From: "Marvin P." <theparanoidandroid@nili.ca>
To: linux-fsdevel@vger.kernel.org
Subject: Question: read-only file access in kernel module (verify checksums)
Date: Thu, 05 Jan 2017 16:04:52 -0400 [thread overview]
Message-ID: <a95847e9266ef7f6c7bb46ddb13d33b0@nili.ca> (raw)
In-Reply-To: <fa5c04859017846da289ee09297db83c@nili.ca>
Good day,
I'm going over some code in a kernel module to implement file access
functionality in an LKM. I've gone through Grek KH's lengthy article on
it, and noted the pitfalls (interpreting data, how one should go through
sysfs instead, etc): all good points and duly noted. I have also opted
to go with `filp_open()` and `vfs_read()`, and to verify if the file is
safe to access via `locks_verify_area()`, at the advice of a fellow dev
who works with file systems.
One of the policy/legal requirements I have is that "all due efforts
must be made to only allow process XYZ to access the driver". To
accommodate this, the md5sum of the userspace process/app that talks to
the driver/LKM is hard-coded in the kernel module at build time. When a
process connects to the driver, the full path to the program/binary
associated with the task is acquired via `get_task_mm()`, `d_path()`,
etc, and then passed to `filp_open()` and `vfs_read()` to buffer the
data to the Linux kernel crypto API. If the checksum of the program
matches what is expected, access is permitted. Otherwise, the process is
killed and the attempt logged.
Is it possible to apply an FL_POSIX lock (or file lock in general)
to the file from the module I'm reviewing, so that I can accomplish two
things:
1) Make sure the program binary isn't unlinked or altered while the
module is reading/hashing it, so the module has a guaranteed chance to
finish reading it.
2) Prevent the program binary from being moved, or the symlink used to
access it being altered, while the verification is in place (ie: simple
guard against TOCTTOU attacks). The program lives in /bin typically, but
is accessed via a symlink in /usr/bin for testing.
Since these checks are made very rarely (unless an unauthorized user has
root access to the system and is hammering the kernel module), there is
no concern with it being an expensive operation.
Thank you for your time and assistance.
By Canadian eMail, Nili.ca
next parent reply other threads:[~2017-01-05 20:29 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa5c04859017846da289ee09297db83c@nili.ca>
2017-01-05 20:04 ` Marvin P. [this message]
2017-01-07 4:27 ` Question: read-only file access in kernel module (verify checksums) Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a95847e9266ef7f6c7bb46ddb13d33b0@nili.ca \
--to=theparanoidandroid@nili.ca \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).