queue-6.1/s390-hypfs-enable-limited-access-during-lockdown.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 4ccd2e8dac0336a98f05e0b0fe4dfb3718f46e03 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Thu, 21 Aug 2025 15:12:37 +0200
 Subject: s390/hypfs: Enable limited access during lockdown

 From: Peter Oberparleiter <oberpar@linux.ibm.com>

 [ Upstream commit 3868f910440c47cd5d158776be4ba4e2186beda7 ]

 When kernel lockdown is active, debugfs_locked_down() blocks access to
 hypfs files that register ioctl callbacks, even if the ioctl interface
 is not required for a function. This unnecessarily breaks userspace
 tools that only rely on read operations.

 Resolve this by registering a minimal set of file operations during
 lockdown, avoiding ioctl registration and preserving access for affected
 tooling.

 Note that this change restores hypfs functionality when lockdown is
 active from early boot (e.g. via lockdown=integrity kernel parameter),
 but does not apply to scenarios where lockdown is enabled dynamically
 while Linux is running.

 Tested-by: Mete Durlu <meted@linux.ibm.com>
 Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
 Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
 Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
 Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  arch/s390/hypfs/hypfs_dbfs.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c
 index c5f53dc3dbbc..5848f2e374a6 100644
 --- a/arch/s390/hypfs/hypfs_dbfs.c
 +++ b/arch/s390/hypfs/hypfs_dbfs.c
 @@ -6,6 +6,7 @@
   * Author(s): Michael Holzheu <holzheu@linux.vnet.ibm.com>
   */

 +#include <linux/security.h>
  #include <linux/slab.h>
  #include "hypfs.h"

 @@ -83,7 +84,7 @@ void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df)
  {
  	const struct file_operations *fops = &dbfs_ops;

 -	if (df->unlocked_ioctl)
 +	if (df->unlocked_ioctl && !security_locked_down(LOCKDOWN_DEBUGFS))
  		fops = &dbfs_ops_ioctl;
  	df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops);
  	mutex_init(&df->lock);
 --
 2.50.1
	From 4ccd2e8dac0336a98f05e0b0fe4dfb3718f46e03 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Thu, 21 Aug 2025 15:12:37 +0200
	Subject: s390/hypfs: Enable limited access during lockdown

	From: Peter Oberparleiter <oberpar@linux.ibm.com>

	[ Upstream commit 3868f910440c47cd5d158776be4ba4e2186beda7 ]

	When kernel lockdown is active, debugfs_locked_down() blocks access to
	hypfs files that register ioctl callbacks, even if the ioctl interface
	is not required for a function. This unnecessarily breaks userspace
	tools that only rely on read operations.

	Resolve this by registering a minimal set of file operations during
	lockdown, avoiding ioctl registration and preserving access for affected
	tooling.

	Note that this change restores hypfs functionality when lockdown is
	active from early boot (e.g. via lockdown=integrity kernel parameter),
	but does not apply to scenarios where lockdown is enabled dynamically
	while Linux is running.

	Tested-by: Mete Durlu <meted@linux.ibm.com>
	Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
	Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
	Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
	Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	arch/s390/hypfs/hypfs_dbfs.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c
	index c5f53dc3dbbc..5848f2e374a6 100644
	--- a/arch/s390/hypfs/hypfs_dbfs.c
	+++ b/arch/s390/hypfs/hypfs_dbfs.c
	@@ -6,6 +6,7 @@
	* Author(s): Michael Holzheu <holzheu@linux.vnet.ibm.com>
	*/

	+#include <linux/security.h>
	#include <linux/slab.h>
	#include "hypfs.h"

	@@ -83,7 +84,7 @@ void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df)
	{
	const struct file_operations *fops = &dbfs_ops;

	- if (df->unlocked_ioctl)
	+ if (df->unlocked_ioctl && !security_locked_down(LOCKDOWN_DEBUGFS))
	fops = &dbfs_ops_ioctl;
	df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops);
	mutex_init(&df->lock);
	--
	2.50.1