Re: [PATCH v2 1/3] lockdown: Switch implementation to using bitmap
From: <hidden>
Date: 2025-08-05 22:18:34
Nikolay Borisov wrote:
Tracking the lockdown at the depth granularity rather than at the individual is somewhat inflexible as it provides an "all or nothing" approach. Instead there are use cases where it will be useful to be able to lockdown individual features - TDX for example wants to disable access to just /dev/mem. To accommodate this use case switch the internal implementation to using a bitmap so that individual lockdown features can be turned on. At the same time retain the existing semantic where INTEGRITY_MAX/CONFIDENTIALITY_MAX are treated as wildcards meaning "lock everything below me". Signed-off-by: Nikolay Borisov <redacted> --- security/lockdown/lockdown.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-)diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index cf83afa1d879..5014d18c423f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c@@ -10,12 +10,13 @@ * 2 of the Licence, or (at your option) any later version. */ +#include <linux/bitmap.h> #include <linux/security.h> #include <linux/export.h> #include <linux/lsm_hooks.h> #include <uapi/linux/lsm.h> -static enum lockdown_reason kernel_locked_down; +static DECLARE_BITMAP(kernel_locked_down, LOCKDOWN_CONFIDENTIALITY_MAX); static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, LOCKDOWN_INTEGRITY_MAX,@@ -26,10 +27,15 @@ static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, */ static int lock_kernel_down(const char *where, enum lockdown_reason level) { - if (kernel_locked_down >= level) - return -EPERM;
So now attempts to reduce security return "success" where previously they get permission denied? I think that is an unfortunate side effect of trying to have this one function handle both levels and individual features.
- kernel_locked_down = level; + if (level > LOCKDOWN_CONFIDENTIALITY_MAX) + return -EINVAL; + + if (level == LOCKDOWN_INTEGRITY_MAX || level == LOCKDOWN_CONFIDENTIALITY_MAX) + bitmap_set(kernel_locked_down, 1, level); + else + bitmap_set(kernel_locked_down, level, 1); +
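Review bot: the wildcard branch in this hunk writes one bit past the bitmap declared in the first hunk. `DECLARE_BITMAP(kernel_locked_down, LOCKDOWN_CONFIDENTIALITY_MAX)` provides bit indices 0..LOCKDOWN_CONFIDENTIALITY_MAX-1, but `bitmap_set(kernel_locked_down, 1, level)` sets `level` bits starting at 1, i.e. bits 1..level inclusive, so for level == LOCKDOWN_CONFIDENTIALITY_MAX (which the preceding `level > LOCKDOWN_CONFIDENTIALITY_MAX` check deliberately lets through) bit LOCKDOWN_CONFIDENTIALITY_MAX is set. DECLARE_BITMAP rounds storage up to whole longs, so this only corrupts memory when the MAX value happens to be a multiple of BITS_PER_LONG, but it is still a latent off-by-one. Either size the bitmap as `LOCKDOWN_CONFIDENTIALITY_MAX + 1` so every enum value has a bit, or, if the commit message's "lock everything below me" is meant literally, pass `level - 1` as the count so the MAX sentinel itself is never set.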
The individual case probably deserves its own interface given all current kernels expect levels and the future callers probably want to skip the pr_notice() below given only piecemeal features are being disabled. You might even special case just LOCKDOWN_DEV_MEM for now as the only one that can be independently set by an internal caller.