Re: Building Hello World LSM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ok, re-built activating with SELinux and it is not working either. My problem seems indeed to be my build process rather than anything relating to my code :(. However, it does not get me closer of understanding what I am doing wrong. Here is the security config for the build with SELinux on:

#
# Security options
#
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
# CONFIG_SECURITY_HELLOWORLD is not set
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_CRYPTO=y

Thanks a lot Dave for pointing in the right direction.

Thomas

On 19 January 2015 at 00:29, Thomas F. J.-M. Pasquier <tfjmp2@xxxxxxxxx> wrote:
Here is the security part of the .config:

#
# Security options
#
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_SECURITY_HELLOWORLD=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_HELLOWORLD=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="helloworld"
CONFIG_CRYPTO=y


SELinux is not loading before my module. SELinux was working on the kernel that came with the distribution, did not try to build my kernel with it on. I will try to do so.

Thank you very much,
Thomas

On 19 January 2015 at 00:20, Dave Tian <dave.jing.tian@xxxxxxxxx> wrote:
Did SELinux get loaded before your changes (Fedora uses SELinux by default)? Would you please post your security config? I still suspect that there was sth messed up in the config.

Thanks,
Dave


On Jan 18, 2015, at 7:09 PM, Thomas F. J.-M. Pasquier <tfjmp2@xxxxxxxxx> wrote:

No, other LSM. Checked in the config file. The only one selected is mine and it is set "Default Security Module" when using menuconfig.

On Mon Jan 19 2015 at 12:07:33 AM Tian Dave <dave.jing.tian@xxxxxxxxx> wrote:
Then which LSM was triggered? SELinux? You probably need to disable other LSM before making your LSM work.

Thanks,
Dave

2015-01-18 18:49 GMT-05:00 Thomas F. J.-M. Pasquier <tfjmp2@xxxxxxxxx>:
Hi everyone,

Kernel version 3.17.8

I am trying to build a skeleton LSM module, but I am not having much luck so far. The problem seems to be that the LSM init function is never called.

I am selecting my helloworld LSM when building the kernel and it is set as default (checked and re-checked in menuconfig + in the file).

The build is going fine (my module is built as I would expect). The rest of the building procedure goes fine. I reboot, the new image works just fine except my LSM is not in (nor any other, it seems, for that matter).

Here is the init function:
static __init int hw_init(void){
/* avoid security registration races */
if (!security_module_enable(&hw_ops)){
printk(KERN_INFO "hw:  Disabled at boot.\n");
return 0;
}

printk(KERN_INFO "hw:  Initializing.\n");

if (register_security(&hw_ops))
panic("hw: Unable to register with kernel.\n");
else
printk(KERN_INFO "hw: registered with the kernel.\n");

return 0;
}

security_initcall(hw_init);

I looked at how it was done in SELinux and the other security module and I don't seem to be doing things differently or incorrectly. I checked the log level just in case and that's not the issue either.

I am tempted to say the problem come from my building procedure/configuration, rather than the module/code in itself (the dist on top of the kernel is fedora21). I have been at it for a while now and any help would be most welcomed.

Thank you in advance.

Regards,
Thomas



_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies





_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux