diff mbox series

[2/6] cxl/pci: Fix lockdown level

Message ID 163072204525.2250120.16615792476976546735.stgit@dwillia2-desk3.amr.corp.intel.com
State Accepted
Commit 9e56614c44b994b78fc9fcb2070bcbe3f5df0d7b
Series cxl fixes for v5.15-rc1

Commit Message

Dan Williams Sept. 4, 2021, 2:20 a.m. UTC
A proposed rework of security_locked_down() users identified that the
cxl_pci driver was passing the wrong lockdown_reason. Update
cxl_mem_raw_command_allowed() to fail raw command access when raw pci
access is also disabled.

Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
Cc: Ben Widawsky <ben.widawsky@intel.com>
Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: <stable@vger.kernel.org>
Cc: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/cxl/pci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Dan Williams Sept. 7, 2021, 5:38 p.m. UTC | #1
On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> >
> > A proposed rework of security_locked_down() users identified that the
> > cxl_pci driver was passing the wrong lockdown_reason. Update
> > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > access is also disabled.
> >
> > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > Cc: <stable@vger.kernel.org>
> > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> >  drivers/cxl/pci.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Hi Dan,
>
> Thanks for fixing this up.  Would you mind if this was included in
> Ondrej's patchset, or would you prefer to merge it via another tree
> (e.g. cxl)?

I was planning to merge this via the cxl tree for v5.15-rc1.
Paul Moore Sept. 7, 2021, 7:46 p.m. UTC | #2
On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote:
> On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
> >
> > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > >
> > > A proposed rework of security_locked_down() users identified that the
> > > cxl_pci driver was passing the wrong lockdown_reason. Update
> > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > > access is also disabled.
> > >
> > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > > Cc: <stable@vger.kernel.org>
> > > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > > Cc: Paul Moore <paul@paul-moore.com>
> > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > ---
> > >  drivers/cxl/pci.c |    2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Hi Dan,
> >
> > Thanks for fixing this up.  Would you mind if this was included in
> > Ondrej's patchset, or would you prefer to merge it via another tree
> > (e.g. cxl)?
>
> I was planning to merge this via the cxl tree for v5.15-rc1.

Okay, thanks.

-- 
paul moore
www.paul-moore.com
Ondrej Mosnacek Sept. 10, 2021, 12:55 p.m. UTC | #3
On Tue, Sep 7, 2021 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
> > >
> > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > > >
> > > > A proposed rework of security_locked_down() users identified that the
> > > > cxl_pci driver was passing the wrong lockdown_reason. Update
> > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > > > access is also disabled.
> > > >
> > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > > > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > > > Cc: <stable@vger.kernel.org>
> > > > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > > ---
> > > >  drivers/cxl/pci.c |    2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > Hi Dan,
> > >
> > > Thanks for fixing this up.  Would you mind if this was included in
> > > Ondrej's patchset, or would you prefer to merge it via another tree
> > > (e.g. cxl)?
> >
> > I was planning to merge this via the cxl tree for v5.15-rc1.
>
> Okay, thanks.

And I can see the patch is now in Linus' tree, so if Paul agrees I'll
rebase the patch on top of v5.15-rc1 once it's tagged and do one more
respin. There are a few other minor conflicts and one new
security_locked_down() call to cover, anyway.

Dan, is it okay if I preserve your Acked-by from the last version?
There will be no other change in the cxl area than rebasing on top of
this patch.

Thank you for taking care of the fix!

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
Dan Williams Sept. 10, 2021, 2:56 p.m. UTC | #4
On Fri, Sep 10, 2021 at 5:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Sep 7, 2021 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote:
> > > >
> > > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote:
> > > > >
> > > > > A proposed rework of security_locked_down() users identified that the
> > > > > cxl_pci driver was passing the wrong lockdown_reason. Update
> > > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci
> > > > > access is also disabled.
> > > > >
> > > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command")
> > > > > Cc: Ben Widawsky <ben.widawsky@intel.com>
> > > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > > > > Cc: <stable@vger.kernel.org>
> > > > > Cc: Ondrej Mosnacek <omosnace@redhat.com>
> > > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > > > ---
> > > > >  drivers/cxl/pci.c |    2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > Hi Dan,
> > > >
> > > > Thanks for fixing this up.  Would you mind if this was included in
> > > > Ondrej's patchset, or would you prefer to merge it via another tree
> > > > (e.g. cxl)?
> > >
> > > I was planning to merge this via the cxl tree for v5.15-rc1.
> >
> > Okay, thanks.
>
> And I can see the patch is now in Linus' tree, so if Paul agrees I'll
> rebase the patch on top of v5.15-rc1 once it's tagged and do one more
> respin. There are a few other minor conflicts and one new
> security_locked_down() call to cover, anyway.
>
> Dan, is it okay if I preserve your Acked-by from the last version?

Sure.

> There will be no other change in the cxl area than rebasing on top of
> this patch.
>
> Thank you for taking care of the fix!

Thanks for the patience as I circled back.
Paul Moore Sept. 10, 2021, 5:46 p.m. UTC | #5
On Fri, Sep 10, 2021 at 8:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> And I can see the patch is now in Linus' tree, so if Paul agrees I'll
> rebase the patch on top of v5.15-rc1 once it's tagged ...

Please do, thanks.

-- 
paul moore
www.paul-moore.com

Patch

diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
index 651e8d4ec974..37903259ee79 100644
--- a/drivers/cxl/pci.c
+++ b/drivers/cxl/pci.c
@@ -575,7 +575,7 @@  static bool cxl_mem_raw_command_allowed(u16 opcode)
 	if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
 		return false;
 
-	if (security_locked_down(LOCKDOWN_NONE))
+	if (security_locked_down(LOCKDOWN_PCI_ACCESS))
 		return false;
 
 	if (cxl_raw_allow_all)
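
Review bot: the security_locked_down(LOCKDOWN_PCI_ACCESS) check in cxl_mem_raw_command_allowed() has no comment saying why raw mailbox commands are gated on the PCI-access lockdown reason; that rationale appears only in the commit message ("fail raw command access when raw pci access is also disabled"). A one-line comment above the check stating that raw commands are treated as equivalent to raw PCI access would help anyone auditing lockdown_reason usage later. Since the patch is Cc'd to stable, the commit message could also say what passing LOCKDOWN_NONE did in practice, so backporters can judge the impact.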