Re: [PATCH V34 29/29] lockdown: Print current->comm in restriction messages

[PATCH V34 00/29] Lockdown as an LSM · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 01/29] security: Support early LSMs · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 01/29] security: Support early LSMs · Kees Cook <hidden> · 2019-06-22
[PATCH V34 02/29] security: Add a "locked down" LSM hook · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 02/29] security: Add a "locked down" LSM hook · Kees Cook <hidden> · 2019-06-22
[PATCH V34 03/29] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 03/29] security: Add a static lockdown policy LSM · Kees Cook <hidden> · 2019-06-22
[PATCH V34 04/29] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 04/29] Enforce module signatures if the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 06/29] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 06/29] kexec_load: Disable at runtime if the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 07/29] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 07/29] Copy secure_boot flag in boot params across kexec reboot · Kees Cook <hidden> · 2019-06-22
[PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Dave Young <hidden> · 2019-06-24
Re: [PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Dave Young <hidden> · 2019-06-25
[PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2019-06-22
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2019-06-24
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Joey Lee <JLee@suse.com> · 2019-07-10
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · joeyli <hidden> · 2019-07-11
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 11/29] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 11/29] PCI: Lock down BAR access when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 12/29] x86: Lock down IO port access when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down · Kees Cook <hidden> · 2019-06-23
[PATCH V34 18/29] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 18/29] Lock down TIOCSSERIAL · Kees Cook <hidden> · 2019-06-23
[PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Thomas Gleixner <hidden> · 2019-06-23
[PATCH V34 21/29] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 21/29] Lock down /proc/kcore · Kees Cook <hidden> · 2019-06-23
[PATCH V34 24/29] Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 24/29] Lock down perf when in confidentiality mode · Kees Cook <hidden> · 2019-06-23
[PATCH V34 27/29] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Ard Biesheuvel <hidden> · 2019-06-25
[PATCH V34 29/29] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 29/29] lockdown: Print current->comm in restriction messages · Kees Cook <hidden> · 2019-06-23
[PATCH V34 26/29] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Daniel Borkmann <daniel@iogearbox.net> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Daniel Borkmann <daniel@iogearbox.net> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-24
[PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Masami Hiramatsu <mhiramat@kernel.org> · 2019-06-23
[PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Daniel Axtens <hidden> · 2019-06-27
Re: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-06-27
[PATCH V34 16/29] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 16/29] acpi: Disable ACPI table override if the kernel is locked down · Kees Cook <hidden> · 2019-06-23
[PATCH V34 13/29] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Kees Cook <hidden> · 2019-06-22
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · James Morris <jmorris@namei.org> · 2019-06-27
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-27
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · James Morris <jmorris@namei.org> · 2019-06-27
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-27
Re: [PATCH V34 00/29] Lockdown as an LSM · James Morris <jmorris@namei.org> · 2019-06-24
Re: [PATCH V34 00/29] Lockdown as an LSM · Casey Schaufler <casey@schaufler-ca.com> · 2019-06-24
Re: [PATCH V34 00/29] Lockdown as an LSM · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V34 00/29] Lockdown as an LSM · James Morris <jmorris@namei.org> · 2019-06-25
Re: [PATCH V34 00/29] Lockdown as an LSM · John Johansen <john.johansen@canonical.com> · 2019-06-25

From: Kees Cook <hidden>
Date: 2019-06-23 00:25:33
Also in: linux-api, lkml

On Fri, Jun 21, 2019 at 05:03:58PM -0700, Matthew Garrett wrote:

quoted hunk ↗ jump to hunk

Print the content of current->comm in messages generated by lockdown to
indicate a restriction that was hit.  This makes it a bit easier to find
out what caused the message.

The message now patterned something like:

        Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <redacted>
---
 security/lockdown/lockdown.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 98f9ee0026d5..9ca6f442fbc7 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c

@@ -83,8 +83,8 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
 {	
 	if ((kernel_locked_down >= what)) {

To satisfy my paranoia, can you just add here:

		if (WARN(what > LOCKDOWN_..._MAX))
			return -EPERM;

With that:

Reviewed-by: Kees Cook <redacted>

-Kees

 		if (lockdown_reasons[what])
-			pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-				  lockdown_reasons[what]);
+			pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
+				  current->comm, lockdown_reasons[what]);
 		return -EPERM;
 	}
 
-- 
2.22.0.410.gd8fdbe21b5-goog

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help