From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66EBA296BDF; Tue, 26 Aug 2025 14:44:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756219492; cv=none; b=UILscP67UJSOoC6XeFLdqW7T29BzHwDXNAqcDVf2U++Ubgl+H+V+oJHKOjRqw9hP4Mzx7Dd3XpMtE3WqZFgoqbytWrScvuD6t3m8zuBJSQZOqE/F7tIQZZhIiJInijAkFiljYh420SqH48IRpNA1pOdfReH9W7WH85fMf+4EpLM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756219492; c=relaxed/simple; bh=5bmVF2pJ81A1F+14sPcz6rXnxQytUH1NaMnnI65zEtM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=n1bTBUXof/MKAW14YSG4EskutGgVVm4hkaDThQkjQ0SsFGVy8YcGke8YKXRXTtTYFrOccmi5D57KRwoGvnNaUt7743Raiz3xSnq6z5inNPQn09PU5PG2hAeXNKjDCH9ozEwJ+8Qdi/ccYr+K1GZyz6W17WFmacBMsmo9y+Nhedg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=BAYcbsuJ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="BAYcbsuJ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF1E3C4CEF1; Tue, 26 Aug 2025 14:44:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1756219492; bh=5bmVF2pJ81A1F+14sPcz6rXnxQytUH1NaMnnI65zEtM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BAYcbsuJmEgqB6nxDbPqnNkoAVnSqJHCmg02l+L9+v5hYPW4rnJs2CZeWpU8IiBsg UwtQ71vUlUUxwC5Z9x4FQAsg29ndGqwzSctxsqjPsC3P0080d8LLUXhIIuFzkGZwK5 KlNcsFnU0N8PM1gbt8mVkCWDc8hw+lxmtDzWmc0A= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mete Durlu , Vasily Gorbik , Peter Oberparleiter , Alexander Gordeev , Sasha Levin Subject: [PATCH 5.4 403/403] s390/hypfs: Enable limited access during lockdown Date: Tue, 26 Aug 2025 13:12:09 +0200 Message-ID: <20250826110918.174424369@linuxfoundation.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250826110905.607690791@linuxfoundation.org> References: <20250826110905.607690791@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Peter Oberparleiter [ Upstream commit 3868f910440c47cd5d158776be4ba4e2186beda7 ] When kernel lockdown is active, debugfs_locked_down() blocks access to hypfs files that register ioctl callbacks, even if the ioctl interface is not required for a function. This unnecessarily breaks userspace tools that only rely on read operations. Resolve this by registering a minimal set of file operations during lockdown, avoiding ioctl registration and preserving access for affected tooling. Note that this change restores hypfs functionality when lockdown is active from early boot (e.g. via lockdown=integrity kernel parameter), but does not apply to scenarios where lockdown is enabled dynamically while Linux is running. Tested-by: Mete Durlu Reviewed-by: Vasily Gorbik Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down") Signed-off-by: Peter Oberparleiter Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin --- arch/s390/hypfs/hypfs_dbfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c index c5f53dc3dbbc..5848f2e374a6 100644 --- a/arch/s390/hypfs/hypfs_dbfs.c +++ b/arch/s390/hypfs/hypfs_dbfs.c @@ -6,6 +6,7 @@ * Author(s): Michael Holzheu */ +#include #include #include "hypfs.h" @@ -83,7 +84,7 @@ void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df) { const struct file_operations *fops = &dbfs_ops; - if (df->unlocked_ioctl) + if (df->unlocked_ioctl && !security_locked_down(LOCKDOWN_DEBUGFS)) fops = &dbfs_ops_ioctl; df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops); mutex_init(&df->lock); -- 2.50.1