On Wed, Sep 04, 2013 at 09:51:27PM +0000, Matthew Garrett wrote:
> On Wed, 2013-09-04 at 17:24 -0400, Vivek Goyal wrote:
> > User space kexec-tools need to know whether to verify signature of kernel
> > image being loaded. This patch exports two knobs to user space. One is
> > for knowing if secureboot is enabled, this knob will be set to 1 if secure
> > boot is enabled. Other knob is secure_module_enabled. This knob will be set
> > to 1 if secure modules is one.
>
> How are you verifying that you're really looking at sysfs?

[ CCing kexec fedora list ]

I did what Eric Biederman suggested. I first unshare the mount namespace of
/sbin/kexec from parent. Then I disable any event propagation between mounts.
Then I lazy unmount existing /proc and /sys and remount them. I think this
should make sure that we are seeing /proc and /sys as exported by the kernel?

I will soon post my kexec-tools patches too on this list to show exactly what
I am doing. In short this is what I am doing.

- ret = unshare(CLONE_NEWNS);
- ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
- ret = umount2("/proc", MNT_DETACH);
- ret = mount("none", "/proc", "proc", 0, "");
- ret = umount2("/sys", MNT_DETACH);
- ret = mount("none", "/sys", "sysfs", 0, "");

Thanks
Vivek
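The sequence outlined in the message above, written out with fail-closed error handling and a statfs() check that the remounted paths really are procfs and sysfs. This is an added example, not the kexec-tools patch referred to in the message; the names fs_is and private_proc_sys are hypothetical, and the remount step assumes the caller holds CAP_SYS_ADMIN.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* unshare() and CLONE_NEWNS in <sched.h> */
#endif
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/vfs.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
int unshare(int flags);          /* harmless if <sched.h> already declared it */

/* Values of PROC_SUPER_MAGIC and SYSFS_MAGIC from <linux/magic.h>. */
#define PROCFS_MAGIC_NUM 0x9fa0L
#define SYSFS_MAGIC_NUM  0x62656572L

/* 1 if path lives on a filesystem with this magic, 0 if not, -1 on error. */
int fs_is(const char *path, long magic)
{
    struct statfs st;
    if (statfs(path, &st) != 0)
        return -1;
    return (long)st.f_type == magic;
}

/* Give this process private, freshly mounted /proc and /sys.
 * Returns 0 on success, -errno on the first failing step. */
int private_proc_sys(void)
{
    if (unshare(CLONE_NEWNS) != 0) return -errno;
    /* Stop mount/umount events propagating to or from the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -errno;
    if (umount2("/proc", MNT_DETACH) != 0) return -errno;
    if (mount("none", "/proc", "proc", 0, "") != 0) return -errno;
    if (umount2("/sys", MNT_DETACH) != 0) return -errno;
    if (mount("none", "/sys", "sysfs", 0, "") != 0) return -errno;
    /* Refuse to continue unless the kernel reports the expected fs types. */
    if (fs_is("/proc", PROCFS_MAGIC_NUM) != 1 || fs_is("/sys", SYSFS_MAGIC_NUM) != 1)
        return -EINVAL;
    return 0;
}

int main(void)
{
    int r = private_proc_sys();
    printf("private /proc and /sys: %s\n", r == 0 ? "ok" : strerror(-r));
    return r == 0 ? 0 : 1;
}
```

Without CAP_SYS_ADMIN the first step fails with EPERM and the program exits non-zero, so a caller treats any non-zero result as "do not trust the knobs".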