author | Ben Hutchings <ben@decadent.org.uk> | 2019-12-27 20:11:13 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-12-27 20:11:13 +0000 |
commit | eec8c6ac0814cb8adf99ff6e860af8ed9818e88f (patch) | |
tree | 60ed1a1da1fcd5d42ff96aea4eba34077d68a7e6 | |
parent | 31e7fa3b98ed6305ee767d89f5010174bdf75387 (diff) | |
tracing: Do not create directories if lockdown is in affect
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/features/all/lockdown/tracing-Do-not-create-directories-if-lockdown-is-in-.patch | 84 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 86 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index d4b4fe4d17c6..5a12955061b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -364,6 +364,7 @@ linux (5.4.6-1) UNRELEASED; urgency=medium
 * linux-cpupower: Fix grammar error in package description
 * debian/control: Make library package descriptions more consistent
 * Set ABI to 1
+ * tracing: Do not create directories if lockdown is in affect
 [ Aurelien Jarno ]
 * [armhf,arm64] Fix critical trip point on RPI 3.
diff --git a/debian/patches/features/all/lockdown/tracing-Do-not-create-directories-if-lockdown-is-in-.patch b/debian/patches/features/all/lockdown/tracing-Do-not-create-directories-if-lockdown-is-in-.patch
new file mode 100644
index 000000000000..ea827bdde6cd
--- /dev/null
+++ b/debian/patches/features/all/lockdown/tracing-Do-not-create-directories-if-lockdown-is-in-.patch
@@ -0,0 +1,84 @@
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 2 Dec 2019 16:25:27 -0500
+Subject: tracing: Do not create directories if lockdown is in affect
+Origin: https://git.kernel.org/linus/a356646a56857c2e5ad875beec734d7145ecd49a
+
+If lockdown is disabling tracing on boot up, it prevents the tracing files
+from even bering created. But when that happens, there's several places that
+will give a warning that the files were not created as that is usually a
+sign of a bug.
+
+Add in strategic locations where a check is made to see if tracing is
+disabled by lockdown, and if it is, do not go further, and fail silently
+(but print that tracing is disabled by lockdown, without doing a WARN_ON()).
+
+Cc: Matthew Garrett <mjg59@google.com>
+Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+---
+ kernel/trace/ring_buffer.c | 6 ++++++
+ kernel/trace/trace.c | 17 +++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -11,6 +11,7 @@
+ #include <linux/trace_seq.h>
+ #include <linux/spinlock.h>
+ #include <linux/irq_work.h>
++#include <linux/security.h>
+ #include <linux/uaccess.h>
+ #include <linux/hardirq.h>
+ #include <linux/kthread.h> /* for self test */
+@@ -5068,6 +5069,11 @@ static __init int test_ringbuffer(void)
+ int cpu;
+ int ret = 0;
+
++ if (security_locked_down(LOCKDOWN_TRACEFS)) {
++ pr_warning("Lockdown is enabled, skipping ring buffer tests\n");
++ return 0;
++ }
++
+ pr_info("Running ring buffer tests...\n");
+
+ buffer = ring_buffer_alloc(RB_TEST_BUFFER_SIZE, RB_FL_OVERWRITE);
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1804,6 +1804,12 @@ int __init register_tracer(struct tracer
+ return -1;
+ }
+
++ if (security_locked_down(LOCKDOWN_TRACEFS)) {
++ pr_warning("Can not register tracer %s due to lockdown\n",
++ type->name);
++ return -EPERM;
++ }
++
+ mutex_lock(&trace_types_lock);
+
+ tracing_selftest_running = true;
+@@ -8639,6 +8645,11 @@ struct dentry *tracing_init_dentry(void)
+ {
+ struct trace_array *tr = &global_trace;
+
++ if (security_locked_down(LOCKDOWN_TRACEFS)) {
++ pr_warning("Tracing disabled due to lockdown\n");
++ return ERR_PTR(-EPERM);
++ }
++
+ /* The top level trace array uses NULL as parent */
+ if (tr->dir)
+ return NULL;
+@@ -9081,6 +9092,12 @@ __init static int tracer_alloc_buffers(v
+ int ring_buf_size;
+ int ret = -ENOMEM;
+
++
++ if (security_locked_down(LOCKDOWN_TRACEFS)) {
++ pr_warning("Tracing disabled due to lockdown\n");
++ return -EPERM;
++ }
++
+ /*
+ * Make sure we don't accidently add more trace options
+ * than we have bits for.
diff --git a/debian/patches/series b/debian/patches/series
index e9e7ed4eec40..d699dd2c2772 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,6 +89,7 @@ bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
 # Miscellaneous features
 # Lockdown missing pieces
+features/all/lockdown/tracing-Do-not-create-directories-if-lockdown-is-in-.patch
 features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
 features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
 features/all/lockdown/add-a-sysrq-option-to-lift-kernel-lockdown.patch |
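Review bot: The new security_locked_down(LOCKDOWN_TRACEFS) checks in register_tracer and tracer_alloc_buffers sit in __init paths (tracing_init_dentry is presumably reached from the same boot-time setup), so the decision to skip registration and directory creation is taken once and never revisited; since this series also carries add-a-sysrq-option-to-lift-kernel-lockdown.patch, lifting lockdown at runtime would leave tracing unavailable until reboot, and the patch does not document that. A one-line comment at the first check in trace.c would make the contract explicit: `/* Lockdown is evaluated once at init; lifting it later does not re-enable tracing. */`. Separately, the tracer_alloc_buffers hunk inserts an added empty line (`++`) directly after the existing blank context line, leaving two consecutive blank lines before the check, whereas the other three hunks add a single trailing blank; dropping that extra `++` line keeps the four sites consistent and avoids the usual checkpatch multiple-blank-lines warning. All four enclosing functions start and end outside their hunks.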