Message ID | 150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk (mailing list archive) |
---|---|
State | New, archived |
Hi David,

Thanks for sending out this series.

On Thu, Oct 19, 2017 at 03:50:55PM +0100, David Howells wrote:
> If the kernel is locked down, require that all modules have valid
> signatures that we can verify.
>
> Signed-off-by: David Howells <dhowells@redhat.com>

I have reviewed and tested this patch. Please feel free to add:

Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>

Thanks a lot!
Joey Lee

> --- > > kernel/module.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/module.c b/kernel/module.c > index de66ec825992..3d9a3270c179 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags) > } > > /* Not having a signature is only an error if we're strict. */ > - if (err == -ENOKEY && !sig_enforce) > + if (err == -ENOKEY && !sig_enforce && > + !kernel_is_locked_down("Loading of unsigned modules")) > err = 0; > > return err;
On Thu, 19 Oct 2017, David Howells wrote:
> If the kernel is locked down, require that all modules have valid
> signatures that we can verify.
>
> Signed-off-by: David Howells <dhowells@redhat.com>

Reviewed-by: James Morris <james.l.morris@oracle.com>
On Thu, 2017-10-19 at 15:50 +0100, David Howells wrote:
> If the kernel is locked down, require that all modules have valid
> signatures that we can verify.
>
> Signed-off-by: David Howells <dhowells@redhat.com>

> --- > > kernel/module.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/module.c b/kernel/module.c > index de66ec825992..3d9a3270c179 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags) > } > > /* Not having a signature is only an error if we're strict. */ > - if (err == -ENOKEY && !sig_enforce) > + if (err == -ENOKEY && !sig_enforce && > + !kernel_is_locked_down("Loading of unsigned modules"))

This kernel_is_locked_down() check is being called for both the original and new module_load syscalls. We need to be able to differentiate them. This is fine for the original syscall, but for the new syscall we would need an additional IMA check - !is_ima_appraise_enabled().

Mimi

> err = 0; > > return err;
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> This kernel_is_locked_down() check is being called for both the
> original and new module_load syscalls. We need to be able to
> differentiate them. This is fine for the original syscall, but for
> the new syscall we would need an additional IMA check -
> !is_ima_appraise_enabled().

IMA can only be used with finit_module()?

David
[Corrected Matthew Garrett's email address. Cc'ed Bruno Meneguele]

On Mon, 2017-10-30 at 17:00 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > This kernel_is_locked_down() check is being called for both the
> > original and new module_load syscalls. We need to be able to
> > differentiate them. This is fine for the original syscall, but for
> > the new syscall we would need an additional IMA check -
> > !is_ima_appraise_enabled().
>
> IMA can only be used with finit_module()?

Yes, without the file descriptor, IMA-appraisal can't access the xattrs.

You should really look at Bruno's patches, which are in my next branch:

8168913c50d5 "ima: check signature enforcement against cmdline param instead of CONFIG"
404090509894 module: export module signature enforcement status

Can we get an Ack on the module one?

Mimi
diff --git a/kernel/module.c b/kernel/module.c index de66ec825992..3d9a3270c179 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags) } /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !sig_enforce) + if (err == -ENOKEY && !sig_enforce && + !kernel_is_locked_down("Loading of unsigned modules")) err = 0; return err;
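Review bot: the comment directly above the changed condition, "Not having a signature is only an error if we're strict.", no longer describes the test once the kernel_is_locked_down() clause is added. With this change a missing signature (-ENOKEY) is also left as an error when the kernel is locked down, even with sig_enforce unset. Suggest updating the comment to name both conditions, for example "only an error if we're strict or the kernel is locked down". Also worth stating in the commit message: since the new call is the last operand of the &&, it is evaluated only when err == -ENOKEY and sig_enforce is unset, and, as raised in the thread, module_sig_check() is reached from both module-loading syscalls, so the same condition applies to each.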
If the kernel is locked down, require that all modules have valid signatures that we can verify.

Signed-off-by: David Howells <dhowells@redhat.com>
---
 kernel/module.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)