Re: [PATCH 1/4] module: add syscall to load module from fd

From: Mimi Zohar
Date: Thu Oct 04 2012 - 08:52:57 EST


On Thu, 2012-10-04 at 15:09 +0930, Rusty Russell wrote:
> Kees Cook <keescook@xxxxxxxxxxxx> writes:
>
> > On Thu, Sep 20, 2012 at 3:14 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> >> As part of the effort to create a stronger boundary between root and
> >> kernel, Chrome OS wants to be able to enforce that kernel modules are
> >> being loaded only from our read-only crypto-hash verified (dm_verity)
> >> root filesystem. Since the init_module syscall hands the kernel a module
> >> as a memory blob, no reasoning about the origin of the blob can be made.
> >>
> >> Earlier proposals for appending signatures to kernel modules would not be
> >> useful in Chrome OS, since it would involve adding an additional set of
> >> keys to our kernel and builds for no good reason: we already trust the
> >> contents of our root filesystem. We don't need to verify those kernel
> >> modules a second time. Having to do signature checking on module loading
> >> would slow us down and be redundant. All we need to know is where a
> >> module is coming from so we can say yes/no to loading it.
> >>
> >> If a file descriptor is used as the source of a kernel module, many more
> >> things can be reasoned about. In Chrome OS's case, we could enforce that
> >> the module lives on the filesystem we expect it to live on. In the case
> >> of IMA (or other LSMs), it would be possible, for example, to examine
> >> extended attributes that may contain signatures over the contents of
> >> the module.
> >>
> >> This introduces a new syscall (on x86), similar to init_module, that has
> >> only two arguments. The first argument is used as a file descriptor to
> >> the module and the second argument is a pointer to the NULL terminated
> >> string of module arguments.
> >
> > Hi Rusty,
> >
> > Is this likely to land in the 3.7 change window? I'd really like to
> > get the syscall number assigned so I can start sending patches to
> > glibc, kmod, etc. My tree is here, FWIW:
>
> No, unfortunately it's a little late and there were issues with ARM
> signoffs and syscall numbers...
>
> > http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;a=shortlog;h=refs/heads/module-fd-syscall
>
> Messy merge due to the module signing stuff going in :(
>
> Please rebase on top of my kernel.org modules-next branch, and I'll pull
> into my modules-wip branch for 3.8.

Why? Not only have you had these patches sitting for a while, way
before you had the kernel module patches, they've been acked/signed off
by Kees, Serge, Eric, and myself. All security subtree maintainers.
The module patches could have easily been built on top of Kees' small
patches. I am really disappointed!

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/