UBUNTU: SAUCE: (efi-lockdown) scsi: Lock down the eata driver

When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image.  Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
device to access or modify the kernel image.

The eata driver takes a single string parameter that contains a slew of
settings, including hardware resource configuration.  Prohibit use of the
parameter if the kernel is locked down.

Suggested-by: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dario Ballabio <ballabio_dario@emc.com>
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
cc: linux-scsi@vger.kernel.org
(cherry picked from commit 83b96284c638df0320251a0c502d850130095568
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
index 227dd2c2ec2f16d1cec7e7b2bb5894fa84862b5e..5c036d10c18b8a97a8efdaf4e8842b8505a196fc 100644 (file)
--- a/drivers/scsi/eata.c
+++ b/drivers/scsi/eata.c
@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
 
        tpnt->proc_name = "eata2x";
 
-       if (strlen(boot_options))
+       if (strlen(boot_options)) {
+               if (kernel_is_locked_down()) {
+                       pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down\n");
+                       return -EPERM;
+               }
                option_setup(boot_options);
+       }
 
 #if defined(MODULE)
        /* io_port could have been modified when loading as a module */