summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorMatthew Garrett <matthewgarrett@google.com>2019-08-20 02:18:03 +0200
committerJames Morris <jmorris@namei.org>2019-08-20 06:54:17 +0200
commitccbd54ff54e8b1880456b81c4aea352ebe208843 (patch)
tree86b2e1acc2014eea41ceb006e17459b0878bd764 /security
parentdebugfs: Restrict debugfs when the kernel is locked down (diff)
downloadlinux-ccbd54ff54e8b1880456b81c4aea352ebe208843.tar.xz
linux-ccbd54ff54e8b1880456b81c4aea352ebe208843.zip
tracefs: Restrict tracefs when the kernel is locked down
Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open(). (Fixed by Ben Hutchings to avoid a null dereference in default_file_open()) Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/lockdown/lockdown.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index edd1fff0147d..84df03b1f5a7 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -36,6 +36,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_KPROBES] = "use of kprobes",
[LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
[LOCKDOWN_PERF] = "unsafe use of perf",
+ [LOCKDOWN_TRACEFS] = "use of tracefs",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};