[2/6] cxl/pci: Fix lockdown level

Message ID 163072204525.2250120.16615792476976546735.stgit@dwillia2-desk3.amr.corp.intel.com
State Accepted
Commit 9e56614c44b994b78fc9fcb2070bcbe3f5df0d7b
Series cxl fixes for v5.15-rc1

Commit Message

Dan Williams Sept. 4, 2021, 2:20 a.m. UTC
A proposed rework of security_locked_down() users identified that the
cxl_pci driver was passing the wrong lockdown_reason. Update
cxl_mem_raw_command_allowed() to fail raw command access when raw pci
access is also disabled.

Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
Cc: Ben Widawsky <ben.widawsky@intel.com>
Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: <stable@vger.kernel.org>
Cc: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/cxl/pci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul Moore Sept. 4, 2021, 3:57 a.m. UTC | #1
On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
>
> A proposed rework of security_locked_down() users identified that the
> cxl_pci driver was passing the wrong lockdown_reason. Update
> cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> access is also disabled.
>
> Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> Cc: Ben Widawsky <ben.widawsky@intel.com>
> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Cc: <stable@vger.kernel.org>
> Cc: Ondrej Mosnacek <omosnace@redhat.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/cxl/pci.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Hi Dan,

Thanks for fixing this up.  Would you mind if this was included in
Ondrej's patchset, or would you prefer to merge it via another tree
(e.g. cxl)?

> diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
> index 651e8d4ec974..37903259ee79 100644
> --- a/drivers/cxl/pci.c
> +++ b/drivers/cxl/pci.c
> @@ -575,7 +575,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
>         if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
>                 return false;
>
> -       if (security_locked_down(LOCKDOWN_NONE))
> +       if (security_locked_down(LOCKDOWN_PCI_ACCESS))
>                 return false;
>
>         if (cxl_raw_allow_all)
>
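
Review bot: the changelog behind the security_locked_down() line does not say what passing LOCKDOWN_NONE did in practice, that is, whether raw commands were wrongly permitted on a locked-down kernel or wrongly refused on one that was not locked down. With the patch Cc'd to stable, one sentence stating the observable behaviour before and after the change would let backporters judge the impact from the commit message alone.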

Dan Williams Sept. 7, 2021, 5:38 p.m. UTC | #2
On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> >
> > A proposed rework of security_locked_down() users identified that the
> > cxl_pci driver was passing the wrong lockdown_reason. Update
> > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > access is also disabled.
> >
> > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > Cc: <stable@vger.kernel.org>
> > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> >  drivers/cxl/pci.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Hi Dan,
>
> Thanks for fixing this up.  Would you mind if this was included in
> Ondrej's patchset, or would you prefer to merge it via another tree
> (e.g. cxl)?

I was planning to merge this via the cxl tree for v5.15-rc1.

Paul Moore Sept. 7, 2021, 7:46 p.m. UTC | #3
On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote:
> On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
> >
> > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > >
> > > A proposed rework of security_locked_down() users identified that the
> > > cxl_pci driver was passing the wrong lockdown_reason. Update
> > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > > access is also disabled.
> > >
> > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > > Cc: <stable@vger.kernel.org>
> > > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > > Cc: Paul Moore <paul@paul-moore.com>
> > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > ---
> > >  drivers/cxl/pci.c |    2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Hi Dan,
> >
> > Thanks for fixing this up.  Would you mind if this was included in
> > Ondrej's patchset, or would you prefer to merge it via another tree
> > (e.g. cxl)?
>
> I was planning to merge this via the cxl tree for v5.15-rc1.

Okay, thanks.

Ondrej Mosnacek Sept. 10, 2021, 12:55 p.m. UTC | #4
On Tue, Sep 7, 2021 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
> > >
> > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > > >
> > > > A proposed rework of security_locked_down() users identified that the
> > > > cxl_pci driver was passing the wrong lockdown_reason. Update
> > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > > > access is also disabled.
> > > >
> > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > > > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > > > Cc: <stable@vger.kernel.org>
> > > > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > > ---
> > > >  drivers/cxl/pci.c |    2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > Hi Dan,
> > >
> > > Thanks for fixing this up.  Would you mind if this was included in
> > > Ondrej's patchset, or would you prefer to merge it via another tree
> > > (e.g. cxl)?
> >
> > I was planning to merge this via the cxl tree for v5.15-rc1.
>
> Okay, thanks.

And I can see the patch is now in Linus' tree, so if Paul agrees I'll
rebase the patch on top of v5.15-rc1 once it's tagged and do one more
respin. There are a few other minor conflicts and one new
security_locked_down() call to cover, anyway.

Dan, is it okay if I preserve your Acked-by from the last version?
There will be no other change in the cxl area than rebasing on top of
this patch.

Thank you for taking care of the fix!

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Dan Williams Sept. 10, 2021, 2:56 p.m. UTC | #5
On Fri, Sep 10, 2021 at 5:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Sep 7, 2021 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
> > > >
> > > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > > > >
> > > > > A proposed rework of security_locked_down() users identified that the
> > > > > cxl_pci driver was passing the wrong lockdown_reason. Update
> > > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > > > > access is also disabled.
> > > > >
> > > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > > > > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > > > > Cc: <stable@vger.kernel.org>
> > > > > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > > > ---
> > > > >  drivers/cxl/pci.c |    2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > Hi Dan,
> > > >
> > > > Thanks for fixing this up.  Would you mind if this was included in
> > > > Ondrej's patchset, or would you prefer to merge it via another tree
> > > > (e.g. cxl)?
> > >
> > > I was planning to merge this via the cxl tree for v5.15-rc1.
> >
> > Okay, thanks.
>
> And I can see the patch is now in Linus' tree, so if Paul agrees I'll
> rebase the patch on top of v5.15-rc1 once it's tagged and do one more
> respin. There are a few other minor conflicts and one new
> security_locked_down() call to cover, anyway.
>
> Dan, is it okay if I preserve your Acked-by from the last version?

Sure.

> There will be no other change in the cxl area than rebasing on top of
> this patch.
>
> Thank you for taking care of the fix!

Thanks for the patience as I circled back.

Paul Moore Sept. 10, 2021, 5:46 p.m. UTC | #6
On Fri, Sep 10, 2021 at 8:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> And I can see the patch is now in Linus' tree, so if Paul agrees I'll
> rebase the patch on top of v5.15-rc1 once it's tagged ...

Please do, thanks.

Patch

diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
index 651e8d4ec974..37903259ee79 100644
--- a/drivers/cxl/pci.c
+++ b/drivers/cxl/pci.c
@@ -575,7 +575,7 @@  static bool cxl_mem_raw_command_allowed(u16 opcode)
 	if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
 		return false;
 
-	if (security_locked_down(LOCKDOWN_NONE))
+	if (security_locked_down(LOCKDOWN_PCI_ACCESS))
 		return false;
 
 	if (cxl_raw_allow_all)
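
Review bot: the security_locked_down(LOCKDOWN_PCI_ACCESS) check in cxl_mem_raw_command_allowed() carries no comment explaining why a raw CXL command is gated on the PCI access reason, and nothing marks that it has to stay ahead of the cxl_raw_allow_all test that follows it. A short comment above the call, along the lines of "raw commands count as raw PCI access under lockdown; keep this before the cxl_raw_allow_all override", would keep a later reorder from letting the override bypass lockdown.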