[d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function
Egor Ignatov
egori at altlinux.org
Wed May 6 20:37:18 MSK 2026
From: Jeremy Cline <jcline at redhat.com>
In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the security_lock_kernel_down() function.
Based on Fedora patches:
- security: lockdown: expose a hook to lock the kernel down
- efi,lockdown: fix kernel lockdown on Secure Boot
Signed-off-by: Jeremy Cline <jcline at redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
Signed-off-by: Egor Ignatov <egori at altlinux.org>
---
include/linux/security.h | 9 +++++++++
security/lockdown/lockdown.c | 11 +++++++++++
2 files changed, 20 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index ee88dd2d2d..5c816f0b8b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2405,4 +2405,13 @@ static inline void security_initramfs_populated(void)
}
#endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
+extern int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+#else
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return 0;
+}
+#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+
#endif /* ! __LINUX_SECURITY_H */
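Review bot: the `extern` on the prototype in the `#ifdef CONFIG_SECURITY_LOCKDOWN_LSM` branch will be flagged by checkpatch ("extern prototypes should be avoided in .h files"); drop it and declare `int security_lock_kernel_down(const char *where, enum lockdown_reason level);` like the other `security_*` prototypes in this header. The `#else` stub also deserves a one-line comment: it returns 0, so a caller on a kernel built without the lockdown LSM sees the same "success" as one that actually locked the kernel down. The EFI Secure Boot caller this series adds must therefore not treat a 0 return as confirmation that lockdown is in effect; either document that here or have the stub return an error (e.g. -EOPNOTSUPP) so the difference is visible.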
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8d46886d2c..14a9cdff94 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
return 0;
}
+/**
+ * security_lock_kernel_down() - Put the kernel into lock-down mode.
+ *
+ * @where: Where the lock-down is originating from (e.g. command line option)
+ * @level: The lock-down level (can only increase)
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return lock_kernel_down(where, level);
+}
+
static struct security_hook_list lockdown_hooks[] __ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
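Review bot: the new kerneldoc block is missing a `Return:` line; since the function just forwards to `lock_kernel_down()`, document what that returns (success, and the error when @level does not exceed the current level, which is what "can only increase" implies). More importantly, this wrapper calls `lock_kernel_down()` directly rather than going through the LSM hook list below, while enforcement still relies on `lockdown_is_locked_down` being registered via `lockdown_hooks[]`. If the lockdown LSM is compiled in but not enabled in the `lsm=` list, a caller of `security_lock_kernel_down()` gets a successful return and a recorded level without any hook in place to enforce it. Either check that the lockdown LSM has been initialised before honouring the request, or state in the comment that callers are responsible for that, so the Secure Boot path in the follow-up patch does not silently report a lockdown that is not enforced.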
--
2.50.1