From 910adacdbc2bbca1937e7c7201b2a18185df2a0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
Date: Mon, 3 Feb 2020 14:33:00 +0100
Subject: [PATCH] add kernel_lockdown.7 man page - resolves: #1797591
---
 man-pages-5.04-kernel_lockdown.patch | 113 +++++++++++++++++++++++++++
 man-pages.spec | 9 ++-
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 man-pages-5.04-kernel_lockdown.patch
diff --git a/man-pages-5.04-kernel_lockdown.patch b/man-pages-5.04-kernel_lockdown.patch
new file mode 100644
index 0000000..c38a2b4
--- /dev/null
+++ b/man-pages-5.04-kernel_lockdown.patch
@@ -0,0 +1,113 @@
+diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
+new file mode 100644
+index 0000000..5ec4289
+--- /dev/null
++++ b/man7/kernel_lockdown.7
+@@ -0,0 +1,107 @@
++.\"
++.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++.\" Written by David Howells (dhowells@redhat.com)
++.\"
++.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version
++.\" 2 of the License, or (at your option) any later version.
++.\" %%%LICENSE_END
++.\"
++.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
++.SH NAME
++Kernel Lockdown \- Kernel image access prevention feature
++.SH DESCRIPTION
++The Kernel Lockdown feature is designed to prevent both direct and indirect
++access to a running kernel image, attempting to protect against unauthorised
++modification of the kernel image and to prevent access to security and
++cryptographic data located in kernel memory, whilst still permitting driver
++modules to be loaded.
++.P
++Lockdown is typically enabled during boot and may be terminated, if configured,
++by typing a special key combination on a directly attached physical keyboard.
++.P
++If a prohibited or restricted feature is accessed or used, the kernel will emit
++a message that looks like:
++.P
++.RS
++ Lockdown: X: Y is restricted, see man kernel_lockdown.7
++.RE
++.P
++where X indicates the process name and Y indicates what is restricted.
++.P
++On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
++if the system boots in EFI Secure Boot mode.
++.P
++If the kernel is appropriately configured, lockdown may be lifted by typing the
++appropriate sequence on a directly attached physical keyboard. For x86
++machines, this is
++.IR SysRq+x .
++.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
++.SH COVERAGE
++When lockdown is in effect, a number of features are disabled or have their use
++restricted. This includes special device files and kernel services that allow
++direct access of the kernel image:
++.P
++.RS
++/dev/mem
++.br
++/dev/kmem
++.br
++/dev/kcore
++.br
++/dev/ioports
++.br
++BPF
++.br
++kprobes
++.RE
++.P
++and the ability to directly configure and control devices, so as to prevent the
++use of a device to access or modify a kernel image:
++.P
++.RS
++The use of module parameters that directly specify hardware parameters to
++drivers through the kernel command line or when loading a module.
++.P
++The use of direct PCI BAR access.
++.P
++The use of the ioperm and iopl instructions on x86.
++.P
++The use of the KD*IO console ioctls.
++.P
++The use of the TIOCSSERIAL serial ioctl.
++.P
++The alteration of MSR registers on x86.
++.P
++The replacement of the PCMCIA CIS.
++.P
++The overriding of ACPI tables.
++.P
++The use of ACPI error injection.
++.P
++The specification of the ACPI RDSP address.
++.P
++The use of ACPI custom methods.
++.RE
++.P
++Certain facilities are restricted:
++.P
++.RS
++Only validly signed modules may be loaded (waived if the module file being
++loaded is vouched for by IMA appraisal).
++.P
++Only validly signed binaries may be kexec'd (waived if the binary image file to
++be executed is vouched for by IMA appraisal).
++.P
++Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
++saved to a medium that can then be accessed.
++.P
++Use of debugfs is not permitted as this allows a whole range of actions
++including direct configuration of, access to and driving of hardware.
++.P
++IMA requires the addition of the "secure_boot" rules to the policy, whether or
++not they are specified on the command line, for both the builtin and custom
++policies in secure boot lockdown mode.
++.RE
diff --git a/man-pages.spec b/man-pages.spec index 7337481..ddb2e55 100644 --- a/man-pages.spec +++ b/man-pages.spec @@ -7,7 +7,7 @@ Summary: Linux kernel and C library user-space interface documentation Name: man-pages Version: 5.04 -Release: 2%{?dist} +Release: 3%{?dist} License: GPL+ and GPLv2+ and BSD and MIT and Copyright only and IEEE URL: http://www.kernel.org/doc/man-pages/ Source: http://www.kernel.org/pub/linux/docs/man-pages/man-pages-%{version}.tar.xz @@ -37,6 +37,8 @@ Patch0: man-pages-posix-2013-a-pthread_once.patch # resolves: #650985 # https://bugzilla.kernel.org/show_bug.cgi?id=53781 Patch21: man-pages-3.42-close.patch +# resolves: #1797591 +Patch22: man-pages-5.04-kernel_lockdown.patch %description A large collection of manual pages from the Linux Documentation Project (LDP). @@ -46,6 +48,7 @@ A large collection of manual pages from the Linux Documentation Project (LDP). %patch0 -p1 %patch21 -p1 +%patch22 -p1 # rename posix README so we don't have conflict %{__mv} %{posix_name}/README %{posix_name}/%{posix_name}.README @@ -85,6 +88,10 @@ popd %{_mandir}/man*/* %changelog +* Mon Feb 03 2020 Nikola Forró - 5.04-3 +- add kernel_lockdown.7 man page + resolves: #1797591 + * Wed Jan 29 2020 Fedora Release Engineering - 5.04-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild