[PATCH 1/2] security: introduce security_lock_kernel_down()
From: Hamza Mahfooz <hidden>
Date: 2025-06-26 22:13:00
Define and export security_lock_kernel_down(), so that we can lock down the kernel from other parts of the kernel. Signed-off-by: Hamza Mahfooz <redacted> --- include/linux/lsm_hook_defs.h | 1 + include/linux/security.h | 8 ++++++++ security/lockdown/lockdown.c | 1 + security/security.c | 15 +++++++++++++++ 4 files changed, 25 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index bf3bbac4e02a..08ffd103c863 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -442,6 +442,7 @@ LSM_HOOK(int, 0, bpf_token_cmd, const struct bpf_token *token, enum bpf_cmd cmd)
 LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
 #endif /* CONFIG_BPF_SYSCALL */
+LSM_HOOK(int, 0, lock_down, const char *where, enum lockdown_reason level)
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
 #ifdef CONFIG_PERF_EVENTS
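Review bot: The new hook defaults to 0 on the added LSM_HOOK line, so on a kernel with CONFIG_SECURITY but no LSM implementing lock_down, call_int_hook() in the security.c hunk returns 0 and security_lock_kernel_down() reports success although nothing was locked down, while the !CONFIG_SECURITY stub in the security.h hunk returns -EOPNOTSUPP for the same situation. A caller that uses the return value to decide that lockdown is in force would be misled on configurations without the lockdown LSM. Making the two paths agree, `LSM_HOOK(int, -EOPNOTSUPP, lock_down, const char *where, enum lockdown_reason level)`, lets callers tell "nothing enforced" from "locked down"; alternatively callers could confirm with security_locked_down() afterwards. This follows from the hook default-return convention as I read it; worth confirming against how call_int_hook() treats the default.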
diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..373f8dd2a265 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -573,6 +573,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
 int security_locked_down(enum lockdown_reason what);
 int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len, void *val, size_t val_len, u64 id, u64 flags);
@@ -1576,6 +1577,13 @@ static inline int security_inode_getsecctx(struct inode *inode,
 {
 	return -EOPNOTSUPP;
 }
+
+static inline int security_lock_kernel_down(const char *where,
+					    enum lockdown_reason level)
+{
+	return -EOPNOTSUPP;
+}
+
 static inline int security_locked_down(enum lockdown_reason what)
 {
 	return 0;
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index cf83afa1d879..3839a62c2c17 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
 }
 static struct security_hook_list lockdown_hooks[] __ro_after_init = {
+	LSM_HOOK_INIT(lock_down, lock_kernel_down),
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
 };
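Review bot: The hook is wired to lock_kernel_down(), which is defined above this hunk and not visible here, so its contract as an LSM hook is stated nowhere: whether it refuses to lower an already-set level, and what it does with a `level` value that is an individual reason rather than one of the lockdown levels. Now that it is reachable through an exported symbol rather than only from the lockdown= parameter and init code, a one-line comment on the registration would make the invariant explicit, e.g. `/* lock_down may only raise the current lockdown level, never lower it */`. As a point of style, the other callback in this table carries the `lockdown_` prefix (lockdown_is_locked_down); a thin `lockdown_lock_down()` wrapper around lock_kernel_down() would keep the table consistent.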
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..51fbe8124388 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5789,6 +5789,21 @@ void security_bpf_token_free(struct bpf_token *token)
 }
 #endif /* CONFIG_BPF_SYSCALL */
+/**
+ * security_lock_kernel_down() - Lock down the kernel
+ * @where: the location from where the lock down is being initiated
+ * @level: requested lock down level
+ *
+ * Attempt to lock down the kernel at the requested level.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return call_int_hook(lock_down, where, level);
+}
+EXPORT_SYMBOL(security_lock_kernel_down);
+
 /**
  * security_locked_down() - Check if a kernel feature is allowed
  * @what: requested kernel feature
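Review bot: security_lock_kernel_down() is exported with EXPORT_SYMBOL, so any module can now raise the lockdown level, yet `level` is typed as enum lockdown_reason, which enumerates individual reasons as well as the LOCKDOWN_INTEGRITY_MAX/LOCKDOWN_CONFIDENTIALITY_MAX levels, and neither the function nor its kerneldoc says that only a level is valid; a caller passing a reason value would presumably leave the kernel in an intermediate state. The kerneldoc should state that `@level` must be one of the lockdown levels (a range check in the wrapper, or in the hook implementation, would enforce it), and that `@where` is a short caller identifier, presumably used for logging, so it should be a literal rather than data from elsewhere. The `Return:` line also only says "error on failure"; naming the specific codes, as far as the hook implementation defines them (e.g. -EOPNOTSUPP when no LSM handles the hook), would let callers act on them.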
--
2.49.0