux.ibm.com> > > BugLink: https://bugs.launchpad.net/bugs/1807686 > > With "debugfs: Restrict debugfs when the kernel is locked down" > return code "r" is unconditionally set to -EPERM, which stays like that > until function return if no "open" file operation defined, effectivelly > resulting in "Operation not permitted" for all such files despite kernel > lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled. > > In particular this breaks 2 debugfs files on s390: > /sys/kernel/debug/s390_hypfs/diag_304 > /sys/kernel/debug/s390_hypfs/diag_204 > > To address that set EPERM return code only when debugfs_is_locked_down > returns true. > > Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down") > Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> > Reference: https://lore.kernel.org/patchwork/patch/1015495/ > Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down") > Signed-off-by: Kamal Mostafa <kamal@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Tyler > --- > fs/debugfs/file.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c > index c33042c1eff3..3a5033ff9ec7 100644 > --- a/fs/debugfs/file.c > +++ b/fs/debugfs/file.c > @@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) > > real_fops = debugfs_real_fops(filp); > > - r = -EPERM; > - if (debugfs_is_locked_down(inode, filp, real_fops)) > + if (debugfs_is_locked_down(inode, filp, real_fops)) { > + r = -EPERM; > goto out; > + } > > real_fops = fops_get(real_fops); > if (!real_fops) { > @@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) > return r == -EIO ? -ENOENT : r; > > real_fops = debugfs_real_fops(filp); > - r = -EPERM; > - if (debugfs_is_locked_down(inode, filp, real_fops)) > + if (debugfs_is_locked_down(inode, filp, real_fops)) { > + r = -EPERM; > goto out; > + } > > real_fops = fops_get(real_fops); > if (!real_fops) { > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On Wed, Jan 09, 2019 at 12:52:35PM -0800, Kamal Mostafa wrote: > From: Vasily Gorbik <gor@linux.ibm.com> > > BugLink: https://bugs.launchpad.net/bugs/1807686 > > With "debugfs: Restrict debugfs when the kernel is locked down" > return code "r" is unconditionally set to -EPERM, which stays like that > until function return if no "open" file operation defined, effectivelly > resulting in "Operation not permitted" for all such files despite kernel > lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled. > > In particular this breaks 2 debugfs files on s390: > /sys/kernel/debug/s390_hypfs/diag_304 > /sys/kernel/debug/s390_hypfs/diag_204 > > To address that set EPERM return code only when debugfs_is_locked_down > returns true. > > Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down") > Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> > Reference: https://lore.kernel.org/patchwork/patch/1015495/ > Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down") > Signed-off-by: Kamal Mostafa <kamal@canonical.com> Looks correct. Acked-by: Seth Forshee <seth.forshee@canonical.com> Applied to disco/master-next and unstable/master. I'll also point the guys maintaining the lockdown patches at this to try and get it incorporated there. Thanks!
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index c33042c1eff3..3a5033ff9ec7 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) real_fops = debugfs_real_fops(filp); - r = -EPERM; - if (debugfs_is_locked_down(inode, filp, real_fops)) + if (debugfs_is_locked_down(inode, filp, real_fops)) { + r = -EPERM; goto out; + } real_fops = fops_get(real_fops); if (!real_fops) { @@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) return r == -EIO ? -ENOENT : r; real_fops = debugfs_real_fops(filp); - r = -EPERM; - if (debugfs_is_locked_down(inode, filp, real_fops)) + if (debugfs_is_locked_down(inode, filp, real_fops)) { + r = -EPERM; goto out; + } real_fops = fops_get(real_fops); if (!real_fops) {