Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Hi Igor,

[auto build test ERROR on linus/master]
[cannot apply to v4.12]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Igor-Stoppa/mm-security-ro-protection-for-dynamic-data/20170711-084116
config: score-spct6600_defconfig (attached as .config)
compiler: score-elf-gcc (GCC) 4.9.1 20140622 (prerelease)
reproduce:
        wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=score

All errors (new ones prefixed by >>):

   security/security.o: In function `security_init':
>> security.c:(.init.text+0x68): undefined reference to `pmalloc_create_pool'
>> security.c:(.init.text+0x98): undefined reference to `pmalloc'
>> security.c:(.init.text+0x150): undefined reference to `pmalloc_protect_pool'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Resending my reply, I mistakenly used the wrong mail account yesterday and my reply didn't get to the ml.

On 27/06/17 20:51, Christoph Hellwig wrote:
> On Tue, Jun 27, 2017 at 08:33:23PM +0300, Igor Stoppa wrote:

[...]

>> The default value is disabled, unless SE Linux debugging is turned on.
>
> Can we please just force it to be read-only?

I'm sorry, I'm not quite sure I understand your comment.
I'm trying to replicate the behavior of __lsm_ro_after_init: line 1967 @ [1]

Did I get it wrong?

thanks, igor

[1] https://kernel.googlesource.com/pub/scm/linux/kernel/git/jmorris/linux-security/+/5965453d5e3fb425e6f9d6b4fec403bda3f33107/include/linux/lsm_hooks.h
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
On Tue, Jun 27, 2017 at 08:33:23PM +0300, Igor Stoppa wrote:
> From: Igor Stoppa
>
> This patch shows how it is possible to take advantage of pmalloc:
> instead of using the build-time option __lsm_ro_after_init, to decide if
> it is possible to keep the hooks modifiable, now this becomes a
> boot-time decision, based on the kernel command line.
>
> This patch relies on:
>
> "Convert security_hook_heads into explicit array of struct list_head"
> Author: Tetsuo Handa
>
> to break free from the static constraint imposed by the previous
> hardening model, based on __ro_after_init.
>
> The default value is disabled, unless SE Linux debugging is turned on.

Can we please just force it to be read-only?
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Hi Igor,

[auto build test ERROR on mmotm/master]
[cannot apply to linus/master linux/master v4.12-rc7 next-20170626]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Igor-Stoppa/ro-protection-for-dynamic-data/20170627-103230
base:   git://git.cmpxchg.org/linux-mmotm.git master
config: tile-tilegx_defconfig (attached as .config)
compiler: tilegx-linux-gcc (GCC) 4.6.2
reproduce:
        wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=tile

All errors (new ones prefixed by >>):

   init/built-in.o: In function `start_kernel':
   init/main.c:678: undefined reference to `pmalloc_init'
   security/built-in.o: In function `security_init':
>> security/security.c:75: undefined reference to `pmalloc_create_pool'
>> security/security.c:77: undefined reference to `pmalloc'
>> security/security.c:96: undefined reference to `pmalloc_protect_pool'

vim +75 security/security.c

    69	 * This should be called early in the kernel initialization sequence.
    70	 */
    71	int __init security_init(void)
    72	{
    73		enum security_hook_index i;
    74	
  > 75		sec_pool = pmalloc_create_pool("security", PMALLOC_DEFAULT_ALLOC_ORDER);
    76		BUG_ON(!sec_pool);
  > 77		hook_heads = pmalloc(sec_pool,
    78				     sizeof(struct list_head) * LSM_MAX_HOOK_INDEX);
    79		BUG_ON(!hook_heads);
    80		for (i = 0; i < LSM_MAX_HOOK_INDEX; i++)
    81			INIT_LIST_HEAD(&hook_heads[i]);
    82		pr_info("Security Framework initialized\n");
    83	
    84		/*
    85		 * Load minor LSMs, with the capability module always first.
    86		 */
    87		capability_add_hooks();
    88		yama_add_hooks();
    89		loadpin_add_hooks();
    90	
    91		/*
    92		 * Load all the remaining security modules.
    93		 */
    94		do_security_initcalls();
    95		if (!dynamic_lsm)
  > 96			pmalloc_protect_pool(sec_pool);
    97		return 0;
    98	}
    99	
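As an added illustration (not code from the patch, from pmalloc or from the kernel), here is a userspace model of the pattern in the security_init() listing above: the hook heads live in a pool that is sealed read-only once initialisation is done, unless dynamic_lsm was requested. The struct pool, pool_create(), pool_protect() and init_hooks() names are hypothetical, and mprotect() stands in for whatever pmalloc_protect_pool() does to the page tables; the write_faults() probe is there so the read-only outcome can be checked rather than assumed.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical userspace stand-in for a pmalloc pool (not the kernel code): an
 * anonymous RW mapping that is sealed read-only with mprotect() after init. */
struct pool { unsigned char *base; size_t size; };
struct list_head { struct list_head *next, *prev; };

static int pool_create(struct pool *p, size_t size) {
    long pg = sysconf(_SC_PAGESIZE);
    p->size = (size + pg - 1) / pg * pg;
    p->base = mmap(NULL, p->size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p->base == MAP_FAILED ? -1 : 0;
}

/* Stand-in for pmalloc_protect_pool(): from here on every store must fault. */
static int pool_protect(struct pool *p) {
    return mprotect(p->base, p->size, PROT_READ);
}

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Probe: 1 if a store to addr faults (the page really is read-only), else 0. */
static int write_faults(volatile unsigned char *addr) {
    struct sigaction sa = {0}, old;
    int faulted = 1;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) { *addr = 0x42; faulted = 0; }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Mirrors security_init() from the report: hook_heads live in the pool, get
 * initialised, and the pool is sealed unless dynamic_lsm was requested.
 * Returns 1 if the heads ended up read-only, 0 if writable, -1 on error. */
static int init_hooks(struct pool *p, int dynamic_lsm, size_t nheads) {
    struct list_head *heads = (struct list_head *)p->base;
    if (sizeof(*heads) * nheads > p->size) return -1;
    for (size_t i = 0; i < nheads; i++) heads[i].next = heads[i].prev = &heads[i];
    if (!dynamic_lsm && pool_protect(p)) return -1;
    return write_faults((volatile unsigned char *)heads);
}
```

With dynamic_lsm left at its default of 0 the probe store faults, which is the property the read-only hardening depends on; with dynamic_lsm set the same store silently succeeds.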
Re: [PATCH 3/3] Make LSM Writable Hooks a command line option
Hi Igor,

[auto build test ERROR on mmotm/master]
[cannot apply to linus/master linux/master v4.12-rc7 next-20170626]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Igor-Stoppa/ro-protection-for-dynamic-data/20170627-103230
base:   git://git.cmpxchg.org/linux-mmotm.git master
config: ia64-allmodconfig (attached as .config)
compiler: ia64-linux-gcc (GCC) 6.2.0
reproduce:
        wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=ia64

All errors (new ones prefixed by >>):

   init/built-in.o: In function `start_kernel':
   (.init.text+0x1832): undefined reference to `pmalloc_init'
   mm/built-in.o: In function `__check_object_size':
   (.text+0x14f1b2): undefined reference to `__pmalloc_check_object'
   security/built-in.o: In function `security_init':
>> (.init.text+0x802): undefined reference to `pmalloc_create_pool'
   security/built-in.o: In function `security_init':
>> (.init.text+0x832): undefined reference to `pmalloc'
   security/built-in.o: In function `security_init':
>> (.init.text+0x9d2): undefined reference to `pmalloc_protect_pool'