Re: [PATCH 1/2] module: add syscall to load module from fd

[Mimi Zohar <zohar@linux.vnet.ibm.com>]

On Fri, 2012-09-07 at 10:19 -0700, Kees Cook wrote:
> On Fri, Sep 7, 2012 at 10:12 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Fri, 2012-09-07 at 09:45 +0930, Rusty Russell wrote:
> >> Kees Cook <keescook@chromium.org> writes:
> >> > Instead of (or in addition to) kernel module signing, being able to reason
> >> > about the origin of a kernel module would be valuable in situations
> >> > where an OS already trusts a specific file system, file, etc, due to
> >> > things like security labels or an existing root of trust to a partition
> >> > through things like dm-verity.
> >> >
> >> > This introduces a new syscall (currently only on x86), similar to
> >> > init_module, that has only two arguments. The first argument is used as
> >> > a file descriptor to the module and the second argument is a pointer to
> >> > the NULL terminated string of module arguments.
> >>
> >> Thanks.  Minor comments follow:
> >
> > Rusty, sorry for bringing this up again, but with Kees' new syscall,
> > which passes in the file descriptor, appraising the integrity of kernel
> > modules could be like appraising the integrity of any other file on the
> > filesystem.  All that would be needed is a new security hook, which is
> > needed in anycase for IMA measurement.
> 
> The second patch in this series provides such a hook.

Thanks! Don't know how I missed it.

> 
> > [...]
> > This method is a consistent and extensible approach to verifying the
> > integrity of file data/metadata, including kernel modules. The only
> > downside to this approach, I think, is that it requires changes to the
> > userspace tool.
> 
> I'm fine with this -- it's an expected change that I'll pursue with
> glibc, kmod, etc. Without the userspace changes, nothing will use the
> new syscall. :) I've already got kmod (and older module-init-tools)
> patched to do this locally.

Great!

Mimi