From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Egor Ignatov To: devel-kernel@lists.altlinux.org Date: Wed, 6 May 2026 20:37:18 +0300 Message-ID: <20260506173722.1012394-3-egori@altlinux.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260506173722.1012394-1-egori@altlinux.org> References: <20260506173722.1012394-1-egori@altlinux.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 May 2026 17:37:34 -0000 Archived-At: List-Archive: List-Post: From: Jeremy Cline In order to automatically lock down kernels running on UEFI machines booted in Secure Boot mode, expose the security_lock_kernel_down() function. Based on Fedora patches: - security: lockdown: expose a hook to lock the kernel down - efi,lockdown: fix kernel lockdown on Secure Boot Signed-off-by: Jeremy Cline Signed-off-by: Ondrej Mosnacek Signed-off-by: Egor Ignatov --- include/linux/security.h | 9 +++++++++ security/lockdown/lockdown.c | 11 +++++++++++ 2 files changed, 20 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index ee88dd2d2d..5c816f0b8b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2405,4 +2405,13 @@ static inline void security_initramfs_populated(void) } #endif /* CONFIG_SECURITY */ +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM +extern int security_lock_kernel_down(const char *where, enum lockdown_reason level); +#else +static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) +{ + return 0; +} +#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */ + #endif /* ! __LINUX_SECURITY_H */ 
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 8d46886d2c..14a9cdff94 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what) return 0; } +/** + * security_lock_kernel_down() - Put the kernel into lock-down mode. + * + * @where: Where the lock-down is originating from (e.g. command line option) + * @level: The lock-down level (can only increase) + */ +int security_lock_kernel_down(const char *where, enum lockdown_reason level) +{ + return lock_kernel_down(where, level); +} + static struct security_hook_list lockdown_hooks[] __ro_after_init = { LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), }; -- 2.50.1
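Review bot: In the include/linux/security.h hunk, the `!CONFIG_SECURITY_LOCKDOWN_LSM` stub `static inline int security_lock_kernel_down(...) { return 0; }` reports success even though nothing was locked down, so a caller that checks the return value cannot distinguish "kernel now locked down" from "lockdown LSM not built, request ignored". The new declarations also carry no comment, unlike the kernel-doc added in lockdown.c. Please state the contract in the header (for example, "returns 0 when the lockdown LSM is not compiled in; callers must not treat 0 as confirmation that the kernel is locked down"), or return a distinguishable error code from the stub if any caller is expected to act on the result.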
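Review bot: In the security/lockdown/lockdown.c hunk, the kernel-doc for `security_lock_kernel_down()` documents `@where` and `@level` but has no `Return:` section, while the note "(can only increase)" implies a failure path when a lower level is requested; please add something like "Return: 0 on success, negative errno if @level would not raise the current lock-down level", so callers such as the EFI Secure Boot path this series adds know whether to check the result. It would also help to say in the description that the wrapper simply forwards to `lock_kernel_down()` and that it is intended for built-in early-boot callers, since the function is not exported for modules.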