Message ID | 20200220151738.1492852-1-jcline@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | lockdown: Allow unprivileged users to see lockdown status | expand |
On Thu, 20 Feb 2020, Jeremy Cline wrote: > A number of userspace tools, such as systemtap, need a way to see the > current lockdown state so they can gracefully deal with the kernel being > locked down. The state is already exposed in > /sys/kernel/security/lockdown, but is only readable by root. Adjust the > permissions so unprivileged users can read the state. > > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM") > Cc: Frank Ch. Eigler <fche@redhat.com> > Signed-off-by: Jeremy Cline <jcline@redhat.com> Looks fine to me, any objection from Matthew or others? > --- > security/lockdown/lockdown.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > index 5a952617a0eb..87cbdc64d272 100644 > --- a/security/lockdown/lockdown.c > +++ b/security/lockdown/lockdown.c > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void) > { > struct dentry *dentry; > > - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, > + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL, > &lockdown_ops); > return PTR_ERR_OR_ZERO(dentry); > } >
On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote: > On Thu, 20 Feb 2020, Jeremy Cline wrote: > > > A number of userspace tools, such as systemtap, need a way to see the > > current lockdown state so they can gracefully deal with the kernel being > > locked down. The state is already exposed in > > /sys/kernel/security/lockdown, but is only readable by root. Adjust the > > permissions so unprivileged users can read the state. > > > > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM") > > Cc: Frank Ch. Eigler <fche@redhat.com> > > Signed-off-by: Jeremy Cline <jcline@redhat.com> > > Looks fine to me, any objection from Matthew or others? > Can we take resounding silence as no objections? - Jeremy > > --- > > security/lockdown/lockdown.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > > index 5a952617a0eb..87cbdc64d272 100644 > > --- a/security/lockdown/lockdown.c > > +++ b/security/lockdown/lockdown.c > > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void) > > { > > struct dentry *dentry; > > > > - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, > > + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL, > > &lockdown_ops); > > return PTR_ERR_OR_ZERO(dentry); > > } > > > > -- > James Morris > <jmorris@namei.org> >
On Mon, 11 May 2020, Jeremy Cline wrote: > On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote: > > On Thu, 20 Feb 2020, Jeremy Cline wrote: > > > > > A number of userspace tools, such as systemtap, need a way to see the > > > current lockdown state so they can gracefully deal with the kernel being > > > locked down. The state is already exposed in > > > /sys/kernel/security/lockdown, but is only readable by root. Adjust the > > > permissions so unprivileged users can read the state. > > > > > > Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM") > > > Cc: Frank Ch. Eigler <fche@redhat.com> > > > Signed-off-by: Jeremy Cline <jcline@redhat.com> > > > > Looks fine to me, any objection from Matthew or others? > > > > Can we take resounding silence as no objections? Please resend and I'll apply it to my tree. > > - Jeremy > > > > --- > > > security/lockdown/lockdown.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > > > index 5a952617a0eb..87cbdc64d272 100644 > > > --- a/security/lockdown/lockdown.c > > > +++ b/security/lockdown/lockdown.c > > > @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void) > > > { > > > struct dentry *dentry; > > > > > > - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, > > > + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL, > > > &lockdown_ops); > > > return PTR_ERR_OR_ZERO(dentry); > > > } > > > > > > > -- > > James Morris > > <jmorris@namei.org> > > >
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 5a952617a0eb..87cbdc64d272 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void) { struct dentry *dentry; - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL, &lockdown_ops); return PTR_ERR_OR_ZERO(dentry); }
A number of userspace tools, such as systemtap, need a way to see the current lockdown state so they can gracefully deal with the kernel being locked down. The state is already exposed in /sys/kernel/security/lockdown, but is only readable by root. Adjust the permissions so unprivileged users can read the state. Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM") Cc: Frank Ch. Eigler <fche@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com> --- security/lockdown/lockdown.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)