Commit b602614a authored by Matthew Garrett's avatar Matthew Garrett Committed by James Morris

lockdown: Print current->comm in restriction messages

Print the content of current->comm in messages generated by lockdown to
indicate a restriction that was hit.  This makes it a bit easier to find
out what caused the message.

The message now patterned something like:

        Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarMatthew Garrett <mjg59@google.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 1957a85b
...@@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp) ...@@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp)
{ {
int ret = security_locked_down(LOCKDOWN_KCORE); int ret = security_locked_down(LOCKDOWN_KCORE);
if (ret)
return ret;
if (!capable(CAP_SYS_RAWIO)) if (!capable(CAP_SYS_RAWIO))
return -EPERM; return -EPERM;
if (ret)
return ret;
filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL); filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!filp->private_data) if (!filp->private_data)
return -ENOMEM; return -ENOMEM;
......
...@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param); ...@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param);
*/ */
static int lockdown_is_locked_down(enum lockdown_reason what) static int lockdown_is_locked_down(enum lockdown_reason what)
{ {
if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
"Invalid lockdown reason"))
return -EPERM;
if (kernel_locked_down >= what) { if (kernel_locked_down >= what) {
if (lockdown_reasons[what]) if (lockdown_reasons[what])
pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
lockdown_reasons[what]); current->comm, lockdown_reasons[what]);
return -EPERM; return -EPERM;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment