diff mbox series

[GIT,PULL,Security] lockdown: Allow unprivileged users to see lockdown status

Message ID alpine.LRH.2.21.2006021212490.12446@namei.org (mailing list archive)
State New, archived
Headers show
Series [GIT,PULL,Security] lockdown: Allow unprivileged users to see lockdown status | expand

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general

Commit Message

James Morris June 2, 2020, 2:15 a.m. UTC
Hi Linus,

Just one update for the security subsystem: allows unprivileged users to 
see the status of the lockdown feature. From Jeremy Cline.

Please pull.


The following changes since commit 3e27a33932df104f4f9ff811467b0b4ccebde773:

  security: remove duplicated include from security.h (2020-02-21 08:53:48 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general

for you to fetch changes up to 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c:

  lockdown: Allow unprivileged users to see lockdown status (2020-05-14 10:23:05 -0700)

----------------------------------------------------------------
Jeremy Cline (1):
      lockdown: Allow unprivileged users to see lockdown status

 security/lockdown/lockdown.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

---
commit 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c
Author: Jeremy Cline <jcline@redhat.com>
Date:   Thu May 14 10:05:46 2020 -0400

    lockdown: Allow unprivileged users to see lockdown status
    
    A number of userspace tools, such as systemtap, need a way to see the
    current lockdown state so they can gracefully deal with the kernel being
    locked down. The state is already exposed in
    /sys/kernel/security/lockdown, but is only readable by root. Adjust the
    permissions so unprivileged users can read the state.
    
    Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
    Cc: Frank Ch. Eigler <fche@redhat.com>
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: James Morris <jmorris@namei.org>

Comments

Linus Torvalds June 3, 2020, 12:39 a.m. UTC | #1
On Mon, Jun 1, 2020 at 7:15 PM James Morris <jmorris@namei.org> wrote:
>
> Just one update for the security subsystem: allows unprivileged users to
> see the status of the lockdown feature. From Jeremy Cline.

Hmm.

That branch seems to have sprouted another commit just today.

I ended up taking that too as trivial, but it shows how you seem to
basically send me a pointer to a live branch. Please don't do that.
When you make changes to that branch, I now get those changes that you
may not have meant to send me (and that I get upset for being
surprised by).

An easy solution to that is to send me a signed tag instead of a
pointer to a branch. Then you can continue to update the branch, while
the tag stays stable.

Plus we've been encouraging signed tags for pull requests anyway.

              Linus
pr-tracker-bot@kernel.org June 3, 2020, 1:10 a.m. UTC | #2
The pull request you sent on Tue, 2 Jun 2020 12:15:04 +1000 (AEST):

> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/56f2e3b7d819f4fa44857ba81aa6870f18714ea0

Thank you!
James Morris June 3, 2020, 9:27 p.m. UTC | #3
On Tue, 2 Jun 2020, Linus Torvalds wrote:

> On Mon, Jun 1, 2020 at 7:15 PM James Morris <jmorris@namei.org> wrote:
> >
> > Just one update for the security subsystem: allows unprivileged users to
> > see the status of the lockdown feature. From Jeremy Cline.
> 
> Hmm.
> 
> That branch seems to have sprouted another commit just today.

Oops, sorry, I thought it was already pulled.

> 
> I ended up taking that too as trivial, but it shows how you seem to
> basically send me a pointer to a live branch. Please don't do that.
> When you make changes to that branch, I now get those changes that you
> may not have meant to send me (and that I get upset for being
> surprised by).
> 
> An easy solution to that is to send me a signed tag instead of a
> pointer to a branch. Then you can continue to update the branch, while
> the tag stays stable.
> 
> Plus we've been encouraging signed tags for pull requests anyway.

Ok.
diff mbox series

Patch

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 40b790536def..ae594c0a127f 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -175,7 +175,7 @@  static int __init lockdown_secfs_init(void)
 {
 	struct dentry *dentry;
 
-	dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
+	dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
 					&lockdown_ops);
 	return PTR_ERR_OR_ZERO(dentry);
 }