From: Nikolay Borisov
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, serge@hallyn.com, jmorris@namei.org, dan.j.williams@intel.com, Nikolay Borisov
Subject: [PATCH v2 1/3] lockdown: Switch implementation to using bitmap
Date: Mon, 28 Jul 2025 14:15:15 +0300
Message-Id: <20250728111517.134116-2-nik.borisov@suse.com>
In-Reply-To: <20250728111517.134116-1-nik.borisov@suse.com>
References: <20250728111517.134116-1-nik.borisov@suse.com>

Tracking the lockdown at the depth granularity rather than at the individual is somewhat inflexible as it provides an "all or nothing" approach. Instead there are use cases where it will be useful to be able to lockdown individual features - TDX for example wants to disable access to just /dev/mem.

To accommodate this use case switch the internal implementation to using a bitmap so that individual lockdown features can be turned on. At the same time retain the existing semantic where INTEGRITY_MAX/CONFIDENTIALITY_MAX are treated as wildcards meaning "lock everything below me".

Signed-off-by: Nikolay Borisov Reviewed-by: Serge Hallyn --- security/lockdown/lockdown.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index cf83afa1d879..5014d18c423f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -10,12 +10,13 @@ * 2 of the Licence, or (at your option) any later version. */ =20 +#include #include #include #include #include =20 -static enum lockdown_reason kernel_locked_down; +static DECLARE_BITMAP(kernel_locked_down, LOCKDOWN_CONFIDENTIALITY_MAX); =20 static const enum lockdown_reason lockdown_levels[] =3D {LOCKDOWN_NONE, LOCKDOWN_INTEGRITY_MAX, @@ -26,10 +27,15 @@ static const enum lockdown_reason lockdown_levels[] =3D= {LOCKDOWN_NONE, */ static int lock_kernel_down(const char *where, enum lockdown_reason level) { - if (kernel_locked_down >=3D level) - return -EPERM; =20 - kernel_locked_down =3D level; + if (level > LOCKDOWN_CONFIDENTIALITY_MAX) + return -EINVAL; + + if (level =3D=3D LOCKDOWN_INTEGRITY_MAX || level =3D=3D LOCKDOWN_CONFIDEN= TIALITY_MAX) + bitmap_set(kernel_locked_down, 1, level); + else + bitmap_set(kernel_locked_down, level, 1); + pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", where); return 0; @@ -62,13 +68,12 @@ static int lockdown_is_locked_down(enum lockdown_reason= what) "Invalid lockdown reason")) return -EPERM; =20 - if (kernel_locked_down >=3D what) { + if (test_bit(what, kernel_locked_down)) { if (lockdown_reasons[what]) pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_l= ockdown.7\n", current->comm, lockdown_reasons[what]); return -EPERM; } - return 0; } =20 
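Review bot: In the lock_kernel_down() hunk the bitmap is one bit too small for the wildcard case: kernel_locked_down is declared with LOCKDOWN_CONFIDENTIALITY_MAX bits (valid indices 0 to LOCKDOWN_CONFIDENTIALITY_MAX - 1), but level == LOCKDOWN_CONFIDENTIALITY_MAX passes the `level > LOCKDOWN_CONFIDENTIALITY_MAX` check and bitmap_set(kernel_locked_down, 1, level) then sets bits 1 through level inclusive. Declare the bitmap with LOCKDOWN_CONFIDENTIALITY_MAX + 1 bits so the top index is inside the declared size rather than relying on rounding up to a whole long. Separately, removing `if (kernel_locked_down >= level) return -EPERM;` means a repeated request now returns 0 and prints the "Kernel is locked down" notice again; if that change in return value is intended, the commit message should say so. The blank line left directly after the opening brace of the function can go.
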
@@ -105,7 +110,7 @@ static ssize_t lockdown_read(struct file *filp, char __= user *buf, size_t count, if (lockdown_reasons[level]) { const char *label =3D lockdown_reasons[level]; =20 - if (kernel_locked_down =3D=3D level) + if (test_bit(level, kernel_locked_down)) offset +=3D sprintf(temp+offset, "[%s] ", label); else offset +=3D sprintf(temp+offset, "%s ", label); --=20 2.34.1
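Review bot: In the lockdown_read() hunk, switching from `kernel_locked_down == level` to test_bit(level, kernel_locked_down) changes the text userspace reads back, and the commit message does not mention it. After a LOCKDOWN_CONFIDENTIALITY_MAX request the wildcard bitmap_set() has also set the LOCKDOWN_INTEGRITY_MAX bit, so both labels are now printed in brackets where the old comparison bracketed exactly one; and while nothing is locked down no bit is set, so no entry is bracketed at all. A feature locked individually is only reflected if its index is one this loop visits. Decide what the file should report (for example, bracket only the highest wildcard level that is fully set) and document it, since existing tooling looks for the single bracketed entry.
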
From: Nikolay Borisov
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, serge@hallyn.com, jmorris@namei.org, dan.j.williams@intel.com, Nikolay Borisov
Subject: [PATCH v2 2/3] lockdown/kunit: Introduce kunit tests
Date: Mon, 28 Jul 2025 14:15:16 +0300
Message-Id: <20250728111517.134116-3-nik.borisov@suse.com>
In-Reply-To: <20250728111517.134116-1-nik.borisov@suse.com>
References: <20250728111517.134116-1-nik.borisov@suse.com>

Add a bunch of tests to ensure lockdown's conversion to bitmap hasn't regressed it.

Signed-off-by: Nikolay Borisov Reviewed-by: Serge Hallyn --- security/lockdown/Kconfig | 5 +++ security/lockdown/Makefile | 1 + security/lockdown/lockdown.c | 5 ++- security/lockdown/lockdown_test.c | 54 +++++++++++++++++++++++++++++++ 4 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 security/lockdown/lockdown_test.c diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index e84ddf484010..5fb750da1f8c 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig @@ -6,6 +6,11 @@ config SECURITY_LOCKDOWN_LSM Build support for an LSM that enforces a coarse kernel lockdown behaviour. =20 +config SECURITY_LOCKDOWN_LSM_TEST + tristate "Test lockdown functionality" if !KUNIT_ALL_TESTS + depends on SECURITY_LOCKDOWN_LSM && KUNIT + default KUNIT_ALL_TESTS + config SECURITY_LOCKDOWN_LSM_EARLY bool "Enable lockdown LSM early in init" depends on SECURITY_LOCKDOWN_LSM diff --git a/security/lockdown/Makefile b/security/lockdown/Makefile index e3634b9017e7..f35d90e39f1c 100644 --- a/security/lockdown/Makefile +++ b/security/lockdown/Makefile @@ -1 +1,2 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) +=3D lockdown.o +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM_TEST) +=3D lockdown_test.o diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 5014d18c423f..412184121279 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -25,7 +25,10 @@ static const enum lockdown_reason lockdown_levels[] =3D = {LOCKDOWN_NONE, /* * Put the kernel into lock-down mode. */ -static int lock_kernel_down(const char *where, enum lockdown_reason level) +#if !IS_ENABLED(CONFIG_KUNIT) +static +#endif +int lock_kernel_down(const char *where, enum lockdown_reason level) { =20 if (level > LOCKDOWN_CONFIDENTIALITY_MAX) diff --git a/security/lockdown/lockdown_test.c b/security/lockdown/lockdown= _test.c new file mode 100644 index 000000000000..3a3c6db5b470 --- /dev/null +++ b/security/lockdown/lockdown_test.c 
@@ -0,0 +1,54 @@ +#include +#include + +int lock_kernel_down(const char *where, enum lockdown_reason level); + +static void lockdown_test_invalid_level(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, -EINVAL, lock_kernel_down("TEST", LOCKDOWN_CONFIDEN= TIALITY_MAX+1)); +} + +static void lockdown_test_depth_locking(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, 0, lock_kernel_down("TEST", LOCKDOWN_INTEGRITY_MAX)= ); + for (int i =3D 1; i < LOCKDOWN_INTEGRITY_MAX; i++) + KUNIT_EXPECT_EQ_MSG(test, -EPERM, security_locked_down(i), "at i=3D%d", = i); + + KUNIT_EXPECT_EQ(test, -EPERM, security_locked_down(LOCKDOWN_INTEGRITY_MAX= )); +} + +static void lockdown_test_individual_level(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, 0, lock_kernel_down("TEST", LOCKDOWN_PERF)); + KUNIT_EXPECT_EQ(test, -EPERM, security_locked_down(LOCKDOWN_PERF)); + /* Ensure adjacent levels are untouched */ + KUNIT_EXPECT_EQ(test, 0, security_locked_down(LOCKDOWN_TRACEFS)); + KUNIT_EXPECT_EQ(test, 0, security_locked_down(LOCKDOWN_DBG_READ_KERNEL)); +} + +static void lockdown_test_no_downgrade(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, 0, lock_kernel_down("TEST", LOCKDOWN_CONFIDENTIALIT= Y_MAX)); + KUNIT_EXPECT_EQ(test, 0, lock_kernel_down("TEST", LOCKDOWN_INTEGRITY_MAX)= ); + /* + * Ensure having locked down to a lower leve after a higher level + * lockdown nothing is lost + */ + KUNIT_EXPECT_EQ(test, -EPERM, security_locked_down(LOCKDOWN_TRACEFS)); +} + +static struct kunit_case lockdown_tests[] =3D { + KUNIT_CASE(lockdown_test_invalid_level), + KUNIT_CASE(lockdown_test_depth_locking), + KUNIT_CASE(lockdown_test_individual_level), + KUNIT_CASE(lockdown_test_no_downgrade), + {} +}; + +static struct kunit_suite lockdown_test_suite =3D { + .name =3D "lockdown test", + .test_cases =3D lockdown_tests, +}; +kunit_test_suite(lockdown_test_suite); + +MODULE_LICENSE("GPL"); --=20 2.34.1
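Review bot: In the lockdown.c hunk, the `#if !IS_ENABLED(CONFIG_KUNIT)` guard around `static` makes lock_kernel_down() a global symbol in every kernel built with KUNIT, whether or not SECURITY_LOCKDOWN_LSM_TEST is selected, and the new Kconfig entry is tristate while nothing in the patch exports the symbol, so a modular lockdown_test.o has nothing to link against. Use VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT from <kunit/visibility.h> (or make the option bool), and move the prototype that lockdown_test.c declares by hand into a header both files include so the two declarations cannot drift apart. The new Kconfig entry also has no help text.
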
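Review bot: In lockdown_test.c the cases change the kernel's real lockdown state and nothing resets it: lockdown_test_no_downgrade leaves the running kernel locked at LOCKDOWN_CONFIDENTIALITY_MAX, and with `default KUNIT_ALL_TESTS` that happens on any boot that has the suite built in. The cases also depend on their order, since lockdown_test_individual_level expects security_locked_down(LOCKDOWN_TRACEFS) to return 0, which holds only while no earlier case or earlier run of the suite has set that bit. Give the suite a test-only way to save and clear kernel_locked_down around each case (a KUnit init/exit hook), or state in the Kconfig help that running the suite locks the machine down. The new file also starts without an SPDX-License-Identifier line, has no MODULE_DESCRIPTION, and the comment in lockdown_test_no_downgrade has "leve" for "level".
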
From: Nikolay Borisov
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, serge@hallyn.com, jmorris@namei.org, dan.j.williams@intel.com, Nikolay Borisov
Subject: [PATCH v2 3/3] lockdown: Use snprintf in lockdown_read
Date: Mon, 28 Jul 2025 14:15:17 +0300
Message-Id: <20250728111517.134116-4-nik.borisov@suse.com>
In-Reply-To: <20250728111517.134116-1-nik.borisov@suse.com>
References: <20250728111517.134116-1-nik.borisov@suse.com>

Since individual features are now locked down separately ensure that if the printing code is changed to list them a buffer overrun won't be introduced. As per Serge's recommendation switch from using sprintf to using snprintf and return EINVAL in case longer than 80 char string has to be printed.

Signed-off-by: Nikolay Borisov
--- security/lockdown/lockdown.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 412184121279..ed1dde41d7d3 100644 --- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c @@ -112,11 +112,19 @@ static ssize_t lockdown_read(struct file *filp, char = __user *buf, size_t count, if (lockdown_reasons[level]) { const char *label =3D lockdown_reasons[level]; + int ret =3D 0; + int write_len =3D 80-offset; + if (test_bit(level, kernel_locked_down)) - offset +=3D sprintf(temp+offset, "[%s] ", label); + ret =3D snprintf(temp+offset, write_len, "[%s] ", label); else - offset +=3D sprintf(temp+offset, "%s ", label); + ret =3D snprintf(temp+offset, write_len, "%s ", label); + + if (ret < 0 || ret >=3D write_len) + return -ENOMEM; + + offset +=3D ret; } } -- 2.34.1
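
Review bot: The new error path `if (ret < 0 || ret >= write_len) return -ENOMEM;` returns -ENOMEM while the commit message says EINVAL; make the two agree (no allocation fails here, so -ENOMEM is a surprising code for an over-long string). `int write_len = 80-offset;` repeats the buffer size as a literal; derive it from the declaration of temp, which this hunk does not show (sizeof(temp) - offset if temp is an array), so the bound cannot drift from the buffer. The kernel's snprintf() does not return a negative value, so the `ret < 0` test is dead code, and `int ret = 0;` needs no initialiser because both branches assign it.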