Re: [PATCH 3/3] tracing: Do not create directories if lockdown is in affect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I should have marked this for stable. The commit it fixes (see Fixes tag) is
in 5.4, and it appears this has yet to make it to 5.4 yet.

-- Steve


On Wed, Dec 04, 2019 at 09:05:02PM -0500, Steven Rostedt wrote:
> From: "Steven Rostedt (VMware)" <rostedt@xxxxxxxxxxx>
> 
> If lockdown is disabling tracing on boot up, it prevents the tracing files
> from even bering created. But when that happens, there's several places that
> will give a warning that the files were not created as that is usually a
> sign of a bug.
> 
> Add in strategic locations where a check is made to see if tracing is
> disabled by lockdown, and if it is, do not go further, and fail silently
> (but print that tracing is disabled by lockdown, without doing a WARN_ON()).
> 
> Cc: Matthew Garrett <mjg59@xxxxxxxxxx>
> Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
> Signed-off-by: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>
> ---
>  kernel/trace/ring_buffer.c |  6 ++++++
>  kernel/trace/trace.c       | 17 +++++++++++++++++
>  2 files changed, 23 insertions(+)
> 
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index 66358d66c933..4bf050fcfe3b 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -11,6 +11,7 @@
>  #include <linux/trace_seq.h>
>  #include <linux/spinlock.h>
>  #include <linux/irq_work.h>
> +#include <linux/security.h>
>  #include <linux/uaccess.h>
>  #include <linux/hardirq.h>
>  #include <linux/kthread.h>	/* for self test */
> @@ -5068,6 +5069,11 @@ static __init int test_ringbuffer(void)
>  	int cpu;
>  	int ret = 0;
>  
> +	if (security_locked_down(LOCKDOWN_TRACEFS)) {
> +		pr_warning("Lockdown is enabled, skipping ring buffer tests\n");
> +		return 0;
> +	}
> +
>  	pr_info("Running ring buffer tests...\n");
>  
>  	buffer = ring_buffer_alloc(RB_TEST_BUFFER_SIZE, RB_FL_OVERWRITE);
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 02a23a6e5e00..23459d53d576 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -1888,6 +1888,12 @@ int __init register_tracer(struct tracer *type)
>  		return -1;
>  	}
>  
> +	if (security_locked_down(LOCKDOWN_TRACEFS)) {
> +		pr_warning("Can not register tracer %s due to lockdown\n",
> +			   type->name);
> +		return -EPERM;
> +	}
> +
>  	mutex_lock(&trace_types_lock);
>  
>  	tracing_selftest_running = true;
> @@ -8789,6 +8795,11 @@ struct dentry *tracing_init_dentry(void)
>  {
>  	struct trace_array *tr = &global_trace;
>  
> +	if (security_locked_down(LOCKDOWN_TRACEFS)) {
> +		pr_warning("Tracing disabled due to lockdown\n");
> +		return ERR_PTR(-EPERM);
> +	}
> +
>  	/* The top level trace array uses  NULL as parent */
>  	if (tr->dir)
>  		return NULL;
> @@ -9231,6 +9242,12 @@ __init static int tracer_alloc_buffers(void)
>  	int ring_buf_size;
>  	int ret = -ENOMEM;
>  
> +
> +	if (security_locked_down(LOCKDOWN_TRACEFS)) {
> +		pr_warning("Tracing disabled due to lockdown\n");
> +		return -EPERM;
> +	}
> +
>  	/*
>  	 * Make sure we don't accidently add more trace options
>  	 * than we have bits for.
> -- 
> 2.24.0
> 



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux