From: David Howells <dhowells@xxxxxxxxxx> Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. This is limited to lockdown confidentiality mode and is still permitted in integrity mode. Signed-off-by: David Howells <dhowells@xxxxxxxxxx> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx> --- fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index bbcc185062bb..1c556a453569 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore", LOCKDOWN_CONFIDENTIALITY)) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM; -- 2.21.0.392.gf8f6787159e-goog