Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Hi Igor, [auto build test ERROR on linus/master] [cannot apply to v4.12] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Igor-Stoppa/mm-security-ro-protection-for-dynamic-data/20170711-084116 config: score-spct6600_defconfig (attached as .config) compiler: score-elf-gcc (GCC) 4.9.1 20140622 (prerelease) reproduce: wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=score All errors (new ones prefixed by >>): security/security.o: In function `security_init': >> security.c:(.init.text+0x68): undefined reference to `pmalloc_create_pool' >> security.c:(.init.text+0x98): undefined reference to `pmalloc' >> security.c:(.init.text+0x150): undefined reference to `pmalloc_protect_pool' --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Resending my reply, I mistakenly used the wrong mail account yesterday and my reply didn't et to the ml. On 27/06/17 20:51, Christoph Hellwig wrote: > On Tue, Jun 27, 2017 at 08:33:23PM +0300, Igor Stoppa wrote: [...] >> The default value is disabled, unless SE Linux debugging is turned on. > > Can we please just force it to be read-only? I'm sorry, I'm not quite sure I understand your comment. I'm trying to replicate the behavior of __lsm_ro_after_init: line 1967 @ [1] - Did I get it wrong? thanks, igor [1] https://kernel.googlesource.com/pub/scm/linux/kernel/git/jmorris/linux-security/+/5965453d5e3fb425e6f9d6b4fec403bda3f33107/include/linux/lsm_hooks.h
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
On Tue, Jun 27, 2017 at 08:33:23PM +0300, Igor Stoppa wrote: > From: Igor Stoppa > > This patch shows how it is possible to take advantage of pmalloc: > instead of using the build-time option __lsm_ro_after_init, to decide if > it is possible to keep the hooks modifiable, now this becomes a > boot-time decision, based on the kernel command line. > > This patch relies on: > > "Convert security_hook_heads into explicit array of struct list_head" > Author: Tetsuo Handa > > to break free from the static constraint imposed by the previous > hardening model, based on __ro_after_init. > > The default value is disabled, unless SE Linux debugging is turned on. Can we please just force it to be read-only?
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Hi Igor,
[auto build test ERROR on mmotm/master]
[cannot apply to linus/master linux/master v4.12-rc7 next-20170626]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https://github.com/0day-ci/linux/commits/Igor-Stoppa/ro-protection-for-dynamic-data/20170627-103230
base: git://git.cmpxchg.org/linux-mmotm.git master
config: tile-tilegx_defconfig (attached as .config)
compiler: tilegx-linux-gcc (GCC) 4.6.2
reproduce:
wget
https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O
~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=tile
All errors (new ones prefixed by >>):
init/built-in.o: In function `start_kernel':
init/main.c:678: undefined reference to `pmalloc_init'
security/built-in.o: In function `security_init':
>> security/security.c:75: undefined reference to `pmalloc_create_pool'
>> security/security.c:77: undefined reference to `pmalloc'
>> security/security.c:96: undefined reference to `pmalloc_protect_pool'
vim +75 security/security.c
69 * This should be called early in the kernel initialization sequence.
70 */
71 int __init security_init(void)
72 {
73 enum security_hook_index i;
74
> 75 sec_pool = pmalloc_create_pool("security",
PMALLOC_DEFAULT_ALLOC_ORDER);
76 BUG_ON(!sec_pool);
> 77 hook_heads = pmalloc(sec_pool,
78 sizeof(struct list_head) *
LSM_MAX_HOOK_INDEX);
79 BUG_ON(!hook_heads);
80 for (i = 0; i < LSM_MAX_HOOK_INDEX; i++)
81 INIT_LIST_HEAD(&hook_heads[i]);
82 pr_info("Security Framework initialized\n");
83
84 /*
85 * Load minor LSMs, with the capability module always first.
86 */
87 capability_add_hooks();
88 yama_add_hooks();
89 loadpin_add_hooks();
90
91 /*
92 * Load all the remaining security modules.
93 */
94 do_security_initcalls();
95 if (!dynamic_lsm)
> 96 pmalloc_protect_pool(sec_pool);
97 return 0;
98 }
99
---
0-DAY kernel test infrastructureOpen Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
.config.gz
Description: application/gzip
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Hi Igor, [auto build test ERROR on mmotm/master] [cannot apply to linus/master linux/master v4.12-rc7 next-20170626] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Igor-Stoppa/ro-protection-for-dynamic-data/20170627-103230 base: git://git.cmpxchg.org/linux-mmotm.git master config: ia64-allmodconfig (attached as .config) compiler: ia64-linux-gcc (GCC) 6.2.0 reproduce: wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=ia64 All errors (new ones prefixed by >>): init/built-in.o: In function `start_kernel': (.init.text+0x1832): undefined reference to `pmalloc_init' mm/built-in.o: In function `__check_object_size': (.text+0x14f1b2): undefined reference to `__pmalloc_check_object' security/built-in.o: In function `security_init': >> (.init.text+0x802): undefined reference to `pmalloc_create_pool' security/built-in.o: In function `security_init': >> (.init.text+0x832): undefined reference to `pmalloc' security/built-in.o: In function `security_init': >> (.init.text+0x9d2): undefined reference to `pmalloc_protect_pool' --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
