Re: [PATCH 3/4] module: Support to show the current enforcement policy

From: Jia Zhang
Date: Wed Mar 07 2018 - 20:57:20 EST




On 2018/3/8 4:14 PM, Jessica Yu wrote:
> +++ Jia Zhang [01/03/18 17:09 +0800]:
>> /sys/kernel/security/modsign/enforce gives the result of current
>> enforcement policy of loading module.
>>
>> Signed-off-by: Jia Zhang <zhang.jia@xxxxxxxxxxxxxxxxx>
>
> Why is this being added as part of securityfs? AFAIK that's primarily
> used by LSMs.

The integrity subsystem such as IMA is also located there.

>
> And we already export sig_enforce to sysfs (See
> /sys/module/module/parameters/sig_enforce).
> It already does exactly what your patchset tries to do, it only allows
> for enablement.

I will respond to this in V2.

Thanks,
Jia

> Jessica
>
>> ---
>> kernel/module.c | 55
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 55 insertions(+)
>>
>> diff --git a/kernel/module.c b/kernel/module.c
>> index 79825ea..e3c6c8e 100644
>> --- a/kernel/module.c
>> +++ b/kernel/module.c
>> @@ -2794,11 +2794,60 @@ static int module_sig_check(struct load_info
>> *info, int flags)
>>
>> ÂÂÂÂreturn err;
>> }
>> +
>> +#ifdef CONFIG_SECURITYFS
>> +static ssize_t modsign_enforce_read(struct file *filp, char __user
>> *ubuf,
>> +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ size_t count, loff_t *offp)
>> +{
>> +ÂÂÂ char buf[2];
>> +
>> +ÂÂÂ sprintf(buf, "%d", !!sig_enforce);
>> +
>> +ÂÂÂ return simple_read_from_buffer(ubuf, count, offp, buf, 1);
>> +}
>> +
>> +static const struct file_operations modsign_enforce_ops = {
>> +ÂÂÂ .read = modsign_enforce_read,
>> +ÂÂÂ .llseek = generic_file_llseek,
>> +};
>> +
>> +static int __init securityfs_init(void)
>> +{
>> +ÂÂÂ struct dentry *modsign_dir;
>> +ÂÂÂ struct dentry *enforce;
>> +
>> +ÂÂÂ modsign_dir = securityfs_create_dir("modsign", NULL);
>> +ÂÂÂ if (IS_ERR(modsign_dir))
>> +ÂÂÂÂÂÂÂ return -1;
>> +
>> +ÂÂÂ enforce = securityfs_create_file("enforce",
>> +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ S_IRUSR | S_IRGRP, modsign_dir,
>> +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ NULL, &modsign_enforce_ops);
>> +ÂÂÂ if (IS_ERR(enforce))
>> +ÂÂÂÂÂÂÂ goto out;
>> +
>> +ÂÂÂ return 0;
>> +out:
>> +ÂÂÂ securityfs_remove(modsign_dir);
>> +
>> +ÂÂÂ return -1;
>> +}
>> +#else /* !CONFIG_SECURITYFS */
>> +static int __init securityfs_init(void)
>> +{
>> +ÂÂÂ return 0;
>> +}
>> +#endif
>> #else /* !CONFIG_MODULE_SIG */
>> static int module_sig_check(struct load_info *info, int flags)
>> {
>> ÂÂÂÂreturn 0;
>> }
>> +
>> +static int __init securityfs_init(void)
>> +{
>> +ÂÂÂ return 0;
>> +}
>> #endif /* !CONFIG_MODULE_SIG */
>>
>> /* Sanity checks against invalid binaries, wrong arch, weird elf
>> version. */
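Review bot: in securityfs_init(), both failure paths return a bare -1 instead of the error the securityfs helpers already hand back; use `return PTR_ERR(modsign_dir);` and, after `if (IS_ERR(enforce))`, propagate `PTR_ERR(enforce)` so the caller sees a real -errno. It also seems disproportionate for a read-only status file to fail the initcall at all; a pr_warn() followed by `return 0` would keep module init working without the file. Two smaller points: the name securityfs_init reads as if it initialises securityfs itself rather than the modsign entries, so something like modsign_fs_init would be clearer, and modsign_enforce_read emits a single digit with no trailing newline, whereas the existing /sys/module/module/parameters/sig_enforce that Jessica points to already exposes the same value, which is the duplication raised above.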
>> @@ -4395,8 +4444,14 @@ void module_layout(struct module *mod,
>>
>> static int __init initialize_module(void)
>> {
>> +ÂÂÂ int ret;
>> +
>> ÂÂÂÂproc_modules_init();
>>
>> +ÂÂÂ ret = securityfs_init();
>> +ÂÂÂ if (unlikely(ret))
>> +ÂÂÂÂÂÂÂ return ret;
>> +
>> ÂÂÂÂreturn 0;
>> }
>> module_init(initialize_module);
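Review bot: in initialize_module(), the sequence `ret = securityfs_init(); if (unlikely(ret)) return ret; return 0;` collapses to `return securityfs_init();`, and unlikely() buys nothing on a one-shot __init path. Note also that proc_modules_init() has already run by the time securityfs_init() can fail, so an error here reports a failed initcall while leaving the /proc/modules entry registered; if the securityfs file is optional, the simplest fix is not to propagate its failure from this function at all.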
>> -- 
>> 1.8.3.1
>>
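Jessica's point is that the enforcement state is already visible through the existing module parameter. The following is an added example, not code from the patch or the thread, showing how to read that parameter and interpret it from a shell; the ROOT argument is an assumption of this example so the function can be exercised against a constructed directory tree rather than a live kernel, and on a real system it is called with no argument.

```shell
#!/bin/sh
# Added example: report the kernel's module signature enforcement policy
# from the existing sysfs parameter (/sys/module/module/parameters/sig_enforce).
# ROOT (first argument) is an assumed parameter used only so the function can
# be tested against a constructed tree; leave it empty on a real machine.
#
# sig_enforce is a "bool_enable_only" parameter: it reads back as "Y" or "N",
# and root may write 1 to turn enforcement on but cannot write 0 to turn it
# off again. Enforcement can also be selected at boot with module.sig_enforce=1.

modsign_policy() {
    root="${1:-}"
    param="$root/sys/module/module/parameters/sig_enforce"

    if [ ! -r "$param" ]; then
        # CONFIG_MODULE_SIG is off, or sysfs is not mounted: nothing to report.
        echo "unavailable"
        return 2
    fi

    # $(...) strips the trailing newline, so the value is a bare Y or N.
    case "$(cat "$param")" in
        Y) echo "enforce";    return 0 ;;   # unsigned/badly signed modules are rejected
        N) echo "permissive"; return 1 ;;   # such modules load but taint the kernel
        *) echo "unknown";    return 3 ;;
    esac
}

# Usage on a live system (prints one word, exit status as above):
#   modsign_policy
```

Because the parameter is enable-only, a system that reports `permissive` can be hardened at run time with `echo 1 > /sys/module/module/parameters/sig_enforce` (as root), after which the same function reports `enforce` and the setting cannot be reverted without a reboot.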