[SRU][PATCH 0/1][C,D,u] fix EPERM bug in efi-lockdown


Kamal Mostafa-2
BugLink: https://bugs.launchpad.net/bugs/1807686

A bug in the pre-release version of efi-lockdown patch* applied to Cosmic and
later kernels improperly results in EPERM failures for some debugfs files.

Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")

Upstream's version of this code never introduced the bug, so the fix patch
isn't upstream either.

The fix patch looks correct by inspection.

 -Kamal

---

Vasily Gorbik (1):
  UBUNTU: SAUCE: debugfs: avoid EPERM when no open file operation
    defined

 fs/debugfs/file.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][PATCH 1/1][C, D, u] UBUNTU: SAUCE: debugfs: avoid EPERM when no open file operation defined

Kamal Mostafa-2
From: Vasily Gorbik <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1807686

With "debugfs: Restrict debugfs when the kernel is locked down"
return code "r" is unconditionally set to -EPERM, which stays like that
until function return if no "open" file operation defined, effectively
resulting in "Operation not permitted" for all such files despite kernel
lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.

In particular this breaks 2 debugfs files on s390:
/sys/kernel/debug/s390_hypfs/diag_304
/sys/kernel/debug/s390_hypfs/diag_204

To address that set EPERM return code only when debugfs_is_locked_down
returns true.

Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Vasily Gorbik <[hidden email]>
Reference: https://lore.kernel.org/patchwork/patch/1015495/
Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Kamal Mostafa <[hidden email]>
---
 fs/debugfs/file.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index c33042c1eff3..3a5033ff9ec7 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
 
  real_fops = debugfs_real_fops(filp);
 
- r = -EPERM;
- if (debugfs_is_locked_down(inode, filp, real_fops))
+ if (debugfs_is_locked_down(inode, filp, real_fops)) {
+ r = -EPERM;
  goto out;
+ }
 
  real_fops = fops_get(real_fops);
  if (!real_fops) {
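Review bot: With the unconditional `r = -EPERM;` removed from open_proxy_open(), nothing in this hunk assigns r on the path that passes the lockdown check, so the value returned when the file has no "open" operation is whatever r held before `real_fops = debugfs_real_fops(filp);`. That earlier assignment is outside the visible context. Please confirm r is 0 at that point, or set it explicitly after the lockdown block, so the success path does not depend on code the hunk does not show.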
@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
  return r == -EIO ? -ENOENT : r;
 
  real_fops = debugfs_real_fops(filp);
- r = -EPERM;
- if (debugfs_is_locked_down(inode, filp, real_fops))
+ if (debugfs_is_locked_down(inode, filp, real_fops)) {
+ r = -EPERM;
  goto out;
+ }
 
  real_fops = fops_get(real_fops);
  if (!real_fops) {
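Review bot: The block added here in full_proxy_open() is line-for-line the same as the one added to open_proxy_open() in the previous hunk, and the bug being fixed existed in both copies. Consider moving the check into one small helper that returns -EPERM or 0, or at least adding a comment above each copy saying that -EPERM is only for the locked-down case, so a later rebase of the lockdown patch cannot reintroduce the unconditional assignment in one function and not the other.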
--
2.17.1



ACK: [SRU][PATCH 1/1][C, D, u] UBUNTU: SAUCE: debugfs: avoid EPERM when no open file operation defined

Tyler Hicks-2
On 2019-01-09 12:52:35, Kamal Mostafa wrote:

> From: Vasily Gorbik <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1807686
>
> With "debugfs: Restrict debugfs when the kernel is locked down"
> return code "r" is unconditionally set to -EPERM, which stays like that
> until function return if no "open" file operation defined, effectively
> resulting in "Operation not permitted" for all such files despite kernel
> lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
>
> In particular this breaks 2 debugfs files on s390:
> /sys/kernel/debug/s390_hypfs/diag_304
> /sys/kernel/debug/s390_hypfs/diag_204
>
> To address that set EPERM return code only when debugfs_is_locked_down
> returns true.
>
> Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Vasily Gorbik <[hidden email]>
> Reference: https://lore.kernel.org/patchwork/patch/1015495/
> Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Kamal Mostafa <[hidden email]>

Acked-by: Tyler Hicks <[hidden email]>

Tyler

> ---
>  fs/debugfs/file.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
> index c33042c1eff3..3a5033ff9ec7 100644
> --- a/fs/debugfs/file.c
> +++ b/fs/debugfs/file.c
> @@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
>  
>   real_fops = debugfs_real_fops(filp);
>  
> - r = -EPERM;
> - if (debugfs_is_locked_down(inode, filp, real_fops))
> + if (debugfs_is_locked_down(inode, filp, real_fops)) {
> + r = -EPERM;
>   goto out;
> + }
>  
>   real_fops = fops_get(real_fops);
>   if (!real_fops) {
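Review bot: The lockdown branch in open_proxy_open() jumps to `out` before `real_fops = fops_get(real_fops);` runs, and the `out` label is outside this hunk's context. It is worth checking that `out` releases only what was acquired before the check and does not drop a reference on real_fops, since on this path none was taken.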
> @@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
>   return r == -EIO ? -ENOENT : r;
>  
>   real_fops = debugfs_real_fops(filp);
> - r = -EPERM;
> - if (debugfs_is_locked_down(inode, filp, real_fops))
> + if (debugfs_is_locked_down(inode, filp, real_fops)) {
> + r = -EPERM;
>   goto out;
> + }
>  
>   real_fops = fops_get(real_fops);
>   if (!real_fops) {
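Review bot: Style nit in full_proxy_open(): the new `if (debugfs_is_locked_down(inode, filp, real_fops)) {` follows `real_fops = debugfs_real_fops(filp);` with no blank line, while the open_proxy_open() hunk keeps one between the same two statements. Adding the blank line here would keep the two functions visually identical, which makes the two checks easier to compare.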
> --
> 2.17.1

ACK / APPLIED[D/Unstable]: [SRU][PATCH 1/1][C, D, u] UBUNTU: SAUCE: debugfs: avoid EPERM when no open file operation defined

Seth Forshee
In reply to this post by Kamal Mostafa-2
On Wed, Jan 09, 2019 at 12:52:35PM -0800, Kamal Mostafa wrote:

> From: Vasily Gorbik <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1807686
>
> With "debugfs: Restrict debugfs when the kernel is locked down"
> return code "r" is unconditionally set to -EPERM, which stays like that
> until function return if no "open" file operation defined, effectively
> resulting in "Operation not permitted" for all such files despite kernel
> lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
>
> In particular this breaks 2 debugfs files on s390:
> /sys/kernel/debug/s390_hypfs/diag_304
> /sys/kernel/debug/s390_hypfs/diag_204
>
> To address that set EPERM return code only when debugfs_is_locked_down
> returns true.
>
> Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Vasily Gorbik <[hidden email]>
> Reference: https://lore.kernel.org/patchwork/patch/1015495/
> Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
> Signed-off-by: Kamal Mostafa <[hidden email]>

Looks correct.

Acked-by: Seth Forshee <[hidden email]>

Applied to disco/master-next and unstable/master. I'll also point the
guys maintaining the lockdown patches at this to try and get it
incorporated there. Thanks!


APPLIED(C): [SRU][PATCH 0/1][C,D,u] fix EPERM bug in efi-lockdown

Khaled Elmously
In reply to this post by Kamal Mostafa-2
On 2019-01-09 12:52:34, Kamal Mostafa wrote:

> BugLink: https://bugs.launchpad.net/bugs/1807686
>
> A bug in the pre-release version of efi-lockdown patch* applied to Cosmic and
> later kernels improperly results in EPERM failures for some debugfs files.
>
> Fixes: a1ba65da9cea ("UBUNTU: SAUCE: (efi-lockdown) debugfs: Restrict debugfs when the kernel is locked down")
>
> Upstream's version of this code never introduced the bug, so the fix patch
> isn't upstream either.
>
> The fix patch looks correct by inspection.
>
>  -Kamal
>
> ---
>
> Vasily Gorbik (1):
>   UBUNTU: SAUCE: debugfs: avoid EPERM when no open file operation
>     defined
>
>  fs/debugfs/file.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> --
> 2.17.1