lockdown: Print current->comm in restriction messages (b602614a) · Commits · 戴 / test

Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7 Signed-off-by:

David Howells <dhowells@redhat.com> Signed-off-by:

Matthew Garrett <mjg59@google.com> Reviewed-by:

Kees Cook <keescook@chromium.org> Signed-off-by:

James Morris <jmorris@namei.org>

fs/proc/kcore.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -548,11 +548,12 @@ static int open_kcore(struct inode inode, struct file filp)
		{
		int ret = security_locked_down(LOCKDOWN_KCORE);

		if (ret)
		return ret;
		if (!capable(CAP_SYS_RAWIO))
		return -EPERM;

		if (ret)
		return ret;

		filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
		if (!filp->private_data)
		return -ENOMEM;

security/lockdown/lockdown.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param);
		*/
		static int lockdown_is_locked_down(enum lockdown_reason what)
		{
		if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
		"Invalid lockdown reason"))
		return -EPERM;

		if (kernel_locked_down >= what) {
		if (lockdown_reasons[what])
		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
		lockdown_reasons[what]);
		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
		current->comm, lockdown_reasons[what]);
		return -EPERM;
		}

Admin message