From: Petr Pavlu <petr.pavlu@suse.com>
To: Siddharth Nayyar <sidnayyar@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
Nicolas Schier <nicolas.schier@linux.dev>,
Arnd Bergmann <arnd@arndb.de>,
linux-kbuild@vger.kernel.org, linux-arch@vger.kernel.org,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 10/10] module loader: enforce symbol import protection
Date: Wed, 8 Oct 2025 17:35:28 +0200 [thread overview]
Message-ID: <75099eaa-4b51-4580-ac82-2c9f892f34b2@suse.com> (raw)
In-Reply-To: <20250829105418.3053274-11-sidnayyar@google.com>
On 8/29/25 12:54 PM, Siddharth Nayyar wrote:
> The module loader will reject unsigned modules from loading if such a
> module attempts to import a symbol which has the import protection bit
> set in the kflagstab entry for the symbol.
>
> Signed-off-by: Siddharth Nayyar <sidnayyar@google.com>
> ---
> [...]
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 4437c2a451ea..ece074a6ba7b 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -380,6 +380,7 @@ static bool find_exported_symbol_in_section(const struct symsearch *syms,
> fsa->crc = symversion(syms->crcs, sym - syms->start);
> fsa->sym = sym;
> fsa->license = (sym_flags & KSYM_FLAG_GPL_ONLY) ? GPL_ONLY : NOT_GPL_ONLY;
> + fsa->is_protected = sym_flags & KSYM_FLAG_PROTECTED;
>
> return true;
> }
> @@ -1273,6 +1274,11 @@ static const struct kernel_symbol *resolve_symbol(struct module *mod,
> goto getname;
> }
>
> + if (fsa.is_protected && !mod->sig_ok) {
> + fsa.sym = ERR_PTR(-EACCES);
> + goto getname;
> + }
> +
> getname:
> /* We must make copy under the lock if we failed to get ref. */
> strscpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
The is_protected check should be moved before the ref_module() call.
Adding a reference to another module should be always the last step,
after all symbol checks have been performed.
> @@ -1550,8 +1556,12 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
> break;
>
> ret = PTR_ERR(ksym) ?: -ENOENT;
> - pr_warn("%s: Unknown symbol %s (err %d)\n",
> - mod->name, name, ret);
> + if (ret == -EACCES)
> + pr_warn("%s: Protected symbol %s (err %d)\n",
> + mod->name, name, ret);
> + else
> + pr_warn("%s: Unknown symbol %s (err %d)\n",
> + mod->name, name, ret);
> break;
>
> default:
I suggest moving the error message about the symbol being protected down
into resolve_symbol(), at the point where this issue is detected. This
approach is generally used for other checks, such as the CRC or
namespace check. Additionally, I think it would make sense to change the
current "Unknown symbol" warning here to "Unresolved symbol" to be more
accurate.
--
Thanks,
Petr
next prev parent reply other threads:[~2025-10-08 15:35 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 10:54 [RFC PATCH 00/10] scalable symbol flags with __kflagstab Siddharth Nayyar
2025-08-29 10:54 ` [PATCH 01/10] define kernel symbol flags Siddharth Nayyar
2025-08-29 10:54 ` [PATCH 02/10] linker: add kflagstab section to vmlinux and modules Siddharth Nayyar
2025-08-29 10:54 ` [PATCH 03/10] modpost: create entries for kflagstab Siddharth Nayyar
2025-08-29 10:54 ` [PATCH 04/10] module loader: use kflagstab instead of *_gpl sections Siddharth Nayyar
2025-10-08 13:19 ` Petr Pavlu
2025-08-29 10:54 ` [PATCH 05/10] modpost: put all exported symbols in ksymtab section Siddharth Nayyar
2025-08-29 10:54 ` [PATCH 06/10] module loader: remove references of *_gpl sections Siddharth Nayyar
2025-10-08 13:22 ` Petr Pavlu
2025-08-29 10:54 ` [PATCH 07/10] linker: remove *_gpl sections from vmlinux and modules Siddharth Nayyar
2025-08-29 10:54 ` [PATCH 08/10] remove references to *_gpl sections in documentation Siddharth Nayyar
2025-10-08 13:24 ` Petr Pavlu
2025-08-29 10:54 ` [PATCH 09/10] modpost: add symbol import protection flag to kflagstab Siddharth Nayyar
2025-10-08 13:35 ` Petr Pavlu
2025-08-29 10:54 ` [PATCH 10/10] module loader: enforce symbol import protection Siddharth Nayyar
2025-10-08 15:35 ` Petr Pavlu [this message]
2025-09-01 12:27 ` [RFC PATCH 00/10] scalable symbol flags with __kflagstab Petr Pavlu
2025-09-03 23:28 ` Sid Nayyar
2025-09-08 10:09 ` Petr Pavlu
2025-09-15 15:53 ` Sid Nayyar
2025-09-22 11:41 ` Petr Pavlu
2025-09-26 0:11 ` Sid Nayyar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75099eaa-4b51-4580-ac82-2c9f892f34b2@suse.com \
--to=petr.pavlu@suse.com \
--cc=arnd@arndb.de \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=nathan@kernel.org \
--cc=nicolas.schier@linux.dev \
--cc=samitolvanen@google.com \
--cc=sidnayyar@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).