* [PATCH V32 08/27] hibernate: Disable when the kernel is locked down
[not found] <20190404003249.14356-1-matthewgarrett@google.com>
@ 2019-04-04 0:32 ` Matthew Garrett
2019-04-04 0:32 ` [PATCH V32 09/27] uswsusp: " Matthew Garrett
1 sibling, 0 replies; 2+ messages in thread
From: Matthew Garrett @ 2019-04-04 0:32 UTC (permalink / raw)
To: jmorris
Cc: linux-security-module, linux-kernel, dhowells, linux-api, luto,
Josh Boyer, Matthew Garrett, rjw, pavel, linux-pm
From: Josh Boyer <jwboyer@fedoraproject.org>
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
---
kernel/power/hibernate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..928b198cfa26 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops;
bool hibernation_available(void)
{
- return (nohibernate == 0);
+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation",
+ LOCKDOWN_INTEGRITY);
}
/**
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH V32 09/27] uswsusp: Disable when the kernel is locked down
[not found] <20190404003249.14356-1-matthewgarrett@google.com>
2019-04-04 0:32 ` [PATCH V32 08/27] hibernate: Disable when the kernel is locked down Matthew Garrett
@ 2019-04-04 0:32 ` Matthew Garrett
1 sibling, 0 replies; 2+ messages in thread
From: Matthew Garrett @ 2019-04-04 0:32 UTC (permalink / raw)
To: jmorris
Cc: linux-security-module, linux-kernel, dhowells, linux-api, luto,
Matthew Garrett, Matthew Garrett, linux-pm, pavel, rjw
From: Matthew Garrett <mjg59@srcf.ucam.org>
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
cc: linux-pm@vger.kernel.org
Cc: pavel@ucw.cz
Cc: rjw@rjwysocki.net
---
kernel/power/user.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 2d8b60a3c86b..99e13fd13237 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
if (!hibernation_available())
return -EPERM;
+ if (kernel_is_locked_down("/dev/snapshot", LOCKDOWN_INTEGRITY))
+ return -EPERM;
+
lock_system_sleep();
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-04-04 0:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20190404003249.14356-1-matthewgarrett@google.com>
2019-04-04 0:32 ` [PATCH V32 08/27] hibernate: Disable when the kernel is locked down Matthew Garrett
2019-04-04 0:32 ` [PATCH V32 09/27] uswsusp: " Matthew Garrett
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).