Re: [RFC PATCH] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Thread Luis R. Rodriguez
On Fri, Nov 10, 2017 at 12:13 PM, Mimi Zohar wrote:
> On Fri, 2017-11-10 at 12:58 -0500, Mimi Zohar wrote:
>>
>> +
>> +static struct security_hook_list fw_lockdown_hooks[] = {
>> +	LSM_HOOK_INIT(fw_lockdown_file_check, fw_lockdown_bprm_check)
>
> Sigh, that should

Re: [RFC PATCH] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Thread Mimi Zohar
On Fri, 2017-11-10 at 12:58 -0500, Mimi Zohar wrote:
>
> +
> +static struct security_hook_list fw_lockdown_hooks[] = {
> +	LSM_HOOK_INIT(fw_lockdown_file_check, fw_lockdown_bprm_check)

Sigh, that should have been:

LSM_HOOK_INIT(kernel_read_file, fw_lockdown_read_file)

> +};
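Review bot: the first argument of LSM_HOOK_INIT() has to name an existing LSM hook, and fw_lockdown_file_check is not one, so the hunk as posted would not build; the corrected entry given in this reply, LSM_HOOK_INIT(kernel_read_file, fw_lockdown_read_file), is the right hook for firmware loads, and fw_lockdown_read_file() should check the kernel_read_file_id it is passed (READING_FIRMWARE) so that only firmware reads are refused and other kernel file reads are left to the other LSMs.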

Re: [RFC PATCH] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Thread Mimi Zohar
On Fri, 2017-11-10 at 20:35 +0100, Luis R. Rodriguez wrote:
> On Fri, Nov 10, 2017 at 12:58:23PM -0500, Mimi Zohar wrote:
> > Hi David,
> >
> > If you are interested in preventing the loading of unsigned firmware,
> > the patch below is straightforward.  The patch has ONLY been tested
> > with

Re: [RFC PATCH] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Thread Luis R. Rodriguez
On Fri, Nov 10, 2017 at 12:58:23PM -0500, Mimi Zohar wrote:
> Hi David,
>
> If you are interested in preventing the loading of unsigned firmware,
> the patch below is straightforward.  The patch has ONLY been tested
> with IMA-appraisal enabled, and works as intended - allowing only
> signed

[RFC PATCH] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Thread Mimi Zohar
Hi David,

If you are interested in preventing the loading of unsigned firmware,
the patch below is straightforward.  The patch has ONLY been tested
with IMA-appraisal enabled, and works as intended - allowing only
signed firmware to be loaded.

Mimi

---

If the kernel is locked down and
