tracing: Do not create directories if lockdown is in affect

commit a356646a56857c2e5ad875beec734d7145ecd49a upstream.

If lockdown is disabling tracing on boot up, it prevents the tracing files
from even bering created. But when that happens, there's several places that
will give a warning that the files were not created as that is usually a
sign of a bug.

Add in strategic locations where a check is made to see if tracing is
disabled by lockdown, and if it is, do not go further, and fail silently
(but print that tracing is disabled by lockdown, without doing a WARN_ON()).

Cc: Matthew Garrett <mjg59@google.com>
Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 66358d66c9336ca9ec87de22056f56cc0da9f61f..4bf050fcfe3be6deed57d1c7687d8985f4c71c56 100644 (file)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -11,6 +11,7 @@
 #include <linux/trace_seq.h>
 #include <linux/spinlock.h>
 #include <linux/irq_work.h>
+#include <linux/security.h>
 #include <linux/uaccess.h>
 #include <linux/hardirq.h>
 #include <linux/kthread.h>     /* for self test */
@@ -5068,6 +5069,11 @@ static __init int test_ringbuffer(void)
        int cpu;
        int ret = 0;
 
+       if (security_locked_down(LOCKDOWN_TRACEFS)) {
+               pr_warning("Lockdown is enabled, skipping ring buffer tests\n");
+               return 0;
+       }
+
        pr_info("Running ring buffer tests...\n");
 
        buffer = ring_buffer_alloc(RB_TEST_BUFFER_SIZE, RB_FL_OVERWRITE);

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index d8bd9b1d8bcea587433fa03b498bee744cc78c09..bcb72f102613561e9a00c61affaeaf1ce1661dd4 100644 (file)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1804,6 +1804,12 @@ int __init register_tracer(struct tracer *type)
                return -1;
        }
 
+       if (security_locked_down(LOCKDOWN_TRACEFS)) {
+               pr_warning("Can not register tracer %s due to lockdown\n",
+                          type->name);
+               return -EPERM;
+       }
+
        mutex_lock(&trace_types_lock);
 
        tracing_selftest_running = true;
@@ -8647,6 +8653,11 @@ struct dentry *tracing_init_dentry(void)
 {
        struct trace_array *tr = &global_trace;
 
+       if (security_locked_down(LOCKDOWN_TRACEFS)) {
+               pr_warning("Tracing disabled due to lockdown\n");
+               return ERR_PTR(-EPERM);
+       }
+
        /* The top level trace array uses  NULL as parent */
        if (tr->dir)
                return NULL;
@@ -9089,6 +9100,12 @@ __init static int tracer_alloc_buffers(void)
        int ring_buf_size;
        int ret = -ENOMEM;
 
+
+       if (security_locked_down(LOCKDOWN_TRACEFS)) {
+               pr_warning("Tracing disabled due to lockdown\n");
+               return -EPERM;
+       }
+
        /*
         * Make sure we don't accidently add more trace options
         * than we have bits for.