lockdown: Print current->comm in restriction messages

Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>
author: Matthew Garrett <matthewgarrett@google.com> 2019-08-19 17:18:05 -0700
committer: James Morris <jmorris@namei.org> 2019-08-19 21:54:17 -0700
commit: b602614a81078bf29c82b2671bb96a63488f68d6 (patch)
tree: eb83d8f6461eeff1bd51eda39267ab0f523bd5f8 /security/lockdown
parent: 1957a85b0032a81e6482ca4aab883643b8dae06e (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 84df03b1f5a7..0068cec77c05 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -81,10 +81,14 @@ early_param("lockdown", lockdown_param);
  */
 static int lockdown_is_locked_down(enum lockdown_reason what)
 {
+	if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
+		 "Invalid lockdown reason"))
+		return -EPERM;
+
 	if (kernel_locked_down >= what) {
 		if (lockdown_reasons[what])
-			pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-				  lockdown_reasons[what]);
+			pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
+				  current->comm, lockdown_reasons[what]);
 		return -EPERM;
 	}
author	Matthew Garrett <matthewgarrett@google.com>	2019-08-19 17:18:05 -0700
committer	James Morris <jmorris@namei.org>	2019-08-19 21:54:17 -0700
commit	b602614a81078bf29c82b2671bb96a63488f68d6 (patch)
tree	eb83d8f6461eeff1bd51eda39267ab0f523bd5f8 /security/lockdown
parent	1957a85b0032a81e6482ca4aab883643b8dae06e (diff)