Re: Building Hello World LSM

"Thomas F. J.-M. Pasquier" <tfjmp2@xxxxxxxxx> · Mon, 19 Jan 2015 00:29:57 +0000

Here is the security part of the .config:

#
# Security options
#
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_SECURITY_HELLOWORLD=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_HELLOWORLD=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="helloworld"
CONFIG_CRYPTO=y

SELinux is not loading before my module. SELinux was working on the kernel that came with the distribution, did not try to build my kernel with it on. I will try to do so.

Thank you very much,
Thomas

On 19 January 2015 at 00:20, Dave Tian <dave.jing.tian@xxxxxxxxx> wrote:
Did SELinux get loaded before your changes (Fedora uses SELinux by default)? Would you please post your security config? I still suspect that there was sth messed up in the config.

Thanks,
Dave

On Jan 18, 2015, at 7:09 PM, Thomas F. J.-M. Pasquier <tfjmp2@xxxxxxxxx> wrote:

No, other LSM. Checked in the config file. The only one selected is mine and it is set "Default Security Module" when using menuconfig.

On Mon Jan 19 2015 at 12:07:33 AM Tian Dave <dave.jing.tian@xxxxxxxxx> wrote:
Then which LSM was triggered? SELinux? You probably need to disable other LSM before making your LSM work.
Thanks,
Dave

2015-01-18 18:49 GMT-05:00 Thomas F. J.-M. Pasquier <tfjmp2@xxxxxxxxx>:
Hi everyone,
Kernel version 3.17.8

I am trying to build a skeleton LSM module, but I am not having much luck so far. The problem seems to be that the LSM init function is never called.

I am selecting my helloworld LSM when building the kernel and it is set as default (checked and re-checked in menuconfig + in the file).

The build is going fine (my module is built as I would expect). The rest of the building procedure goes fine. I reboot, the new image works just fine except my LSM is not in (nor any other, it seems, for that matter).

Here is the init function:
static __init int hw_init(void){
	/* avoid security registration races */
	if (!security_module_enable(&hw_ops)){
		printk(KERN_INFO "hw:  Disabled at boot.\n");
		return 0;
	}

	printk(KERN_INFO "hw:  Initializing.\n");

	if (register_security(&hw_ops))
		panic("hw: Unable to register with kernel.\n");
	else
		printk(KERN_INFO "hw: registered with the kernel.\n");

	return 0;
}

security_initcall(hw_init);

I looked at how it was done in SELinux and the other security module and I don't seem to be doing things differently or incorrectly. I checked the log level just in case and that's not the issue either.

I am tempted to say the problem come from my building procedure/configuration, rather than the module/code in itself (the dist on top of the kernel is fedora21). I have been at it for a while now and any help would be most welcomed.

Thank you in advance.

Regards,
Thomas

_______________________________________________

Kernelnewbies mailing list

Kernelnewbies@kernelnewbies.org

http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies