lockdown: Print current->comm in restriction messages
authorMatthew Garrett <matthewgarrett@google.com>
Tue, 20 Aug 2019 00:18:05 +0000 (17:18 -0700)
committerJames Morris <jmorris@namei.org>
Tue, 20 Aug 2019 04:54:17 +0000 (21:54 -0700)
Print the content of current->comm in messages generated by lockdown to
indicate a restriction that was hit.  This makes it a bit easier to find
out what caused the message.

The message is now patterned something like:

        Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <jmorris@namei.org>
fs/proc/kcore.c
security/lockdown/lockdown.c

index ee2c576cc94ea9a2786c8a774a0c73ead77b1e95..e2ed8e08cc7adc2b6bb7739e245002ca53f5c873 100644 (file)
@@ -548,11 +548,12 @@ static int open_kcore(struct inode *inode, struct file *filp)
 {
        int ret = security_locked_down(LOCKDOWN_KCORE);
 
-       if (ret)
-               return ret;
        if (!capable(CAP_SYS_RAWIO))
                return -EPERM;
 
+       if (ret)
+               return ret;
+
        filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
        if (!filp->private_data)
                return -ENOMEM;
index 84df03b1f5a75bc9f288faa122aba2d054147cc1..0068cec77c05b51d60ad1b3fae65a45084eb0264 100644 (file)
@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param);
  */
 static int lockdown_is_locked_down(enum lockdown_reason what)
 {
+       if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
+                "Invalid lockdown reason"))
+               return -EPERM;
+
        if (kernel_locked_down >= what) {
                if (lockdown_reasons[what])
-                       pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-                                 lockdown_reasons[what]);
+                       pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
+                                 current->comm, lockdown_reasons[what]);
                return -EPERM;
        }