[PATCH 1/2] security: introduce security_lock_kernel_down()

Thu Jun 26 22:10:38 UTC 2025

Define and export security_lock_kernel_down(), so that we can lock down
the kernel from other parts of the kernel.

Signed-off-by: Hamza Mahfooz <hamzamahfooz at linux.microsoft.com>
---
 include/linux/lsm_hook_defs.h |  1 +
 include/linux/security.h      |  8 ++++++++
 security/lockdown/lockdown.c  |  1 +
 security/security.c           | 15 +++++++++++++++
 4 files changed, 25 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index bf3bbac4e02a..08ffd103c863 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -442,6 +442,7 @@ LSM_HOOK(int, 0, bpf_token_cmd, const struct bpf_token *token, enum bpf_cmd cmd)
 LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
 #endif /* CONFIG_BPF_SYSCALL */
 
+LSM_HOOK(int, 0, lock_down, const char *where, enum lockdown_reason level)
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
 
 #ifdef CONFIG_PERF_EVENTS
diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..373f8dd2a265 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -573,6 +573,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
 int security_locked_down(enum lockdown_reason what);
 int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
 		      void *val, size_t val_len, u64 id, u64 flags);
@@ -1576,6 +1577,13 @@ static inline int security_inode_getsecctx(struct inode *inode,
 {
 	return -EOPNOTSUPP;
 }
+
+static inline int security_lock_kernel_down(const char *where,
+					    enum lockdown_reason level)
+{
+    return -EOPNOTSUPP;
+}
+
 static inline int security_locked_down(enum lockdown_reason what)
 {
 	return 0;
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index cf83afa1d879..3839a62c2c17 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
 }
 
 static struct security_hook_list lockdown_hooks[] __ro_after_init = {
+	LSM_HOOK_INIT(lock_down, lock_kernel_down),
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
 };
 
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..51fbe8124388 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5789,6 +5789,21 @@ void security_bpf_token_free(struct bpf_token *token)
 }
 #endif /* CONFIG_BPF_SYSCALL */
 
+/**
+ * security_lock_kernel_down() - Lock down the kernel
+ * @where: the location from where the lock down is being initiated
+ * @level: requested lock down level
+ *
+ * Attempt to lock down the kernel at the requested level.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return call_int_hook(lock_down, where, level);
+}
+EXPORT_SYMBOL(security_lock_kernel_down);
+
 /**
  * security_locked_down() - Check if a kernel feature is allowed
  * @what: requested kernel feature
-- 
2.49.0


