Date: Sat, 9 May 2026 03:20:41 +0300
From: Vitaly Chikunov
To: ALT Linux kernel packages development
Subject: Re: [d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function
References: <20260506173722.1012394-1-egori@altlinux.org> <20260506173722.1012394-3-egori@altlinux.org>
In-Reply-To: <20260506173722.1012394-3-egori@altlinux.org>

On Wed, May 06, 2026 at 08:37:18PM +0300, Egor Ignatov wrote:
> From: Jeremy Cline
>
> In order to automatically lock down kernels running on UEFI machines
> booted in Secure Boot mode, expose the security_lock_kernel_down() function.
>
> Based on Fedora patches:
> - security: lockdown: expose a hook to lock the kernel down
> - efi,lockdown: fix kernel lockdown on Secure Boot

But the author of the second patch is Ondrej Mosnacek, and we are mostly taking his changes rather than the ones from the first patch. Besides, the `Signed-off-by` tag does not indicate authorship. Maybe it is better to put yourself in From, but add:

Based-on-a-patch-by: Jeremy Cline
Based-on-a-patch-by: Ondrej Mosnacek

This exists in the kernel, although rarely.

>
> Signed-off-by: Jeremy Cline
> Signed-off-by: Ondrej Mosnacek
> Signed-off-by: Egor Ignatov
> ---
> include/linux/security.h | 9 +++++++++
> security/lockdown/lockdown.c | 11 +++++++++++
> 2 files changed, 20 insertions(+)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ee88dd2d2d..5c816f0b8b 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -2405,4 +2405,13 @@ static inline void security_initramfs_populated(void)
> }
> #endif /* CONFIG_SECURITY */
>
> +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
> +extern int security_lock_kernel_down(const char *where, enum lockdown_reason level);
> +#else
> +static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
> +{
> + return 0;
> +}
> +#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
> +
> #endif /* ! __LINUX_SECURITY_H */
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 8d46886d2c..14a9cdff94 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
> return 0;
> }
>
> +/**
> + * security_lock_kernel_down() - Put the kernel into lock-down mode.
> + *
> + * @where: Where the lock-down is originating from (e.g. command line option)
> + * @level: The lock-down level (can only increase)
> + */
> +int security_lock_kernel_down(const char *where, enum lockdown_reason level)
> +{
> + return lock_kernel_down(where, level);
> +}
> +
> static struct security_hook_list lockdown_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
> };
> --
> 2.50.1
>
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
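Review bot: in the include/linux/security.h hunk, the `#else` stub `security_lock_kernel_down()` returns 0, so a caller built without CONFIG_SECURITY_LOCKDOWN_LSM receives a success code although nothing was locked down. Since the stated purpose is to lock the kernel down automatically on Secure Boot machines, consider returning a distinguishable error from the stub (for example `-EOPNOTSUPP`) or at least documenting in the header that the stub is a silent no-op, so the EFI caller can log that the lockdown was not applied.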
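Review bot: in the security/lockdown/lockdown.c hunk, the kernel-doc block for `security_lock_kernel_down()` has no `Return:` section; the wrapper just propagates the result of `lock_kernel_down()`, so state what callers should expect, and note that the "can only increase" remark on `@level` is enforced entirely by the callee, because the wrapper itself performs no check on `level`. It would also help to say in the commit message that the function is intentionally not exported with EXPORT_SYMBOL, i.e. it is meant for built-in callers only.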