Commit b602614

Matthew Garrett authored and James Morris committed
lockdown: Print current->comm in restriction messages
Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message.

The message is now patterned something like:

        Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells <[email protected]>
Signed-off-by: Matthew Garrett <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
1 parent 1957a85 commit b602614

2 files changed, +9 -4 lines changed

fs/proc/kcore.c

Lines changed: 3 additions & 2 deletions
@@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp)
548548
{
549549
int ret = security_locked_down(LOCKDOWN_KCORE);
550550

551-
if (ret)
552-
return ret;
553551
if (!capable(CAP_SYS_RAWIO))
554552
return -EPERM;
555553

554+
if (ret)
555+
return ret;
556+
556557
filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
557558
if (!filp->private_data)
558559
return -ENOMEM;
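
Review bot: security_locked_down(LOCKDOWN_KCORE) is still called in the declaration at the top of open_kcore(), before the capable(CAP_SYS_RAWIO) check, so moving only the "if (ret) return ret;" test changes the order of the two return paths but not whether the hook runs. If the hook logs the way lockdown_is_locked_down() does in the other file of this commit, a caller without CAP_SYS_RAWIO still produces a lockdown notice even though it is then refused on capability grounds. Consider calling security_locked_down() after the capable() check so that only callers who would otherwise succeed are logged. The reordering is also not mentioned in the commit message, which describes only the current->comm change; it deserves a sentence there or a patch of its own.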

security/lockdown/lockdown.c

Lines changed: 6 additions & 2 deletions
@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param);
8181
*/
8282
static int lockdown_is_locked_down(enum lockdown_reason what)
8383
{
84+
if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
85+
"Invalid lockdown reason"))
86+
return -EPERM;
87+
8488
if (kernel_locked_down >= what) {
8589
if (lockdown_reasons[what])
86-
pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
87-
lockdown_reasons[what]);
90+
pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
91+
current->comm, lockdown_reasons[what]);
8892
return -EPERM;
8993
}
9094
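
Review bot: current->comm in the new pr_notice() is a name the task can set for itself (for example with prctl(PR_SET_NAME)), so the log line records what the process calls itself, not which binary ran. Consider printing the pid next to it, e.g. task_pid_nr(current), so the notice can be correlated with audit or process records. On the added bounds check at the top of the function: WARN() fires on every call with an out-of-range reason, so WARN_ONCE() would avoid repeated backtraces if a caller passes a bad value in a loop. The check itself is worth keeping, since "what" indexes lockdown_reasons[].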
