From: Rusty Russell <rusty@rustcorp.com.au>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Arnd Bergmann <arnd@arndb.de>,
	James Morris <james.l.morris@oracle.com>,
	Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>,
	Kees Cook <keescook@chromium.org>, Jiri Kosina <jkosina@suse.cz>,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/4] module: add syscall to load module from fd
Date: Thu, 04 Oct 2012 15:09:04 +0930	[thread overview]
Message-ID: <87obki23uv.fsf@rustcorp.com.au> (raw)
In-Reply-To: <CAGXu5jJ5Ap18DmAR6T5REgxffeKp08vtuxB7CXxQ66ntXsf0HA@mail.gmail.com>

Kees Cook <keescook@chromium.org> writes:

> On Thu, Sep 20, 2012 at 3:14 PM, Kees Cook <keescook@chromium.org> wrote:
>> As part of the effort to create a stronger boundary between root and
>> kernel, Chrome OS wants to be able to enforce that kernel modules are
>> being loaded only from our read-only crypto-hash verified (dm_verity)
>> root filesystem. Since the init_module syscall hands the kernel a module
>> as a memory blob, no reasoning about the origin of the blob can be made.
>>
>> Earlier proposals for appending signatures to kernel modules would not be
>> useful in Chrome OS, since it would involve adding an additional set of
>> keys to our kernel and builds for no good reason: we already trust the
>> contents of our root filesystem. We don't need to verify those kernel
>> modules a second time. Having to do signature checking on module loading
>> would slow us down and be redundant. All we need to know is where a
>> module is coming from so we can say yes/no to loading it.
>>
>> If a file descriptor is used as the source of a kernel module, many more
>> things can be reasoned about. In Chrome OS's case, we could enforce that
>> the module lives on the filesystem we expect it to live on.  In the case
>> of IMA (or other LSMs), it would be possible, for example, to examine
>> extended attributes that may contain signatures over the contents of
>> the module.
>>
>> This introduces a new syscall (on x86), similar to init_module, that has
>> only two arguments. The first argument is used as a file descriptor to
>> the module and the second argument is a pointer to the NULL terminated
>> string of module arguments.
>
> Hi Rusty,
>
> Is this likely to land in the 3.7 change window? I'd really like to
> get the syscall number assigned so I can start sending patches to
> glibc, kmod, etc. My tree is here, FWIW:

No, unfortunately it's a little late and there were issues with ARM
signoffs and syscall numbers...

> http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;a=shortlog;h=refs/heads/module-fd-syscall

Messy merge due to the module signing stuff going in :(

Please rebase on top of my kernel.org modules-next branch, and I'll pull
into my modules-wip branch for 3.8.

Thanks,
Rusty.
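
Added example, not part of Kees's patch series or of this reply: a minimal userspace loader that opens a module file, checks which filesystem it lives on, and only then hands the open descriptor to the kernel with the new syscall. It illustrates the "reason about the origin of the blob" point from the patch description: the decision is made on the same open file that will be loaded (fstat on the fd, not stat on a path), so the object checked is the object the kernel reads. Assumptions: the "same st_dev as /" policy stands in for the Chrome OS dm-verity check and is invented here; `load_module_from_fs`, `fd_on_same_fs` and `self_check` are hypothetical names; and the merged syscall (Linux 3.8) takes a third `flags` argument beyond the two described above, passed as 0.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Return 1 if open file `fd` is a regular file on the same filesystem
 * (same st_dev) as `anchor_path`, 0 if on another filesystem, -1 with
 * errno set on error.  fstat() on the descriptor, not stat() on a path:
 * a path can be swapped between check and use, the open file cannot.
 */
int fd_on_same_fs(int fd, const char *anchor_path)
{
	struct stat mod_st, anchor_st;

	if (fstat(fd, &mod_st) != 0)
		return -1;
	if (!S_ISREG(mod_st.st_mode)) {
		errno = EINVAL;
		return -1;
	}
	if (stat(anchor_path, &anchor_st) != 0)
		return -1;
	return mod_st.st_dev == anchor_st.st_dev;
}

/*
 * Open `path`, refuse it unless it passes fd_on_same_fs() against
 * `trusted_root` (assumed policy), then load it with finit_module(2),
 * `params` being the module parameter string.  0 on success, else -1
 * with errno set.  The merged syscall takes a third flags argument.
 */
int load_module_from_fs(const char *path, const char *trusted_root,
			const char *params)
{
	int fd, ok, saved;
	long rc;

	/* O_NOFOLLOW: do not accept a symlink as the final component. */
	fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
	if (fd < 0)
		return -1;

	ok = fd_on_same_fs(fd, trusted_root);
	if (ok != 1) {
		saved = (ok < 0) ? errno : EPERM;
		close(fd);
		errno = saved;
		return -1;
	}

#ifdef SYS_finit_module
	rc = syscall(SYS_finit_module, fd, params, 0);
#else
	rc = -1;
	errno = ENOSYS;	/* libc headers predate the syscall */
#endif
	saved = errno;
	close(fd);
	errno = saved;
	return rc == 0 ? 0 : -1;
}

/*
 * Self-check needing neither root nor a module: a constructed temporary
 * file in /tmp must compare as "same filesystem" with /tmp, and a bad
 * descriptor must be reported as an error.  Returns 1 if both hold.
 */
int self_check(void)
{
	char tmpl[] = "/tmp/finit_example_XXXXXX";	/* constructed input */
	int fd = mkstemp(tmpl);
	int result;

	if (fd < 0)
		return 0;
	result = (fd_on_same_fs(fd, "/tmp") == 1) &&
		 (fd_on_same_fs(-1, "/tmp") == -1);
	close(fd);
	unlink(tmpl);
	return result;
}

int main(int argc, char **argv)
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s module.ko [params]\n", argv[0]);
		return self_check() ? 0 : 1;
	}
	/* Assumed policy: modules must live on the root filesystem. */
	if (load_module_from_fs(argv[1], "/", argc > 2 ? argv[2] : "") != 0) {
		perror("load_module_from_fs");
		return 1;
	}
	return 0;
}
```

A userspace check like this is only a convenience: a root process can bypass the loader and call init_module directly with a memory blob, which is exactly why the series pairs the new syscall with an in-kernel hook (patch 2/4, the kernel_module_from_file LSM hook) so the enforcement, and any IMA xattr inspection of the fd's inode, happens where root cannot skip it.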


Thread overview: 63+ messages
2012-09-20 22:14 [PATCH 1/4] module: add syscall to load module from fd Kees Cook
2012-09-20 22:14 ` [PATCH 2/4] security: introduce kernel_module_from_file hook Kees Cook
2012-09-21 12:42   ` Mimi Zohar
2012-09-20 22:14 ` [PATCH 3/4] ARM: add finit_module syscall to ARM Kees Cook
2012-09-21 13:15   ` Arnd Bergmann
2012-09-21 14:59     ` Russell King
2012-09-21 15:43       ` Kees Cook
2012-09-20 22:15 ` [PATCH 4/4] add finit_module syscall to asm-generic Kees Cook
2012-09-21  2:22 ` [PATCH 1/4] module: add syscall to load module from fd James Morris
2012-09-21  3:07   ` Kees Cook
2012-09-21  3:09   ` Mimi Zohar
2012-09-21 17:56   ` John Johansen
2012-10-03 22:40 ` Kees Cook
2012-10-04  5:39   ` Rusty Russell [this message]
2012-10-04 12:50     ` Mimi Zohar
2012-10-05  3:50       ` Rusty Russell
2012-10-05  7:12         ` Kees Cook
2012-10-04 20:28     ` Kees Cook
2012-10-09 21:54 ` Michael Kerrisk
2012-10-09 21:58   ` H. Peter Anvin
2012-10-09 22:03     ` Michael Kerrisk (man-pages)
2012-10-09 22:09       ` H. Peter Anvin
     [not found]         ` <CAKgNAkjfkbYOQocuGRAKU=0P2CQCvmedhRMJZPnkUMnnxSOsqg@mail.gmail.com>
2012-10-10  5:54           ` Michael Kerrisk (man-pages)
2012-10-11 22:16         ` Rusty Russell
2012-10-12  5:16           ` Michael Kerrisk (man-pages)
2012-10-18  3:12             ` Rusty Russell
2012-10-18  5:39               ` Lucas De Marchi
2012-10-18 12:59               ` Michael Kerrisk (man-pages)
2012-10-22  7:39                 ` Rusty Russell
2012-10-23  2:37                   ` Lucas De Marchi
2012-10-23  3:40                     ` Kees Cook
2012-10-23  4:08                       ` Lucas De Marchi
2012-10-23 15:42                         ` Kees Cook
2012-10-23 15:45                           ` H. Peter Anvin
2012-10-23 16:25                           ` Lucas De Marchi
2012-10-24  3:06                             ` Rusty Russell
2012-10-23  7:38                   ` Michael Kerrisk (man-pages)
2012-10-30 21:57                   ` Kees Cook
2012-11-01  1:03                     ` Rusty Russell
     [not found]                   ` <87sj97hs5e.fsf-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
2012-12-21  0:01                     ` Michael Kerrisk
2012-12-21  0:01                       ` Michael Kerrisk
2013-01-03  0:12                       ` Rusty Russell
2013-01-03  0:12                         ` Rusty Russell
     [not found]                         ` <87fw2j5dlj.fsf-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
2013-01-06 18:59                           ` Michael Kerrisk (man-pages)
2013-01-06 18:59                             ` Michael Kerrisk (man-pages)
     [not found]                             ` <CAKgNAkggu9+AuMRqTFeNy9sJVCMcZVRZx43t=svF=gm+P4DnuQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-06 20:24                               ` Kees Cook
2013-01-06 20:24                                 ` Kees Cook
     [not found]                                 ` <CAGXu5jJXoYO3CzpENAZYANLzySPPjzDVO_qLonqwxUUu1Ux=sg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-07  1:41                                   ` Michael Kerrisk (man-pages)
2013-01-07  1:41                                     ` Michael Kerrisk (man-pages)
2013-01-09 17:29                               ` Lucas De Marchi
2013-01-09 17:29                                 ` Lucas De Marchi
     [not found]                                 ` <CAMOw1v6Jk7adSeppunBe0GaW3w3MREU0_hW68_Fbh2599jctkg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-10  0:55                                   ` Michael Kerrisk (man-pages)
2013-01-10  0:55                                     ` Michael Kerrisk (man-pages)
2012-10-18  4:24           ` H. Peter Anvin
2012-10-18  8:05             ` Michael Kerrisk (man-pages)
2012-10-18 14:26               ` H. Peter Anvin
2012-10-18 15:28                 ` Kees Cook
2012-10-18 15:30                   ` H. Peter Anvin
2012-10-19  2:23                 ` Rusty Russell
2012-10-19  2:54                   ` H. Peter Anvin
2012-10-19 10:46                     ` Alon Ziv
2012-10-20  4:05                     ` Rusty Russell
