| From a356646a56857c2e5ad875beec734d7145ecd49a Mon Sep 17 00:00:00 2001 |
| From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> |
| Date: Mon, 2 Dec 2019 16:25:27 -0500 |
| Subject: tracing: Do not create directories if lockdown is in affect |
| |
| From: Steven Rostedt (VMware) <rostedt@goodmis.org> |
| |
| commit a356646a56857c2e5ad875beec734d7145ecd49a upstream. |
| |
| If lockdown is disabling tracing on boot up, it prevents the tracing files |
| from even being created. But when that happens, there are several places that |
| will give a warning that the files were not created as that is usually a |
| sign of a bug. |
| |
| Add in strategic locations where a check is made to see if tracing is |
| disabled by lockdown, and if it is, do not go further, and fail silently |
| (but print that tracing is disabled by lockdown, without doing a WARN_ON()). |
| |
| Cc: Matthew Garrett <mjg59@google.com> |
| Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs") |
| Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/trace/ring_buffer.c | 6 ++++++ |
| kernel/trace/trace.c | 17 +++++++++++++++++ |
| 2 files changed, 23 insertions(+) |
| |
| --- a/kernel/trace/ring_buffer.c |
| +++ b/kernel/trace/ring_buffer.c |
| @@ -11,6 +11,7 @@ |
| #include <linux/trace_seq.h> |
| #include <linux/spinlock.h> |
| #include <linux/irq_work.h> |
| +#include <linux/security.h> |
| #include <linux/uaccess.h> |
| #include <linux/hardirq.h> |
| #include <linux/kthread.h> /* for self test */ |
| @@ -5068,6 +5069,11 @@ static __init int test_ringbuffer(void) |
| int cpu; |
| int ret = 0; |
| |
| + if (security_locked_down(LOCKDOWN_TRACEFS)) { |
| + pr_warning("Lockdown is enabled, skipping ring buffer tests\n"); |
| + return 0; |
| + } |
| + |
| pr_info("Running ring buffer tests...\n"); |
| |
| buffer = ring_buffer_alloc(RB_TEST_BUFFER_SIZE, RB_FL_OVERWRITE); |
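Review bot: `pr_warning()` in the added block is the older spelling that checkpatch asks to replace with `pr_warn()`. The same call appears in the lockdown checks this patch adds to register_tracer(), tracing_init_dentry() and tracer_alloc_buffers() in trace.c. Writing `pr_warn("Lockdown is enabled, skipping ring buffer tests\n");` here, and `pr_warn(...)` in the other three places, keeps the new code on the preferred name. test_ringbuffer() continues past the end of this hunk.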
| --- a/kernel/trace/trace.c |
| +++ b/kernel/trace/trace.c |
| @@ -1804,6 +1804,12 @@ int __init register_tracer(struct tracer |
| return -1; |
| } |
| |
| + if (security_locked_down(LOCKDOWN_TRACEFS)) { |
| + pr_warning("Can not register tracer %s due to lockdown\n", |
| + type->name); |
| + return -EPERM; |
| + } |
| + |
| mutex_lock(&trace_types_lock); |
| |
| tracing_selftest_running = true; |
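Review bot: The new `return -EPERM;` has the same numeric value as the bare `return -1;` on the error path directly above it, so a caller of register_tracer() that looks only at the return code cannot tell a lockdown refusal from that earlier rejection. A short comment above the check would record the intent, for example `/* Locked down: refuse before any tracer selftest is started */`. Returning the value that `security_locked_down()` itself reports, instead of a hard-coded errno, would also keep this path in step with the LSM hook. The function begins and ends outside this hunk.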
| @@ -8647,6 +8653,11 @@ struct dentry *tracing_init_dentry(void) |
| { |
| struct trace_array *tr = &global_trace; |
| |
| + if (security_locked_down(LOCKDOWN_TRACEFS)) { |
| + pr_warning("Tracing disabled due to lockdown\n"); |
| + return ERR_PTR(-EPERM); |
| + } |
| + |
| /* The top level trace array uses NULL as parent */ |
| if (tr->dir) |
| return NULL; |
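Review bot: The `pr_warning("Tracing disabled due to lockdown\n")` added to tracing_init_dentry() prints on every call while lockdown is active. The function is not marked `__init`, so it is presumably reached from several init paths, and tracer_alloc_buffers() prints the same string. `pr_warn_once("Tracing disabled due to lockdown\n");` would keep the boot log to a single line. The function now has three outcomes for callers, `ERR_PTR(-EPERM)` under lockdown, `NULL` for the already-initialised top-level array, and whatever the rest of the body returns; a comment above the function stating that the error pointer is an expected, quiet failure would help callers avoid a WARN_ON(). The body continues outside the hunk.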
| @@ -9089,6 +9100,12 @@ __init static int tracer_alloc_buffers(v |
| int ring_buf_size; |
| int ret = -ENOMEM; |
| |
| + |
| + if (security_locked_down(LOCKDOWN_TRACEFS)) { |
| + pr_warning("Tracing disabled due to lockdown\n"); |
| + return -EPERM; |
| + } |
| + |
| /* |
| * Make sure we don't accidently add more trace options |
| * than we have bits for. |
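Review bot: The added block in tracer_alloc_buffers() opens with a second blank line after the one that already follows the declarations; the extra `+` blank line should be dropped. A one-line comment such as `/* Locked down at boot: set nothing up, so no tracefs files get created */` would record why the function returns before the rest of its setup, which the commit message explains but the code does not. Note also that this check samples the lockdown state once, at init. If lockdown can be raised later, the open-time checks from the commit named in the Fixes: trailer remain the enforcement point, and that is worth saying in the same comment. The function continues past the end of this hunk.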