[3/3] Make LSM Writable Hooks a command line option

Message ID	20170626144116.27599-4-igor.stoppa@huawei.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Igor Stoppa <igor.stoppa@huawei.com> To: <keescook@chromium.org>, <mhocko@kernel.org>, <jmorris@namei.org>, <labbott@redhat.com> CC: <penguin-kernel@I-love.SAKURA.ne.jp>, <paul@paul-moore.com>, <sds@tycho.nsa.gov>, <casey@schaufler-ca.com>, <hch@infradead.org>, <linux-security-module@vger.kernel.org>, <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>, <kernel-hardening@lists.openwall.com>, "Igor Stoppa" <igor.stoppa@gmail.com>, Igor Stoppa <igor.stoppa@huawei.com> Subject: [PATCH 3/3] Make LSM Writable Hooks a command line option Date: Mon, 26 Jun 2017 17:41:16 +0300 Message-ID: <20170626144116.27599-4-igor.stoppa@huawei.com> In-Reply-To: <20170626144116.27599-1-igor.stoppa@huawei.com> References: <20170626144116.27599-1-igor.stoppa@huawei.com> MIME-Version: 1.0 Content-Type: text/plain Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk

Message ID

20170626144116.27599-4-igor.stoppa@huawei.com (mailing list archive)

State

New, archived

Headers

From: Igor Stoppa <igor.stoppa@huawei.com>
To: <keescook@chromium.org>, <mhocko@kernel.org>, <jmorris@namei.org>,
	<labbott@redhat.com>
CC: <penguin-kernel@I-love.SAKURA.ne.jp>, <paul@paul-moore.com>,
	<sds@tycho.nsa.gov>, <casey@schaufler-ca.com>, <hch@infradead.org>,
	<linux-security-module@vger.kernel.org>, <linux-mm@kvack.org>,
	<linux-kernel@vger.kernel.org>, <kernel-hardening@lists.openwall.com>,
	"Igor Stoppa" <igor.stoppa@gmail.com>,
	Igor Stoppa <igor.stoppa@huawei.com>
Subject: [PATCH 3/3] Make LSM Writable Hooks a command line option
Date: Mon, 26 Jun 2017 17:41:16 +0300
Message-ID: <20170626144116.27599-4-igor.stoppa@huawei.com>
In-Reply-To: <20170626144116.27599-1-igor.stoppa@huawei.com>
References: <20170626144116.27599-1-igor.stoppa@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Commit Message

Igor Stoppa June 26, 2017, 2:41 p.m. UTC

From: Igor Stoppa <igor.stoppa@gmail.com>

This patch shows how it is possible to take advantage of pmalloc:
instead of using the build-time option __lsm_ro_after_init, to decide if
it is possible to keep the hooks modifiable, now this becomes a
boot-time decision, based on the kernel command line.

This patch relies on:

"Convert security_hook_heads into explicit array of struct list_head"
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

to break free from the static constraint imposed by the previous
hardening model, based on __ro_after_init.

The default value is disabled, unless SE Linux debugging is turned on.

Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/security.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

Comments

kernel test robot June 27, 2017, 5:07 a.m. UTC | #1

Hi Igor,

[auto build test ERROR on mmotm/master]
[cannot apply to linus/master linux/master v4.12-rc7 next-20170626]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Igor-Stoppa/ro-protection-for-dynamic-data/20170627-103230
base:   git://git.cmpxchg.org/linux-mmotm.git master
config: ia64-allmodconfig (attached as .config)
compiler: ia64-linux-gcc (GCC) 6.2.0
reproduce:
        wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=ia64 

All errors (new ones prefixed by >>):

   init/built-in.o: In function `start_kernel':
   (.init.text+0x1832): undefined reference to `pmalloc_init'
   mm/built-in.o: In function `__check_object_size':
   (.text+0x14f1b2): undefined reference to `__pmalloc_check_object'
   security/built-in.o: In function `security_init':
>> (.init.text+0x802): undefined reference to `pmalloc_create_pool'
   security/built-in.o: In function `security_init':
>> (.init.text+0x832): undefined reference to `pmalloc'
   security/built-in.o: In function `security_init':
>> (.init.text+0x9d2): undefined reference to `pmalloc_protect_pool'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

kernel test robot June 27, 2017, 6:48 a.m. UTC | #2

Hi Igor,

[auto build test ERROR on mmotm/master]
[cannot apply to linus/master linux/master v4.12-rc7 next-20170626]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Igor-Stoppa/ro-protection-for-dynamic-data/20170627-103230
base:   git://git.cmpxchg.org/linux-mmotm.git master
config: tile-tilegx_defconfig (attached as .config)
compiler: tilegx-linux-gcc (GCC) 4.6.2
reproduce:
        wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=tile 

All errors (new ones prefixed by >>):

   init/built-in.o: In function `start_kernel':
   init/main.c:678: undefined reference to `pmalloc_init'
   security/built-in.o: In function `security_init':
>> security/security.c:75: undefined reference to `pmalloc_create_pool'
>> security/security.c:77: undefined reference to `pmalloc'
>> security/security.c:96: undefined reference to `pmalloc_protect_pool'

vim +75 security/security.c

    69	 * This should be called early in the kernel initialization sequence.
    70	 */
    71	int __init security_init(void)
    72	{
    73		enum security_hook_index i;
    74	
  > 75		sec_pool = pmalloc_create_pool("security", PMALLOC_DEFAULT_ALLOC_ORDER);
    76		BUG_ON(!sec_pool);
  > 77		hook_heads = pmalloc(sec_pool,
    78				     sizeof(struct list_head) * LSM_MAX_HOOK_INDEX);
    79		BUG_ON(!hook_heads);
    80		for (i = 0; i < LSM_MAX_HOOK_INDEX; i++)
    81			INIT_LIST_HEAD(&hook_heads[i]);
    82		pr_info("Security Framework initialized\n");
    83	
    84		/*
    85		 * Load minor LSMs, with the capability module always first.
    86		 */
    87		capability_add_hooks();
    88		yama_add_hooks();
    89		loadpin_add_hooks();
    90	
    91		/*
    92		 * Load all the remaining security modules.
    93		 */
    94		do_security_initcalls();
    95		if (!dynamic_lsm)
  > 96			pmalloc_protect_pool(sec_pool);
    97		return 0;
    98	}
    99	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

diff --git a/security/security.c b/security/security.c
index 44c47b6..c7b4670 100644
--- a/security/security.c
+++ b/security/security.c
@@ -27,6 +27,7 @@ 
 #include <linux/personality.h>
 #include <linux/backing-dev.h>
 #include <linux/string.h>
+#include <linux/pmalloc.h>
 #include <net/flow.h>
 
 #define MAX_LSM_EVM_XATTR	2
@@ -34,10 +35,19 @@ 
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX	10
 
-static struct list_head hook_heads[LSM_MAX_HOOK_INDEX]
-	__lsm_ro_after_init;
 static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
 
+static int dynamic_lsm = IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE);
+
+static __init int set_dynamic_lsm(char *str)
+{
+	get_option(&str, &dynamic_lsm);
+	return 0;
+}
+early_param("dynamic_lsm", set_dynamic_lsm);
+
+static struct list_head *hook_heads;
+static struct gen_pool *sec_pool;
 char *lsm_names;
 /* Boot-time LSM user choice */
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -62,6 +72,11 @@  int __init security_init(void)
 {
 	enum security_hook_index i;
 
+	sec_pool = pmalloc_create_pool("security", PMALLOC_DEFAULT_ALLOC_ORDER);
+	BUG_ON(!sec_pool);
+	hook_heads = pmalloc(sec_pool,
+			     sizeof(struct list_head) * LSM_MAX_HOOK_INDEX);
+	BUG_ON(!hook_heads);
 	for (i = 0; i < LSM_MAX_HOOK_INDEX; i++)
 		INIT_LIST_HEAD(&hook_heads[i]);
 	pr_info("Security Framework initialized\n");
@@ -77,7 +92,8 @@  int __init security_init(void)
 	 * Load all the remaining security modules.
 	 */
 	do_security_initcalls();
-
+	if (!dynamic_lsm)
+		pmalloc_protect_pool(sec_pool);
 	return 0;
 }

[3/3] Make LSM Writable Hooks a command line option

Commit Message

Comments

Patch