add kernel_lockdown.7 man page

- resolves: #1797591

man-pages-5.04-kernel_lockdown.patch

@@ -0,0 +1,113 @@
+diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
+new file mode 100644
+index 0000000..5ec4289
+--- /dev/null
++++ b/man7/kernel_lockdown.7
+@@ -0,0 +1,107 @@
++.\"
++.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++.\" Written by David Howells (dhowells@redhat.com)
++.\"
++.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version
++.\" 2 of the License, or (at your option) any later version.
++.\" %%%LICENSE_END
++.\"
++.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
++.SH NAME
++Kernel Lockdown \- Kernel image access prevention feature
++.SH DESCRIPTION
++The Kernel Lockdown feature is designed to prevent both direct and indirect
++access to a running kernel image, attempting to protect against unauthorised
++modification of the kernel image and to prevent access to security and
++cryptographic data located in kernel memory, whilst still permitting driver
++modules to be loaded.
++.P
++Lockdown is typically enabled during boot and may be terminated, if configured,
++by typing a special key combination on a directly attached physical keyboard.
++.P
++If a prohibited or restricted feature is accessed or used, the kernel will emit
++a message that looks like:
++.P
++.RS
++ Lockdown: X: Y is restricted, see man kernel_lockdown.7
++.RE
++.P
++where X indicates the process name and Y indicates what is restricted.
++.P
++On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
++if the system boots in EFI Secure Boot mode.
++.P
++If the kernel is appropriately configured, lockdown may be lifted by typing the
++appropriate sequence on a directly attached physical keyboard.  For x86
++machines, this is
++.IR SysRq+x .
++.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
++.SH COVERAGE
++When lockdown is in effect, a number of features are disabled or have their use
++restricted.  This includes special device files and kernel services that allow
++direct access of the kernel image:
++.P
++.RS
++/dev/mem
++.br
++/dev/kmem
++.br
++/dev/kcore
++.br
++/dev/ioports
++.br
++BPF
++.br
++kprobes
++.RE
++.P
++and the ability to directly configure and control devices, so as to prevent the
++use of a device to access or modify a kernel image:
++.P
++.RS
++The use of module parameters that directly specify hardware parameters to
++drivers through the kernel command line or when loading a module.
++.P
++The use of direct PCI BAR access.
++.P
++The use of the ioperm and iopl instructions on x86.
++.P
++The use of the KD*IO console ioctls.
++.P
++The use of the TIOCSSERIAL serial ioctl.
++.P
++The alteration of MSR registers on x86.
++.P
++The replacement of the PCMCIA CIS.
++.P
++The overriding of ACPI tables.
++.P
++The use of ACPI error injection.
++.P
++The specification of the ACPI RDSP address.
++.P
++The use of ACPI custom methods.
++.RE
++.P
++Certain facilities are restricted:
++.P
++.RS
++Only validly signed modules may be loaded (waived if the module file being
++loaded is vouched for by IMA appraisal).
++.P
++Only validly signed binaries may be kexec'd (waived if the binary image file to
++be executed is vouched for by IMA appraisal).
++.P
++Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
++saved to a medium that can then be accessed.
++.P
++Use of debugfs is not permitted as this allows a whole range of actions
++including direct configuration of, access to and driving of hardware.
++.P
++IMA requires the addition of the "secure_boot" rules to the policy, whether or
++not they are specified on the command line, for both the builtin and custom
++policies in secure boot lockdown mode.
++.RE

man-pages.spec

@@ -7,7 +7,7 @@
 Summary: Linux kernel and C library user-space interface documentation
 Name: man-pages
 Version: 5.04
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL+ and GPLv2+ and BSD and MIT and Copyright only and IEEE
 URL: http://www.kernel.org/doc/man-pages/
 Source: http://www.kernel.org/pub/linux/docs/man-pages/man-pages-%{version}.tar.xz
@@ -37,6 +37,8 @@ Patch0: man-pages-posix-2013-a-pthread_once.patch
 # resolves: #650985
 # https://bugzilla.kernel.org/show_bug.cgi?id=53781
 Patch21: man-pages-3.42-close.patch
+# resolves: #1797591
+Patch22: man-pages-5.04-kernel_lockdown.patch
 
 %description
 A large collection of manual pages from the Linux Documentation Project (LDP).
@@ -46,6 +48,7 @@ A large collection of manual pages from the Linux Documentation Project (LDP).
 
 %patch0 -p1
 %patch21 -p1
+%patch22 -p1
 
 # rename posix README so we don't have conflict
 %{__mv} %{posix_name}/README %{posix_name}/%{posix_name}.README
@@ -85,6 +88,10 @@ popd
 %{_mandir}/man*/*
 
 %changelog
+* Mon Feb 03 2020 Nikola Forró <nforro@redhat.com> - 5.04-3
+- add kernel_lockdown.7 man page
+  resolves: #1797591
+
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.04-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild