Add kernel lockdown utility functions #6306
All 3 definitions are functioning as expected
Code Review
This pull request introduces functionality to manage kernel lockdown states in avocado/utils/linux.py, including functions to check the current mode and enable integrity or confidentiality modes via sysfs. The review feedback correctly identifies that the dmesg log verification used during the enablement process is redundant and fragile, as the state change is already confirmed by reading the sysfs file. Consequently, it is recommended to remove these checks and the associated dmesg module import to improve reliability and performance.
| try: | ||
| genio.write_one_line(lockdown_path, "integrity") | ||
| new_mode, _ = is_kernel_lockdown_enabled() | ||
| if new_mode in ["integrity", "confidentiality"]: | ||
| expected_msg = "Kernel is locked down from securityfs" | ||
| dmesg_errors = dmesg.collect_errors_dmesg([expected_msg]) | ||
| if not dmesg_errors: | ||
| return False | ||
| return True | ||
| return False | ||
| except (PermissionError, IOError): | ||
| return False |
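Review bot: the `except (PermissionError, IOError)` branch at the end returns False without re-reading the mode, so when the write of "integrity" is rejected the `new_mode in ["integrity", "confidentiality"]` check never runs. The description says transitions are one-way, so a system already at confidentiality could report failure here even though it meets the requested level. Read the current mode first, return True when it is already integrity or confidentiality, and write only when it is none.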
The dmesg verification is redundant and fragile. If the kernel log buffer is cleared or wraps around, this check will return False even if the lockdown was successfully enabled. Since the state change is already verified by checking the sysfs file content via new_mode, this extra check should be removed to improve reliability and performance (as collect_errors_dmesg is an expensive operation that also requires sudo privileges).
try:
    genio.write_one_line(lockdown_path, "integrity")
    new_mode, _ = is_kernel_lockdown_enabled()
    return new_mode in ["integrity", "confidentiality"]
except (PermissionError, IOError):
    return False
| try: | ||
| genio.write_one_line(lockdown_path, "confidentiality") | ||
| new_mode, _ = is_kernel_lockdown_enabled() | ||
| if new_mode == "confidentiality": | ||
| expected_msg = "Kernel is locked down from securityfs" | ||
| dmesg_errors = dmesg.collect_errors_dmesg([expected_msg]) | ||
| if not dmesg_errors: | ||
| return False | ||
| return True | ||
| return False | ||
| except (PermissionError, IOError): | ||
| return False |
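Review bot: `except (PermissionError, IOError)` on the last two lines lists overlapping types. In Python 3 `IOError` is an alias of `OSError` and `PermissionError` is a subclass of it, so `except OSError` covers both. Returning a bare False also hides why the write failed; consider logging the exception before returning so a caller can tell a privilege problem from an unavailable lockdown file.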
The dmesg verification is redundant and fragile. If the kernel log buffer is cleared or wraps around, this check will return False even if the lockdown was successfully enabled. Since the state change is already verified by checking the sysfs file content via new_mode, this extra check should be removed to improve reliability and performance (as collect_errors_dmesg is an expensive operation that also requires sudo privileges).
try:
    genio.write_one_line(lockdown_path, "confidentiality")
    new_mode, _ = is_kernel_lockdown_enabled()
    return new_mode == "confidentiality"
except (PermissionError, IOError):
    return False
| import os | ||
|
|
||
| from avocado.utils import genio, process | ||
| from avocado.utils import dmesg, genio, process |
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #6306 +/- ##
==========================================
- Coverage 73.48% 72.14% -1.34%
==========================================
Files 206 206
Lines 22494 23309 +815
==========================================
+ Hits 16530 16817 +287
- Misses 5964 6492 +528
b2311c9 to 26301c9
This commit adds three new utility functions to avocado.utils.linux for managing the kernel lockdown security feature:
1. is_kernel_lockdown_enabled(): Check current lockdown state
   - Returns tuple of (mode, is_enabled)
   - Supports none, integrity, and confidentiality modes
   - Handles cases where lockdown feature is unavailable
2. enable_kernel_lockdown_integrity(): Enable integrity mode
   - Prevents kernel modification
   - Verifies mode change via sysfs
   - Validates dmesg for lockdown message
3. enable_kernel_lockdown_confidentiality(): Enable confidentiality mode
   - Most restrictive mode (prevents modification and data exposure)
   - Verifies mode change via sysfs
   - Validates dmesg for lockdown message
All functions follow PEP 8 standards and include comprehensive docstrings. Lockdown mode transitions are one-way at runtime and require reboot to downgrade.
Signed-off-by: Maram Srimannarayana Murthy <msmurthy@linux.vnet.ibm.com>
26301c9 to e0f48e3
This commit adds three new utility functions to avocado.utils.linux for managing the kernel lockdown security feature:
is_kernel_lockdown_enabled(): Check current lockdown state
enable_kernel_lockdown_integrity(): Enable integrity mode
enable_kernel_lockdown_confidentiality(): Enable confidentiality mode
All functions follow PEP 8 standards and include comprehensive docstrings. Lockdown mode transitions are one-way at runtime and require reboot to downgrade.
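The read-back verification and the one-way transition rule discussed in this thread, as an added example that is not code from the pull request or from avocado. The function names are hypothetical; the path and the bracketed file format (`none [integrity] confidentiality`, active mode in brackets) are assumed to be the usual securityfs layout described in kernel_lockdown(7).

```python
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"  # assumed securityfs mount point
LEVELS = ("none", "integrity", "confidentiality")  # least to most restrictive


def parse_lockdown(text):
    """Return the bracketed (active) mode from the lockdown file contents."""
    active = [t[1:-1] for t in text.split() if t.startswith("[") and t.endswith("]")]
    if len(active) != 1 or active[0] not in LEVELS:
        raise ValueError(f"unrecognised lockdown state: {text!r}")
    return active[0]


def read_lockdown(path=LOCKDOWN_PATH):
    """Return the active mode, or None when the file is missing or malformed."""
    try:
        with open(path, encoding="ascii") as handle:
            return parse_lockdown(handle.read())
    except (OSError, ValueError):
        return None


def plan_transition(current, requested):
    """Classify a request as 'noop', 'raise', or 'refuse' (it would lower the level)."""
    cur, req = LEVELS.index(current), LEVELS.index(requested)
    if req == cur:
        return "noop"
    return "raise" if req > cur else "refuse"


def ensure_lockdown(requested, path=LOCKDOWN_PATH):
    """Reach at least `requested`; return the mode read back, or None on failure."""
    current = read_lockdown(path)
    if current is None:
        return None
    if plan_transition(current, requested) == "raise":
        try:
            with open(path, "w", encoding="ascii") as handle:
                handle.write(requested)
        except OSError:
            return None
        current = read_lockdown(path)  # trust the file, not the write's return
    if current is not None and LEVELS.index(current) >= LEVELS.index(requested):
        return current
    return None


if __name__ == "__main__":
    sample = "none [integrity] confidentiality\n"  # constructed sample contents
    mode = parse_lockdown(sample)
    print(mode, plan_transition(mode, "confidentiality"), plan_transition(mode, "none"))
```

Because the current mode is read before any write, a host already at or above the requested level is reported as satisfied instead of failing on a rejected write.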