# git rev-parse -q --verify aefcf2f4b58155d27340ba5f9ddbe9513da8286d^{commit} aefcf2f4b58155d27340ba5f9ddbe9513da8286d already have revision, skipping fetch # git checkout -q -f -B kisskb aefcf2f4b58155d27340ba5f9ddbe9513da8286d # git clean -qxdf # < git log -1 # commit aefcf2f4b58155d27340ba5f9ddbe9513da8286d # Merge: f1f2f614d535 45893a0abee6 # Author: Linus Torvalds # Date: Sat Sep 28 08:14:15 2019 -0700 # # Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security # # Pull kernel lockdown mode from James Morris: # "This is the latest iteration of the kernel lockdown patchset, from # Matthew Garrett, David Howells and others. # # From the original description: # # This patchset introduces an optional kernel lockdown feature, # intended to strengthen the boundary between UID 0 and the kernel. # When enabled, various pieces of kernel functionality are restricted. # Applications that rely on low-level access to either hardware or the # kernel may cease working as a result - therefore this should not be # enabled without appropriate evaluation beforehand. # # The majority of mainstream distributions have been carrying variants # of this patchset for many years now, so there's value in providing a # doesn't meet every distribution requirement, but gets us much closer # to not requiring external patches. # # There are two major changes since this was last proposed for mainline: # # - Separating lockdown from EFI secure boot. Background discussion is # covered here: https://lwn.net/Articles/751061/ # # - Implementation as an LSM, with a default stackable lockdown LSM # module. This allows the lockdown feature to be policy-driven, # rather than encoding an implicit policy within the mechanism. # # The new locked_down LSM hook is provided to allow LSMs to make a # policy decision around whether kernel functionality that would allow # tampering with or examining the runtime state of the kernel should be # permitted. # # The included lockdown LSM provides an implementation with a simple # policy intended for general purpose use. This policy provides a coarse # level of granularity, controllable via the kernel command line: # # lockdown={integrity|confidentiality} # # Enable the kernel lockdown feature. If set to integrity, kernel features # that allow userland to modify the running kernel are disabled. If set to # confidentiality, kernel features that allow userland to extract # confidential information from the kernel are also disabled. # # This may also be controlled via /sys/kernel/security/lockdown and # overriden by kernel configuration. # # New or existing LSMs may implement finer-grained controls of the # lockdown features. Refer to the lockdown_reason documentation in # include/linux/security.h for details. # # The lockdown feature has had signficant design feedback and review # across many subsystems. This code has been in linux-next for some # weeks, with a few fixes applied along the way. # # Stephen Rothwell noted that commit 9d1f8be5cf42 ("bpf: Restrict bpf # when kernel lockdown is in confidentiality mode") is missing a # Signed-off-by from its author. Matthew responded that he is providing # this under category (c) of the DCO" # # * 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (31 commits) # kexec: Fix file verification on S390 # security: constify some arrays in lockdown LSM # lockdown: Print current->comm in restriction messages # efi: Restrict efivar_ssdt_load when the kernel is locked down # tracefs: Restrict tracefs when the kernel is locked down # debugfs: Restrict debugfs when the kernel is locked down # kexec: Allow kexec_file() with appropriate IMA policy when locked down # lockdown: Lock down perf when in confidentiality mode # bpf: Restrict bpf when kernel lockdown is in confidentiality mode # lockdown: Lock down tracing and perf kprobes when in confidentiality mode # lockdown: Lock down /proc/kcore # x86/mmiotrace: Lock down the testmmiotrace module # lockdown: Lock down module params that specify hardware parameters (eg. ioport) # lockdown: Lock down TIOCSSERIAL # lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down # acpi: Disable ACPI table override if the kernel is locked down # acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down # ACPI: Limit access to custom_method when the kernel is locked down # x86/msr: Restrict MSR access when the kernel is locked down # x86: Lock down IO port access when the kernel is locked down # ... # < /opt/cross/kisskb/br-aarch64-glibc-2016.08-613-ge98b4dd/bin/aarch64-linux-gcc --version # < /opt/cross/kisskb/br-aarch64-glibc-2016.08-613-ge98b4dd/bin/aarch64-linux-ld --version # < git log --format=%s --max-count=1 aefcf2f4b58155d27340ba5f9ddbe9513da8286d # < make -s -j 120 ARCH=arm64 O=/kisskb/build/linus_arm64-allmodconfig_arm64-gcc5.4 CROSS_COMPILE=/opt/cross/kisskb/br-aarch64-glibc-2016.08-613-ge98b4dd/bin/aarch64-linux- allmodconfig # make -s -j 120 ARCH=arm64 O=/kisskb/build/linus_arm64-allmodconfig_arm64-gcc5.4 CROSS_COMPILE=/opt/cross/kisskb/br-aarch64-glibc-2016.08-613-ge98b4dd/bin/aarch64-linux- arch/arm64/Makefile:27: ld does not support --fix-cortex-a53-843419; kernel may be susceptible to erratum arch/arm64/Makefile:38: LSE atomics not supported by binutils /kisskb/src/fs/cifs/smb2pdu.c: In function 'SMB2_ioctl_init': /kisskb/src/fs/cifs/smb2pdu.c:2682:19: warning: 'in_data_buf' may be used uninitialized in this function [-Wmaybe-uninitialized] iov[1].iov_base = in_data_buf; ^ In file included from /kisskb/src/include/linux/list.h:9:0, from /kisskb/src/include/linux/wait.h:7, from /kisskb/src/include/linux/wait_bit.h:8, from /kisskb/src/include/linux/fs.h:6, from /kisskb/src/fs/btrfs/send.c:7: /kisskb/src/fs/btrfs/send.c: In function 'process_extent': /kisskb/src/include/linux/kernel.h:37:33: warning: 'clone_src_i_size' may be used uninitialized in this function [-Wmaybe-uninitialized] #define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0) ^ /kisskb/src/fs/btrfs/send.c:5088:6: note: 'clone_src_i_size' was declared here u64 clone_src_i_size; ^ /kisskb/src/drivers/i2c/busses/i2c-sh_mobile.c: In function 'sh_mobile_i2c_isr': /kisskb/src/drivers/i2c/busses/i2c-sh_mobile.c:399:26: warning: 'data' may be used uninitialized in this function [-Wmaybe-uninitialized] pd->msg->buf[real_pos] = data; ^ /kisskb/src/drivers/i2c/busses/i2c-sh_mobile.c:372:16: note: 'data' was declared here unsigned char data; ^ In file included from /kisskb/src/include/linux/wait.h:9:0, from /kisskb/src/include/linux/net.h:19, from /kisskb/src/drivers/infiniband/sw/siw/siw_qp_rx.c:8: /kisskb/src/drivers/infiniband/sw/siw/siw_qp_rx.c: In function 'siw_proc_send': /kisskb/src/include/linux/spinlock.h:288:3: warning: 'flags' may be used uninitialized in this function [-Wmaybe-uninitialized] _raw_spin_unlock_irqrestore(lock, flags); \ ^ /kisskb/src/drivers/infiniband/sw/siw/siw_qp_rx.c:335:16: note: 'flags' was declared here unsigned long flags; ^ In file included from /kisskb/src/include/linux/rwsem.h:16:0, from /kisskb/src/include/linux/notifier.h:15, from /kisskb/src/include/linux/clk.h:14, from /kisskb/src/drivers/tty/serial/sh-sci.c:24: /kisskb/src/drivers/tty/serial/sh-sci.c: In function 'sci_dma_rx_submit': /kisskb/src/include/linux/spinlock.h:288:3: warning: 'flags' may be used uninitialized in this function [-Wmaybe-uninitialized] _raw_spin_unlock_irqrestore(lock, flags); \ ^ /kisskb/src/drivers/tty/serial/sh-sci.c:1351:16: note: 'flags' was declared here unsigned long flags; ^ WARNING: "HYPERVISOR_platform_op" [vmlinux] is a static EXPORT_SYMBOL_GPL WARNING: "HYPERVISOR_platform_op" [vmlinux] is a static EXPORT_SYMBOL_GPL Completed OK # rm -rf /kisskb/build/linus_arm64-allmodconfig_arm64-gcc5.4 # Build took: 0:10:10.303867