Date: Wed, 20 May 2026 15:25:14 +0300
From: Egor Ignatov
To: devel-kernel@lists.altlinux.org
Subject: Re: [d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function
References: <20260506173722.1012394-1-egori@altlinux.org> <20260506173722.1012394-3-egori@altlinux.org>
List-Id: ALT Linux kernel packages development

On 5/9/26 3:20 AM, Vitaly Chikunov wrote:
> On Wed, May 06, 2026 at 08:37:18PM +0300, Egor Ignatov wrote:
>> From: Jeremy Cline
>>
>> In order to automatically lock down kernels running on UEFI machines
>> booted in Secure Boot mode, expose the security_lock_kernel_down() function.
>>
>> Based on Fedora patches:
>> - security: lockdown: expose a hook to lock the kernel down
>> - efi,lockdown: fix kernel lockdown on Secure Boot
>
> But the author of the second patch is Ondrej Mosnacek, and we are mostly
> taking his changes, not the ones from the first patch.
>
> Besides, the `Signed-off-by` tag does not indicate authorship.
>
> Maybe it is better to put yourself in From, but add:
>
> Based-on-a-patch-by: Jeremy Cline
> Based-on-a-patch-by: Ondrej Mosnacek
>
> This does occur in the kernel, though rarely.

OK, I'll do it that way.

>>
>> Signed-off-by: Jeremy Cline
>> Signed-off-by: Ondrej Mosnacek
>> Signed-off-by: Egor Ignatov
>> ---
>> include/linux/security.h | 9 +++++++++
>> security/lockdown/lockdown.c | 11 +++++++++++
>> 2 files changed, 20 insertions(+)
>> >> diff --git a/include/linux/security.h b/include/linux/security.h >> index ee88dd2d2d..5c816f0b8b 100644 >> --- a/include/linux/security.h >> +++ b/include/linux/security.h >> @@ -2405,4 +2405,13 @@ static inline void security_initramfs_populated(void) >> } >> #endif /* CONFIG_SECURITY */ >> >> +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM >> +extern int security_lock_kernel_down(const char *where, enum lockdown_reason level); >> +#else >> +static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) >> +{ >> + return 0; >> +} >> +#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */ >> + >> #endif /* ! __LINUX_SECURITY_H */ >> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c >> index 8d46886d2c..14a9cdff94 100644 >> --- a/security/lockdown/lockdown.c >> +++ b/security/lockdown/lockdown.c >> @@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what) >> return 0; >> } >> >> +/** >> + * security_lock_kernel_down() - Put the kernel into lock-down mode. >> + * >> + * @where: Where the lock-down is originating from (e.g. command line option) >> + * @level: The lock-down level (can only increase) >> + */ >> +int security_lock_kernel_down(const char *where, enum lockdown_reason level) >> +{ >> + return lock_kernel_down(where, level); >> +} >> + >> static struct security_hook_list lockdown_hooks[] __ro_after_init = { >> LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), >> }; >> -- >> 2.50.1 >> >> _______________________________________________ >> devel-kernel mailing list >> devel-kernel@lists.altlinux.org >> https://lists.altlinux.org/mailman/listinfo/devel-kernel > _______________________________________________ > devel-kernel mailing list > devel-kernel@lists.altlinux.org > https://lists.altlinux.org/mailman/listinfo/devel-kernel -- Egor Ignatov ALT Linux Team
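Review bot: in the include/linux/security.h hunk, the !CONFIG_SECURITY_LOCKDOWN_LSM stub of security_lock_kernel_down() does `return 0;`, i.e. reports success although nothing was locked down, so a caller that wants to lock the kernel down for Secure Boot cannot distinguish "lockdown applied" from "lockdown LSM not built". Consider returning an error from the stub, or at least stating at the declaration that 0 from the stub means no lockdown took place, so callers can log that the kernel was not locked down.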
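Review bot: the kernel-doc on security_lock_kernel_down() in the security/lockdown/lockdown.c hunk has no `Return:` section, yet the function now gains callers outside this file that only see the declaration, and it simply passes through the result of lock_kernel_down(). Add a `Return:` line saying when the call succeeds and when it refuses (the `@level` comment says the level can only increase, so the non-increasing case should be spelled out). Also note that the function is not exported with EXPORT_SYMBOL, which is fine for built-in EFI code but rules out module callers; a one-line remark in the kernel-doc would save the next reader the question.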