From patchwork Wed Apr 25 08:59:43 2018
X-Patchwork-Submitter: Sargun Dhillon
X-Patchwork-Id: 10361917
Date: Wed, 25 Apr 2018 08:59:43 +0000
From: Sargun Dhillon
To: linux-security-module@vger.kernel.org
Cc: penguin-kernel@i-love.sakura.ne.jp, keescook@chromium.org, igor.stoppa@huawei.com, casey@schaufler-ca.com, jmorris@namei.org, sds@tycho.nsa.gov, paul@paul-moore.com, plautrba@redhat.com
Subject: [PATCH v7 5/6] security: Panic on forced unloading of security module
Message-ID: <8daf3d7f289acc3a23c4652a8ddd8db2b9c39d85.1524645853.git.sargun@sargun.me>

Although, when LSMs are loaded, the kernel takes a refcount on them, the administrator can force unload the module if the CONFIG_MODULE_FORCE_UNLOAD is set. Although this may be fine for some cases, in the case of security modules, this is problematic, as it may leave the system unsecure, or unaudited.

Although, a kernel panic will occur on the next attempt to make a callback for that hook, new code could be loaded, which would not trigger a panic, allowing for silent failure.

Therefore, we must panic on an attempt to forcefully unload an LSM.

Signed-off-by: Sargun Dhillon

--- security/security.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/security/security.c b/security/security.c index 8d8a227eeeea..204b9978ba24 100644 --- a/security/security.c +++ b/security/security.c
@@ -89,6 +89,34 @@ static void __init do_security_initcalls(void) } } +/* + * Check if one of our modules is being unloaded. This can happen if + * CONFIG_MODULE_FORCE_UNLOAD is enabled. + * If it is being unloaded, panic and let the user know what's going on + */ +static int security_module_cb(struct notifier_block *nb, unsigned long val, + void *data) +{ + struct module *mod = data; + struct lsm_info *info; + + if (val != MODULE_STATE_GOING) + return NOTIFY_DONE; + + mutex_lock(&lsm_info_lock); + hlist_for_each_entry(info, &lsm_info_head, list) + if (mod == info->owner) + panic("Security module %s is being unloaded forcefully\n", + info->name); + mutex_unlock(&lsm_info_lock); + + return NOTIFY_DONE; +} + +static struct notifier_block security_nb = { + .notifier_call = security_module_cb, +}; + /** * security_init - initializes the security framework * @@ -99,6 +127,9 @@ int __init security_init(void) pr_info("Security Framework initialized with%s writable hooks\n", IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) ? "" : "out"); + if (IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) && + IS_ENABLED(CONFIG_MODULE_FORCE_UNLOAD)) + register_module_notifier(&security_nb); /* * Load minor LSMs, with the capability module always first. */
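Review bot: in security_module_cb(), the only conditions tested before panic() are val == MODULE_STATE_GOING and mod == info->owner, so the callback cannot tell a forced unload from any other path that delivers GOING for a module still on lsm_info_head, yet the message says "forcefully". The comment above the function should state the invariant it relies on (the refcount described in the commit message keeping an ordinary unload from getting this far), or the message should drop the word. Separately, the hlist_for_each_entry() body is a multi-line if/panic() statement without braces; kernel style wants braces around a body that spans more than one line.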
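Review bot: in security_init(), the return value of register_module_notifier(&security_nb) is discarded, so a failed registration silently leaves the check off; test it and at least pr_warn() on failure. The registration is also gated on CONFIG_SECURITY_WRITABLE_HOOKS in addition to CONFIG_MODULE_FORCE_UNLOAD, which neither the commit message nor the comment on security_module_cb() mentions; explain the extra condition in one of them. A blank line between the new if statement and the following "Load minor LSMs" comment would keep the two steps visually separate.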