From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Yue Haibing <yuehaibing@huawei.com>,
Tanya Agarwal <tanyaagarwal25699@gmail.com>,
Kees Cook <kees@kernel.org>,
linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Subject: [PATCH 1/2] security: introduce security_lock_kernel_down()
Date: Thu, 26 Jun 2025 15:10:38 -0700 [thread overview]
Message-ID: <1750975839-32463-2-git-send-email-hamzamahfooz@linux.microsoft.com> (raw)
In-Reply-To: <1750975839-32463-1-git-send-email-hamzamahfooz@linux.microsoft.com>
Define and export security_lock_kernel_down(), so that we can lock down
the kernel from other parts of the kernel.
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 8 ++++++++
security/lockdown/lockdown.c | 1 +
security/security.c | 15 +++++++++++++++
4 files changed, 25 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index bf3bbac4e02a..08ffd103c863 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -442,6 +442,7 @@ LSM_HOOK(int, 0, bpf_token_cmd, const struct bpf_token *token, enum bpf_cmd cmd)
LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
#endif /* CONFIG_BPF_SYSCALL */
+LSM_HOOK(int, 0, lock_down, const char *where, enum lockdown_reason level)
LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
#ifdef CONFIG_PERF_EVENTS
diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..373f8dd2a265 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -573,6 +573,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
int security_locked_down(enum lockdown_reason what);
int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
void *val, size_t val_len, u64 id, u64 flags);
@@ -1576,6 +1577,13 @@ static inline int security_inode_getsecctx(struct inode *inode,
{
return -EOPNOTSUPP;
}
+
+static inline int security_lock_kernel_down(const char *where,
+ enum lockdown_reason level)
+{
+ return -EOPNOTSUPP;
+}
+
static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index cf83afa1d879..3839a62c2c17 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
}
static struct security_hook_list lockdown_hooks[] __ro_after_init = {
+ LSM_HOOK_INIT(lock_down, lock_kernel_down),
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..51fbe8124388 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5789,6 +5789,21 @@ void security_bpf_token_free(struct bpf_token *token)
}
#endif /* CONFIG_BPF_SYSCALL */
+/**
+ * security_lock_kernel_down() - Lock down the kernel
+ * @where: the location from where the lock down is being initiated
+ * @level: requested lock down level
+ *
+ * Attempt to lock down the kernel at the requested level.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return call_int_hook(lock_down, where, level);
+}
+EXPORT_SYMBOL(security_lock_kernel_down);
+
/**
* security_locked_down() - Check if a kernel feature is allowed
* @what: requested kernel feature
--
2.49.0
next prev parent reply other threads:[~2025-06-26 22:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-26 22:10 [PATCH 0/2] Secure Boot lock down Hamza Mahfooz
2025-06-26 22:10 ` Hamza Mahfooz [this message]
2025-06-26 22:10 ` [PATCH 2/2] efi: introduce EFI_KERNEL_LOCK_DOWN_IN_SECURE_BOOT Hamza Mahfooz
2025-07-16 21:29 ` [PATCH 0/2] Secure Boot lock down Hamza Mahfooz
2025-07-17 18:22 ` Paul Moore
2025-07-24 12:59 ` Nicolas Bouchinet
2025-07-24 14:13 ` sergeh
2025-07-24 15:03 ` Nicolas Bouchinet
2025-07-25 2:43 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1750975839-32463-2-git-send-email-hamzamahfooz@linux.microsoft.com \
--to=hamzamahfooz@linux.microsoft.com \
--cc=ardb@kernel.org \
--cc=jmorris@namei.org \
--cc=kees@kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=tanyaagarwal25699@gmail.com \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox