diff mbox series

lockdown: Allow unprivileged users to see lockdown status

Message ID 20200220151738.1492852-1-jcline@redhat.com (mailing list archive)
State New, archived
Headers show
Series lockdown: Allow unprivileged users to see lockdown status | expand

Commit Message

Jeremy Cline Feb. 20, 2020, 3:17 p.m. UTC 
A number of userspace tools, such as systemtap, need a way to see the
current lockdown state so they can gracefully deal with the kernel being
locked down. The state is already exposed in
/sys/kernel/security/lockdown, but is only readable by root. Adjust the
permissions so unprivileged users can read the state.

Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
Cc: Frank Ch. Eigler <fche@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
 security/lockdown/lockdown.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Morris Feb. 21, 2020, 4:51 p.m. UTC | #1 
On Thu, 20 Feb 2020, Jeremy Cline wrote:

> A number of userspace tools, such as systemtap, need a way to see the
> current lockdown state so they can gracefully deal with the kernel being
> locked down. The state is already exposed in
> /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> permissions so unprivileged users can read the state.
> 
> Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> Cc: Frank Ch. Eigler <fche@redhat.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>

Looks fine to me, any objection from Matthew or others?

> ---
>  security/lockdown/lockdown.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 5a952617a0eb..87cbdc64d272 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
>  {
>  	struct dentry *dentry;
>  
> -	dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
> +	dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
>  					&lockdown_ops);
>  	return PTR_ERR_OR_ZERO(dentry);
>  }
>
Jeremy Cline May 11, 2020, 1:42 p.m. UTC | #2 
On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote:
> On Thu, 20 Feb 2020, Jeremy Cline wrote:
> 
> > A number of userspace tools, such as systemtap, need a way to see the
> > current lockdown state so they can gracefully deal with the kernel being
> > locked down. The state is already exposed in
> > /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> > permissions so unprivileged users can read the state.
> > 
> > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> > Cc: Frank Ch. Eigler <fche@redhat.com>
> > Signed-off-by: Jeremy Cline <jcline@redhat.com>
> 
> Looks fine to me, any objection from Matthew or others?
> 

Can we take resounding silence as no objections?

- Jeremy

> > ---
> >  security/lockdown/lockdown.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> > index 5a952617a0eb..87cbdc64d272 100644
> > --- a/security/lockdown/lockdown.c
> > +++ b/security/lockdown/lockdown.c
> > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
> >  {
> >  	struct dentry *dentry;
> >  
> > -	dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
> > +	dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
> >  					&lockdown_ops);
> >  	return PTR_ERR_OR_ZERO(dentry);
> >  }
> > 
> 
> -- 
> James Morris
> <jmorris@namei.org>
>
James Morris May 14, 2020, 2:43 a.m. UTC | #3 
On Mon, 11 May 2020, Jeremy Cline wrote:

> On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote:
> > On Thu, 20 Feb 2020, Jeremy Cline wrote:
> > 
> > > A number of userspace tools, such as systemtap, need a way to see the
> > > current lockdown state so they can gracefully deal with the kernel being
> > > locked down. The state is already exposed in
> > > /sys/kernel/security/lockdown, but is only readable by root. Adjust the
> > > permissions so unprivileged users can read the state.
> > > 
> > > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> > > Cc: Frank Ch. Eigler <fche@redhat.com>
> > > Signed-off-by: Jeremy Cline <jcline@redhat.com>
> > 
> > Looks fine to me, any objection from Matthew or others?
> > 
> 
> Can we take resounding silence as no objections?

Please resend and I'll apply it to my tree.

> 
> - Jeremy
> 
> > > ---
> > >  security/lockdown/lockdown.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> > > index 5a952617a0eb..87cbdc64d272 100644
> > > --- a/security/lockdown/lockdown.c
> > > +++ b/security/lockdown/lockdown.c
> > > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
> > >  {
> > >  	struct dentry *dentry;
> > >  
> > > -	dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
> > > +	dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
> > >  					&lockdown_ops);
> > >  	return PTR_ERR_OR_ZERO(dentry);
> > >  }
> > > 
> > 
> > -- 
> > James Morris
> > <jmorris@namei.org>
> > 
>
diff mbox series

Patch

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 5a952617a0eb..87cbdc64d272 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -150,7 +150,7 @@  static int __init lockdown_secfs_init(void)
 {
 	struct dentry *dentry;
 
-	dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
+	dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
 					&lockdown_ops);
 	return PTR_ERR_OR_ZERO(dentry);
 }