[v2,00/57,X] Lockdown updates

Message ID 20200619165010.645925-1-seth.forshee@canonical.com

Message

Seth Forshee June 19, 2020, 4:49 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1884159

v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
mistakenly omitted from v1.

The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:

  UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates

for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:

  UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)

Thanks,
Seth

----------------------------------------------------------------
Chun-Yi Lee (1):
  UBUNTU: SAUCE: (efi-lockdown) kexec_file: Disable at runtime if the
    kernel is locked down

David Howells (42):
  UBUNTU: SAUCE: (efi-lockdown) x86/mmiotrace: Lock down the
    testmmiotrace module
  Annotate module params that specify hardware parameters (eg. ioport)
  Annotate hardware config module parameters in arch/x86/mm/
  Annotate hardware config module parameters in drivers/char/ipmi/
  Annotate hardware config module parameters in drivers/char/mwave/
  Annotate hardware config module parameters in drivers/char/
  Annotate hardware config module parameters in drivers/clocksource/
  Annotate hardware config module parameters in drivers/cpufreq/
  Annotate hardware config module parameters in drivers/gpio/
  Annotate hardware config module parameters in drivers/i2c/
  Annotate hardware config module parameters in drivers/input/
  Annotate hardware config module parameters in drivers/isdn/
  Annotate hardware config module parameters in drivers/media/
  Annotate hardware config module parameters in drivers/misc/
  Annotate hardware config module parameters in drivers/mmc/host/
  Annotate hardware config module parameters in drivers/net/appletalk/
  Annotate hardware config module parameters in drivers/net/arcnet/
  Annotate hardware config module parameters in drivers/net/can/
  Annotate hardware config module parameters in drivers/net/ethernet/
  Annotate hardware config module parameters in drivers/net/hamradio/
  Annotate hardware config module parameters in drivers/net/irda/
  Annotate hardware config module parameters in drivers/net/wan/
  Annotate hardware config module parameters in drivers/net/wireless/
  Annotate hardware config module parameters in drivers/parport/
  Annotate hardware config module parameters in drivers/pci/hotplug/
  Annotate hardware config module parameters in drivers/pcmcia/
  Annotate hardware config module parameters in drivers/scsi/
  Annotate hardware config module parameters in drivers/staging/media/
  Annotate hardware config module parameters in drivers/staging/speakup/
  Annotate hardware config module parameters in drivers/staging/vme/
  Annotate hardware config module parameters in drivers/tty/
  Annotate hardware config module parameters in drivers/video/
  Annotate hardware config module parameters in drivers/watchdog/
  Annotate hardware config module parameters in fs/pstore/
  Annotate hardware config module parameters in sound/drivers/
  Annotate hardware config module parameters in sound/isa/
  Annotate hardware config module parameters in sound/oss/
  Annotate hardware config module parameters in sound/pci/
  UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify
    hardware parameters (eg. ioport)
  UBUNTU: SAUCE: (efi-lockdown) Prohibit PCMCIA CIS storage when the
    kernel is locked down
  UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
  UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files
    when the kernel is locked down

Javier Martinez Canillas (1):
  efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN

Linn Crosetto (1):
  acpi: Disable ACPI table override if the kernel is locked down

Matthew Garrett (1):
  UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem,kmem,port} when the
    kernel is locked down

Nicolai Stange (9):
  debugfs: prevent access to possibly dead file_operations at file open
  debugfs: prevent access to removed files' private data
  debugfs: add support for self-protecting attribute file fops
  debugfs: unproxify integer attribute files
  debugfs: unproxify files created through debugfs_create_bool()
  debugfs: unproxify files created through debugfs_create_blob()
  debugfs: unproxify files created through debugfs_create_u32_array()
  debugfs: full_proxy_open(): free proxy on ->open() failure
  debugfs: open_proxy_open(): avoid double fops release

Seth Forshee (2):
  Revert "Restrict /dev/mem and /dev/kmem when module loading is
    restricted"
  Revert "x86: Lock down IO port access when module security is enabled"

 arch/x86/kernel/ioport.c                    |   5 +-
 arch/x86/mm/testmmiotrace.c                 |   5 +-
 drivers/acpi/osl.c                          |   5 +
 drivers/char/applicom.c                     |   4 +-
 drivers/char/ipmi/ipmi_si_intf.c            |  14 +-
 drivers/char/mem.c                          |  13 +-
 drivers/char/mwave/mwavedd.c                |   8 +-
 drivers/clocksource/cs5535-clockevt.c       |   2 +-
 drivers/cpufreq/speedstep-smi.c             |   2 +-
 drivers/firmware/efi/test/efi_test.c        |   7 +
 drivers/gpio/gpio-104-idio-16.c             |   2 +-
 drivers/i2c/busses/i2c-ali15x3.c            |   2 +-
 drivers/i2c/busses/i2c-elektor.c            |   6 +-
 drivers/i2c/busses/i2c-parport-light.c      |   4 +-
 drivers/i2c/busses/i2c-pca-isa.c            |   4 +-
 drivers/i2c/busses/i2c-piix4.c              |   2 +-
 drivers/i2c/busses/i2c-sis5595.c            |   2 +-
 drivers/i2c/busses/i2c-viapro.c             |   2 +-
 drivers/i2c/busses/scx200_acb.c             |   2 +-
 drivers/input/mouse/inport.c                |   2 +-
 drivers/input/mouse/logibm.c                |   2 +-
 drivers/input/touchscreen/mk712.c           |   4 +-
 drivers/isdn/hardware/avm/b1isa.c           |   4 +-
 drivers/isdn/hardware/avm/t1isa.c           |   4 +-
 drivers/isdn/hisax/config.c                 |  10 +-
 drivers/media/pci/zoran/zoran_card.c        |   2 +-
 drivers/misc/dummy-irq.c                    |   2 +-
 drivers/mmc/host/wbsd.c                     |   8 +-
 drivers/net/appletalk/cops.c                |   6 +-
 drivers/net/appletalk/ltpc.c                |   6 +-
 drivers/net/arcnet/com20020-isa.c           |   4 +-
 drivers/net/arcnet/com90io.c                |   4 +-
 drivers/net/arcnet/com90xx.c                |   4 +-
 drivers/net/can/cc770/cc770_isa.c           |   8 +-
 drivers/net/can/sja1000/sja1000_isa.c       |   8 +-
 drivers/net/ethernet/3com/3c509.c           |   2 +-
 drivers/net/ethernet/3com/3c59x.c           |   4 +-
 drivers/net/ethernet/8390/ne.c              |   4 +-
 drivers/net/ethernet/8390/smc-ultra.c       |   4 +-
 drivers/net/ethernet/8390/wd.c              |   8 +-
 drivers/net/ethernet/amd/lance.c            |   6 +-
 drivers/net/ethernet/amd/ni65.c             |   6 +-
 drivers/net/ethernet/cirrus/cs89x0.c        |   6 +-
 drivers/net/ethernet/dec/tulip/de4x5.c      |   2 +-
 drivers/net/ethernet/hp/hp100.c             |   2 +-
 drivers/net/ethernet/realtek/atp.c          |   4 +-
 drivers/net/ethernet/smsc/smc9194.c         |   4 +-
 drivers/net/hamradio/baycom_epp.c           |   2 +-
 drivers/net/hamradio/baycom_par.c           |   2 +-
 drivers/net/hamradio/baycom_ser_fdx.c       |   4 +-
 drivers/net/hamradio/baycom_ser_hdx.c       |   4 +-
 drivers/net/hamradio/dmascc.c               |   2 +-
 drivers/net/irda/ali-ircc.c                 |   6 +-
 drivers/net/irda/nsc-ircc.c                 |   6 +-
 drivers/net/irda/smsc-ircc2.c               |  10 +-
 drivers/net/irda/w83977af_ir.c              |   4 +-
 drivers/net/wan/cosa.c                      |   6 +-
 drivers/net/wan/hostess_sv11.c              |   6 +-
 drivers/net/wan/sbni.c                      |   4 +-
 drivers/net/wan/sealevel.c                  |   8 +-
 drivers/net/wireless/airo.c                 |   4 +-
 drivers/parport/parport_pc.c                |   8 +-
 drivers/pci/hotplug/cpcihp_generic.c        |   2 +-
 drivers/pcmcia/cistpl.c                     |   3 +
 drivers/pcmcia/i82365.c                     |   8 +-
 drivers/pcmcia/tcic.c                       |   8 +-
 drivers/scsi/aha152x.c                      |   4 +-
 drivers/scsi/aha1542.c                      |   2 +-
 drivers/scsi/g_NCR5380.c                    |  17 +-
 drivers/scsi/gdth.c                         |   2 +-
 drivers/scsi/qlogicfas.c                    |   4 +-
 drivers/staging/media/lirc/lirc_sir.c       |   4 +-
 drivers/staging/speakup/speakup_acntpc.c    |   2 +-
 drivers/staging/speakup/speakup_dtlk.c      |   2 +-
 drivers/staging/speakup/speakup_keypc.c     |   2 +-
 drivers/staging/vme/devices/vme_pio2_core.c |   8 +-
 drivers/tty/cyclades.c                      |   4 +-
 drivers/tty/moxa.c                          |   2 +-
 drivers/tty/mxser.c                         |   2 +-
 drivers/tty/rocket.c                        |  10 +-
 drivers/tty/serial/8250/8250_core.c         |   4 +-
 drivers/tty/serial/serial_core.c            |   5 +
 drivers/tty/synclink.c                      |   6 +-
 drivers/video/fbdev/arcfb.c                 |   8 +-
 drivers/video/fbdev/n411.c                  |   6 +-
 drivers/watchdog/cpu5wdt.c                  |   2 +-
 drivers/watchdog/eurotechwdt.c              |   4 +-
 drivers/watchdog/pc87413_wdt.c              |   2 +-
 drivers/watchdog/sc1200wdt.c                |   2 +-
 drivers/watchdog/wdt.c                      |   4 +-
 fs/debugfs/file.c                           | 443 +++++++++++++++++---
 fs/debugfs/inode.c                          | 101 ++++-
 fs/debugfs/internal.h                       |  26 ++
 fs/pstore/ram.c                             |   2 +-
 include/linux/debugfs.h                     |  49 ++-
 include/linux/moduleparam.h                 |  65 ++-
 kernel/kexec_file.c                         |   6 +
 kernel/params.c                             |  25 +-
 lib/Kconfig.debug                           |   1 +
 sound/drivers/mpu401/mpu401.c               |   4 +-
 sound/drivers/mtpav.c                       |   4 +-
 sound/drivers/serial-u16550.c               |   4 +-
 sound/isa/ad1848/ad1848.c                   |   6 +-
 sound/isa/adlib.c                           |   2 +-
 sound/isa/cmi8328.c                         |  12 +-
 sound/isa/cmi8330.c                         |  20 +-
 sound/isa/cs423x/cs4231.c                   |  12 +-
 sound/isa/cs423x/cs4236.c                   |  18 +-
 sound/isa/es1688/es1688.c                   |  12 +-
 sound/isa/es18xx.c                          |  12 +-
 sound/isa/galaxy/galaxy.c                   |  16 +-
 sound/isa/gus/gusclassic.c                  |   8 +-
 sound/isa/gus/gusextreme.c                  |  16 +-
 sound/isa/gus/gusmax.c                      |   8 +-
 sound/isa/gus/interwave.c                   |  10 +-
 sound/isa/msnd/msnd_pinnacle.c              |  20 +-
 sound/isa/opl3sa2.c                         |  16 +-
 sound/isa/opti9xx/miro.c                    |  14 +-
 sound/isa/opti9xx/opti92x-ad1848.c          |  14 +-
 sound/isa/sb/jazz16.c                       |  12 +-
 sound/isa/sb/sb16.c                         |  14 +-
 sound/isa/sb/sb8.c                          |   6 +-
 sound/isa/sc6000.c                          |  12 +-
 sound/isa/sscape.c                          |  12 +-
 sound/isa/wavefront/wavefront.c             |  18 +-
 sound/oss/ad1848.c                          |   8 +-
 sound/oss/aedsp16.c                         |  12 +-
 sound/oss/mpu401.c                          |   4 +-
 sound/oss/msnd_pinnacle.c                   |  20 +-
 sound/oss/opl3.c                            |   2 +-
 sound/oss/pas2_card.c                       |  18 +-
 sound/oss/pss.c                             |  14 +-
 sound/oss/sb_card.c                         |  10 +-
 sound/oss/trix.c                            |  18 +-
 sound/oss/uart401.c                         |   4 +-
 sound/oss/uart6850.c                        |   4 +-
 sound/oss/waveartist.c                      |   8 +-
 sound/pci/als4000.c                         |   2 +-
 sound/pci/cmipci.c                          |   6 +-
 sound/pci/ens1370.c                         |   2 +-
 sound/pci/riptide/riptide.c                 |   6 +-
 sound/pci/sonicvibes.c                      |   2 +-
 sound/pci/via82xx.c                         |   2 +-
 sound/pci/ymfpci/ymfpci.c                   |   6 +-
 144 files changed, 1075 insertions(+), 519 deletions(-)
 create mode 100644 fs/debugfs/internal.h

Comments

Stefan Bader June 22, 2020, 7:27 a.m. UTC | #1
On 19.06.20 18:49, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
> 
> v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
> mistakenly omitted from v1.
> 
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
> 
>   UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
> 
> for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:
> 
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)
> 
> Thanks,
> Seth
> 
It would have been better to do the debugfs part as an additional submission.
This is somewhat too large to review. Even the debugfs part alone. Only reason
to be somewhat easy on it is that debugfs should not be part of normal use so
hopefully breakage is not that critical...

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Andrea Righi June 22, 2020, 8:54 a.m. UTC | #2
On Fri, Jun 19, 2020 at 11:49:13AM -0500, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
> 
> v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
> mistakenly omitted from v1.
> 
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
> 
>   UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
> 
> for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:
> 
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)
> 
> Thanks,
> Seth

Reviewed, test-built and tested the debugfs access policy. All good in
general.

I was wondering if we should add a "lockdown" kernel boot parameter,
like we have in bionic, that would enable lockdown by calling
enforce_signed_modules(), but I guess it's not needed, because (somehow)
the boot-loader is already able to enforce the kernel lockdown even
without this option.

Apart from this comment and the one about debugfs (see my previous
email), everything else looks good to me, therefore:

Acked-by: Andrea Righi <andrea.righi@canonical.com>
Khalid Elmously June 30, 2020, 4:03 a.m. UTC | #3
On 2020-06-19 11:49:13 , Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
> 
> v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
> mistakenly omitted from v1.
> 
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
> 
>   UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
> 
> for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:
> 
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)
> 
> Thanks,
> Seth
> 
>  drivers/isdn/hisax/config.c                 |  10 +-
>  drivers/media/pci/zoran/zoran_card.c        |   2 +-
>  drivers/misc/dummy-irq.c                    |   2 +-
>  drivers/mmc/host/wbsd.c                     |   8 +-
>  drivers/net/appletalk/cops.c                |   6 +-
>  drivers/net/appletalk/ltpc.c                |   6 +-
>  drivers/net/arcnet/com20020-isa.c           |   4 +-
>  drivers/net/arcnet/com90io.c                |   4 +-
>  drivers/net/arcnet/com90xx.c                |   4 +-
>  drivers/net/can/cc770/cc770_isa.c           |   8 +-
>  drivers/net/can/sja1000/sja1000_isa.c       |   8 +-
>  drivers/net/ethernet/3com/3c509.c           |   2 +-
>  drivers/net/ethernet/3com/3c59x.c           |   4 +-
>  drivers/net/ethernet/8390/ne.c              |   4 +-
>  drivers/net/ethernet/8390/smc-ultra.c       |   4 +-
>  drivers/net/ethernet/8390/wd.c              |   8 +-
>  drivers/net/ethernet/amd/lance.c            |   6 +-
>  drivers/net/ethernet/amd/ni65.c             |   6 +-
>  drivers/net/ethernet/cirrus/cs89x0.c        |   6 +-
>  drivers/net/ethernet/dec/tulip/de4x5.c      |   2 +-
>  drivers/net/ethernet/hp/hp100.c             |   2 +-
>  drivers/net/ethernet/realtek/atp.c          |   4 +-
>  drivers/net/ethernet/smsc/smc9194.c         |   4 +-
>  drivers/net/hamradio/baycom_epp.c           |   2 +-
>  drivers/net/hamradio/baycom_par.c           |   2 +-
>  drivers/net/hamradio/baycom_ser_fdx.c       |   4 +-
>  drivers/net/hamradio/baycom_ser_hdx.c       |   4 +-
>  drivers/net/hamradio/dmascc.c               |   2 +-
>  drivers/net/irda/ali-ircc.c                 |   6 +-
>  drivers/net/irda/nsc-ircc.c                 |   6 +-
>  drivers/net/irda/smsc-ircc2.c               |  10 +-
>  drivers/net/irda/w83977af_ir.c              |   4 +-
>  drivers/net/wan/cosa.c                      |   6 +-
>  drivers/net/wan/hostess_sv11.c              |   6 +-
>  drivers/net/wan/sbni.c                      |   4 +-
>  drivers/net/wan/sealevel.c                  |   8 +-
>  drivers/net/wireless/airo.c                 |   4 +-
>  drivers/parport/parport_pc.c                |   8 +-
>  drivers/pci/hotplug/cpcihp_generic.c        |   2 +-
>  drivers/pcmcia/cistpl.c                     |   3 +
>  drivers/pcmcia/i82365.c                     |   8 +-
>  drivers/pcmcia/tcic.c                       |   8 +-
>  drivers/scsi/aha152x.c                      |   4 +-
>  drivers/scsi/aha1542.c                      |   2 +-
>  drivers/scsi/g_NCR5380.c                    |  17 +-
>  drivers/scsi/gdth.c                         |   2 +-
>  drivers/scsi/qlogicfas.c                    |   4 +-
>  drivers/staging/media/lirc/lirc_sir.c       |   4 +-
>  drivers/staging/speakup/speakup_acntpc.c    |   2 +-
>  drivers/staging/speakup/speakup_dtlk.c      |   2 +-
>  drivers/staging/speakup/speakup_keypc.c     |   2 +-
>  drivers/staging/vme/devices/vme_pio2_core.c |   8 +-
>  drivers/tty/cyclades.c                      |   4 +-
>  drivers/tty/moxa.c                          |   2 +-
>  drivers/tty/mxser.c                         |   2 +-
>  drivers/tty/rocket.c                        |  10 +-
>  drivers/tty/serial/8250/8250_core.c         |   4 +-
>  drivers/tty/serial/serial_core.c            |   5 +
>  drivers/tty/synclink.c                      |   6 +-
>  drivers/video/fbdev/arcfb.c                 |   8 +-
>  drivers/video/fbdev/n411.c                  |   6 +-
>  drivers/watchdog/cpu5wdt.c                  |   2 +-
>  drivers/watchdog/eurotechwdt.c              |   4 +-
>  drivers/watchdog/pc87413_wdt.c              |   2 +-
>  drivers/watchdog/sc1200wdt.c                |   2 +-
>  drivers/watchdog/wdt.c                      |   4 +-
>  fs/debugfs/file.c                           | 443 +++++++++++++++++---
>  fs/debugfs/inode.c                          | 101 ++++-
>  fs/debugfs/internal.h                       |  26 ++
>  fs/pstore/ram.c                             |   2 +-
>  include/linux/debugfs.h                     |  49 ++-
>  include/linux/moduleparam.h                 |  65 ++-
>  kernel/kexec_file.c                         |   6 +
>  kernel/params.c                             |  25 +-
>  lib/Kconfig.debug                           |   1 +
>  sound/drivers/mpu401/mpu401.c               |   4 +-
>  sound/drivers/mtpav.c                       |   4 +-
>  sound/drivers/serial-u16550.c               |   4 +-
>  sound/isa/ad1848/ad1848.c                   |   6 +-
>  sound/isa/adlib.c                           |   2 +-
>  sound/isa/cmi8328.c                         |  12 +-
>  sound/isa/cmi8330.c                         |  20 +-
>  sound/isa/cs423x/cs4231.c                   |  12 +-
>  sound/isa/cs423x/cs4236.c                   |  18 +-
>  sound/isa/es1688/es1688.c                   |  12 +-
>  sound/isa/es18xx.c                          |  12 +-
>  sound/isa/galaxy/galaxy.c                   |  16 +-
>  sound/isa/gus/gusclassic.c                  |   8 +-
>  sound/isa/gus/gusextreme.c                  |  16 +-
>  sound/isa/gus/gusmax.c                      |   8 +-
>  sound/isa/gus/interwave.c                   |  10 +-
>  sound/isa/msnd/msnd_pinnacle.c              |  20 +-
>  sound/isa/opl3sa2.c                         |  16 +-
>  sound/isa/opti9xx/miro.c                    |  14 +-
>  sound/isa/opti9xx/opti92x-ad1848.c          |  14 +-
>  sound/isa/sb/jazz16.c                       |  12 +-
>  sound/isa/sb/sb16.c                         |  14 +-
>  sound/isa/sb/sb8.c                          |   6 +-
>  sound/isa/sc6000.c                          |  12 +-
>  sound/isa/sscape.c                          |  12 +-
>  sound/isa/wavefront/wavefront.c             |  18 +-
>  sound/oss/ad1848.c                          |   8 +-
>  sound/oss/aedsp16.c                         |  12 +-
>  sound/oss/mpu401.c                          |   4 +-
>  sound/oss/msnd_pinnacle.c                   |  20 +-
>  sound/oss/opl3.c                            |   2 +-
>  sound/oss/pas2_card.c                       |  18 +-
>  sound/oss/pss.c                             |  14 +-
>  sound/oss/sb_card.c                         |  10 +-
>  sound/oss/trix.c                            |  18 +-
>  sound/oss/uart401.c                         |   4 +-
>  sound/oss/uart6850.c                        |   4 +-
>  sound/oss/waveartist.c                      |   8 +-
>  sound/pci/als4000.c                         |   2 +-
>  sound/pci/cmipci.c                          |   6 +-
>  sound/pci/ens1370.c                         |   2 +-
>  sound/pci/riptide/riptide.c                 |   6 +-
>  sound/pci/sonicvibes.c                      |   2 +-
>  sound/pci/via82xx.c                         |   2 +-
>  sound/pci/ymfpci/ymfpci.c                   |   6 +-
>  144 files changed, 1075 insertions(+), 519 deletions(-)
>  create mode 100644 fs/debugfs/internal.h
> 
> -- 
> 2.27.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team