From: Serge Hallyn <serge.hallyn@canonical.com>
To: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Cc: zohar@linux.vnet.ibm.com, jmorris@namei.org,
rusty@rustcorp.com.au, dhowells@redhat.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC v2 4/7] modsig: add integrity_module_check hook
Date: Wed, 15 Aug 2012 15:16:35 -0500 [thread overview]
Message-ID: <20120815201635.GB10088@amd1> (raw)
In-Reply-To: <68a6f647ca1d4429d6b781b6cfeed9c93a346c14.1345055639.git.dmitry.kasatkin@intel.com>
Quoting Dmitry Kasatkin (dmitry.kasatkin@intel.com):
> IMA measures/appraises modules when modprobe or insmod opens and read them.
> Unfortunately, there are no guarantees between what is read by userspace and
> what is passed to the kernel via load_module system call. This patch adds a
> hook called integrity_module_check() to verify the integrity of the module
> being loaded.
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> ---
> include/linux/integrity.h | 10 ++++++++++
> kernel/module.c | 9 +++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/include/linux/integrity.h b/include/linux/integrity.h
> index 66c5fe9..a80ec06 100644
> --- a/include/linux/integrity.h
> +++ b/include/linux/integrity.h
> @@ -37,4 +37,14 @@ static inline void integrity_inode_free(struct inode *inode)
> return;
> }
> #endif /* CONFIG_INTEGRITY_H */
> +
> +#ifdef CONFIG_INTEGRITY_MODULES
> +int integrity_module_check(const void *hdr, const unsigned long len);
sadly not bisect-safe, since integrity_module_check() is defined in
the next patch.
> +#else
> +static inline int integrity_module_check(const void *buf, unsigned long len)
> +{
> + return 0;
> +}
> +#endif
> +
> #endif /* _LINUX_INTEGRITY_H */
> diff --git a/kernel/module.c b/kernel/module.c
> index 4edbd9c..791da47 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -58,6 +58,7 @@
> #include <linux/jump_label.h>
> #include <linux/pfn.h>
> #include <linux/bsearch.h>
> +#include <linux/integrity.h>
>
> #define CREATE_TRACE_POINTS
> #include <trace/events/module.h>
> @@ -2437,6 +2438,14 @@ static int copy_and_check(struct load_info *info,
>
> info->hdr = hdr;
> info->len = len;
> +
> + err = integrity_module_check(hdr, len);
> + if (err < 0)
> + goto free_hdr;
> +
> + /* cut signature tail */
> + info->len = err;
> +
> return 0;
>
> free_hdr:
> --
> 1.7.9.5
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-08-15 20:16 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-15 18:43 [RFC v2 0/7] modsig: signature based kernel module integrity verfication Dmitry Kasatkin
2012-08-15 18:43 ` [RFC v2 1/7] integrity: added digest calculation function Dmitry Kasatkin
2012-08-15 20:11 ` Serge Hallyn
2012-08-15 21:11 ` Kasatkin, Dmitry
2012-08-16 20:32 ` Kasatkin, Dmitry
2012-08-16 21:39 ` Serge Hallyn
2012-08-20 2:59 ` Rusty Russell
2012-08-22 16:38 ` Kasatkin, Dmitry
2012-08-15 18:43 ` [RFC v2 2/7] keys: initialize root uid and session keyrings early Dmitry Kasatkin
2012-08-16 18:26 ` Josh Boyer
2012-08-16 19:08 ` Mimi Zohar
2012-08-16 19:13 ` Josh Boyer
2012-08-16 19:45 ` Mimi Zohar
2012-08-16 19:59 ` Josh Boyer
2012-08-16 20:01 ` Mimi Zohar
2012-08-17 21:27 ` Eric W. Biederman
2012-08-15 18:43 ` [RFC v2 3/7] integrity: create and inititialize a keyring with builtin public key Dmitry Kasatkin
2012-08-16 18:37 ` Josh Boyer
2012-08-16 19:28 ` Mimi Zohar
2012-08-17 6:06 ` Kasatkin, Dmitry
2012-08-16 21:11 ` Kasatkin, Dmitry
2012-08-15 18:43 ` [RFC v2 4/7] modsig: add integrity_module_check hook Dmitry Kasatkin
2012-08-15 20:16 ` Serge Hallyn [this message]
2012-08-15 21:13 ` Kasatkin, Dmitry
2012-08-17 5:45 ` Kasatkin, Dmitry
2012-08-16 18:49 ` Josh Boyer
2012-08-16 19:56 ` Kasatkin, Dmitry
2012-09-03 23:06 ` Rusty Russell
2012-08-15 18:43 ` [RFC v2 5/7] modsig: verify module integrity based on signature Dmitry Kasatkin
2012-08-15 18:43 ` [RFC v2 6/7] modsig: initialize the _module public key keyring Dmitry Kasatkin
2012-08-16 18:54 ` Josh Boyer
2012-08-16 19:57 ` Mimi Zohar
2012-08-15 18:43 ` [RFC v2 7/7] modsig: build rules and scripts to generate keys and sign modules Dmitry Kasatkin
2012-08-16 19:10 ` Josh Boyer
2012-08-16 20:12 ` Kasatkin, Dmitry
2012-08-16 20:31 ` Josh Boyer
2012-08-16 21:04 ` Kasatkin, Dmitry
2012-08-17 0:53 ` Mimi Zohar
2012-08-17 11:40 ` Josh Boyer
2012-08-17 17:08 ` Mimi Zohar
2012-08-17 17:44 ` Josh Boyer
2012-08-17 17:52 ` Josh Boyer
2012-08-20 1:05 ` Mimi Zohar
2012-08-20 12:32 ` Josh Boyer
2012-08-20 13:13 ` Mimi Zohar
2012-08-20 14:23 ` Josh Boyer
2012-08-16 20:12 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120815201635.GB10088@amd1 \
--to=serge.hallyn@canonical.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).