Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
From: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
Date: Tue, 05 Jun 2018 17:35:13 -0400
Cc: Paul Moore <paul@xxxxxxxxxxxxxx>, linux-integrity <linux-integrity@xxxxxxxxxxxxxxx>, linux-security-module <linux-security-module@xxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, "Luis R . Rodriguez" <mcgrof@xxxxxxxxxx>, Eric Biederman <ebiederm@xxxxxxxxxxxx>, Kexec Mailing List <kexec@xxxxxxxxxxxxxxxxxxx>, Andres Rodriguez <andresx7@xxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>, Jeff Vander Stoep <jeffv@xxxxxxxxxx>, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
In-reply-to: <CAGXu5jLXSEWHorm6=h9+1cP-y8ZX2_ALcra6g9x7Tm-O0kU3DQ@mail.gmail.com>

On Tue, 2018-06-05 at 12:45 -0700, Kees Cook wrote:

> And if you must have a separate enum, please change this to fail
> closed instead of open (and mark the fall-through):
> 
> int rc = -EPERM;
> 
> switch (id) {
> case LOADING_MODULE:
>     rc = loadpin_read_file(NULL, READING_MODULE);
>     /* Fall-through */
> default:
>     break;
> }

This will fail the sysfs firmware fallback loading and the kexec_load
syscall without any message, as you have for init_module.  Is that
what you want?

Mimi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Follow-Ups:
- Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
  - From: Kees Cook

References:
- [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures
  - From: Mimi Zohar
- [PATCH v4 8/8] module: replace the existing LSM hook in init_module
  - From: Mimi Zohar
- Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module
  - From: Paul Moore
- Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module
  - From: Mimi Zohar
- Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module
  - From: Paul Moore
- [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
  - From: Mimi Zohar
- Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
  - From: Kees Cook

Prev by Date: violations and invalidated PCR value
Next by Date: Re: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions
Previous by thread: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
Next by thread: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
Index(es):
- Date
- Thread

[Index of Archives] [Linux Kernel] [Linux Kernel Hardening] [Linux NFS] [Linux NILFS] [Linux USB Devel] [Video for Linux] [Linux Audio Users] [Yosemite News] [Linux SCSI]