diff options
author | Christopher M. Riedl <cmr@informatik.wtf> | 2019-09-07 01:11:24 -0500 |
---|---|---|
committer | Michael Ellerman <mpe@ellerman.id.au> | 2019-10-28 21:54:15 +1100 |
commit | 69393cb03ccdf29f3b452d3482ef918469d1c098 (patch) | |
tree | 875a3709277c308df80ba2e923fd71db5c543a4b /include/linux/security.h | |
parent | 96664dee5cf1815777286227b09884b4f019727f (diff) | |
download | lwn-69393cb03ccdf29f3b452d3482ef918469d1c098.tar.gz lwn-69393cb03ccdf29f3b452d3482ef918469d1c098.zip |
powerpc/xmon: Restrict when kernel is locked down
Xmon should be either fully or partially disabled depending on the
kernel lockdown state.
Put xmon into read-only mode for lockdown=integrity and prevent user
entry into xmon when lockdown=confidentiality. Xmon checks the lockdown
state on every attempted entry:
(1) during early xmon'ing
(2) when triggered via sysrq
(3) when toggled via debugfs
(4) when triggered via a previously enabled breakpoint
The following lockdown state transitions are handled:
(1) lockdown=none -> lockdown=integrity
set xmon read-only mode
(2) lockdown=none -> lockdown=confidentiality
clear all breakpoints, set xmon read-only mode,
prevent user re-entry into xmon
(3) lockdown=integrity -> lockdown=confidentiality
clear all breakpoints, set xmon read-only mode,
prevent user re-entry into xmon
Suggested-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190907061124.1947-3-cmr@informatik.wtf
Diffstat (limited to 'include/linux/security.h')
-rw-r--r-- | include/linux/security.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index a8d59d612d27..79567eacb834 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -116,12 +116,14 @@ enum lockdown_reason { LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_DEBUGFS, + LOCKDOWN_XMON_WR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF, LOCKDOWN_TRACEFS, + LOCKDOWN_XMON_RW, LOCKDOWN_CONFIDENTIALITY_MAX, }; |