| Message ID | alpine.LRH.2.21.2006021212490.12446@namei.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [GIT,PULL,Security] lockdown: Allow unprivileged users to see lockdown status | expand |
On Mon, Jun 1, 2020 at 7:15 PM James Morris <jmorris@namei.org> wrote: > > Just one update for the security subsystem: allows unprivileged users to > see the status of the lockdown feature. From Jeremy Cline. Hmm. That branch seems to have sprouted another commit just today. I ended up taking that too as trivial, but it shows how you seem to basically send me a pointer to a live branch. Please don't do that. When you make changes to that branch, I now get those changes that you may not have meant to send me (and that I get upset for being surprised by). An easy solution to that is to send me a signed tag instead of a pointer to a branch. Then you can continue to update the branch, while the tag stays stable. Plus we've been encouraging signed tags for pull requests anyway. Linus
The pull request you sent on Tue, 2 Jun 2020 12:15:04 +1000 (AEST):
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/56f2e3b7d819f4fa44857ba81aa6870f18714ea0
Thank you!
On Tue, 2 Jun 2020, Linus Torvalds wrote: > On Mon, Jun 1, 2020 at 7:15 PM James Morris <jmorris@namei.org> wrote: > > > > Just one update for the security subsystem: allows unprivileged users to > > see the status of the lockdown feature. From Jeremy Cline. > > Hmm. > > That branch seems to have sprouted another commit just today. Oops, sorry, I thought it was already pulled. > > I ended up taking that too as trivial, but it shows how you seem to > basically send me a pointer to a live branch. Please don't do that. > When you make changes to that branch, I now get those changes that you > may not have meant to send me (and that I get upset for being > surprised by). > > An easy solution to that is to send me a signed tag instead of a > pointer to a branch. Then you can continue to update the branch, while > the tag stays stable. > > Plus we've been encouraging signed tags for pull requests anyway. Ok.
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 40b790536def..ae594c0a127f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -175,7 +175,7 @@ static int __init lockdown_secfs_init(void) { struct dentry *dentry; - dentry = securityfs_create_file("lockdown", 0600, NULL, NULL, + dentry = securityfs_create_file("lockdown", 0644, NULL, NULL, &lockdown_ops); return PTR_ERR_OR_ZERO(dentry); }
Hi Linus, Just one update for the security subsystem: allows unprivileged users to see the status of the lockdown feature. From Jeremy Cline. Please pull. The following changes since commit 3e27a33932df104f4f9ff811467b0b4ccebde773: security: remove duplicated include from security.h (2020-02-21 08:53:48 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general for you to fetch changes up to 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c: lockdown: Allow unprivileged users to see lockdown status (2020-05-14 10:23:05 -0700) ---------------------------------------------------------------- Jeremy Cline (1): lockdown: Allow unprivileged users to see lockdown status security/lockdown/lockdown.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- commit 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c Author: Jeremy Cline <jcline@redhat.com> Date: Thu May 14 10:05:46 2020 -0400 lockdown: Allow unprivileged users to see lockdown status A number of userspace tools, such as systemtap, need a way to see the current lockdown state so they can gracefully deal with the kernel being locked down. The state is already exposed in /sys/kernel/security/lockdown, but is only readable by root. Adjust the permissions so unprivileged users can read the state. Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM") Cc: Frank Ch. Eigler <fche@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>