From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Yue Haibing <yuehaibing@huawei.com>,
	Tanya Agarwal <tanyaagarwal25699@gmail.com>,
	Kees Cook <kees@kernel.org>,
	linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
	Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Subject: [PATCH 1/2] security: introduce security_lock_kernel_down()
Date: Thu, 26 Jun 2025 15:10:38 -0700	[thread overview]
Message-ID: <1750975839-32463-2-git-send-email-hamzamahfooz@linux.microsoft.com> (raw)
In-Reply-To: <1750975839-32463-1-git-send-email-hamzamahfooz@linux.microsoft.com>

Define and export security_lock_kernel_down(), so that we can lock down
the kernel from other parts of the kernel.

Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
---
 include/linux/lsm_hook_defs.h |  1 +
 include/linux/security.h      |  8 ++++++++
 security/lockdown/lockdown.c  |  1 +
 security/security.c           | 15 +++++++++++++++
 4 files changed, 25 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index bf3bbac4e02a..08ffd103c863 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -442,6 +442,7 @@ LSM_HOOK(int, 0, bpf_token_cmd, const struct bpf_token *token, enum bpf_cmd cmd)
 LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
 #endif /* CONFIG_BPF_SYSCALL */
 
+LSM_HOOK(int, 0, lock_down, const char *where, enum lockdown_reason level)
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
 
 #ifdef CONFIG_PERF_EVENTS
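Review bot: the default return value of 0 declared here for the new `lock_down` hook does not match the `!CONFIG_SECURITY` stub in include/linux/security.h, which returns -EOPNOTSUPP; with CONFIG_SECURITY=y but the lockdown LSM disabled, `call_int_hook(lock_down, ...)` will report success even though nothing was locked down, so a caller cannot tell the two cases apart. Either make the default -EOPNOTSUPP (`LSM_HOOK(int, -EOPNOTSUPP, lock_down, ...)`) so the built-in and stub paths agree, or document that 0 means "no lockdown LSM present" and have callers check `security_locked_down()` afterwards. The hook name `lock_down` sitting directly beside `locked_down` is also easy to misread; a more distinct name (for example `lockdown_set`) would help.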
diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..373f8dd2a265 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -573,6 +573,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
 int security_locked_down(enum lockdown_reason what);
 int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
 		      void *val, size_t val_len, u64 id, u64 flags);
@@ -1576,6 +1577,13 @@ static inline int security_inode_getsecctx(struct inode *inode,
 {
 	return -EOPNOTSUPP;
 }
+
+static inline int security_lock_kernel_down(const char *where,
+					    enum lockdown_reason level)
+{
+    return -EOPNOTSUPP;
+}
+
 static inline int security_locked_down(enum lockdown_reason what)
 {
 	return 0;
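Review bot: the body of the new stub uses four spaces for indentation (`+    return -EOPNOTSUPP;`) while the surrounding stubs use a tab; checkpatch will flag this, so please use a tab. The stub's -EOPNOTSUPP return also differs from the hook's default of 0 in lsm_hook_defs.h, so the same caller gets different results depending only on CONFIG_SECURITY; the two should be aligned and the chosen semantics stated in the kernel-doc comment.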
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index cf83afa1d879..3839a62c2c17 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
 }
 
 static struct security_hook_list lockdown_hooks[] __ro_after_init = {
+	LSM_HOOK_INIT(lock_down, lock_kernel_down),
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
 };
 
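Review bot: `LSM_HOOK_INIT(lock_down, lock_kernel_down)` binds the hook to the existing static `lock_kernel_down()` in this file, but the hunk does not show that function, so a reviewer cannot confirm its prototype matches the hook's `(const char *where, enum lockdown_reason level)` or what it returns when the kernel is already locked down at or above the requested level. Please mention in the commit message that this reuses the existing function and what error callers should expect in that case, since the hook is now reachable from other subsystems rather than only from the LSM's own init path.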
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..51fbe8124388 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5789,6 +5789,21 @@ void security_bpf_token_free(struct bpf_token *token)
 }
 #endif /* CONFIG_BPF_SYSCALL */
 
+/**
+ * security_lock_kernel_down() - Lock down the kernel
+ * @where: the location from where the lock down is being initiated
+ * @level: requested lock down level
+ *
+ * Attempt to lock down the kernel at the requested level.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return call_int_hook(lock_down, where, level);
+}
+EXPORT_SYMBOL(security_lock_kernel_down);
+
 /**
  * security_locked_down() - Check if a kernel feature is allowed
  * @what: requested kernel feature
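Review bot: `EXPORT_SYMBOL(security_lock_kernel_down)` makes a function that raises the lockdown level callable from any loadable module; if the only intended caller is the built-in EFI code in patch 2/2, no export is needed, and if modules do need it, `EXPORT_SYMBOL_GPL` is the better fit for an LSM entry point. The kernel-doc "Return:" line should also say which errors are possible (at least -EOPNOTSUPP when no lockdown LSM is active, plus whatever `lock_kernel_down()` returns), and the "@level: requested lock down level" text should clarify that this is a `lockdown_reason` value such as the integrity or confidentiality level rather than a single feature.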
-- 
2.49.0

