From: Allen Webb <allenwebb@google.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: "linux-modules@vger.kernel.org" <linux-modules@vger.kernel.org>,
"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>
Subject: Re: [PATCH v9 10/10] docs: Include modules.builtin.alias
Date: Mon, 19 Dec 2022 15:40:42 -0600 [thread overview]
Message-ID: <CAJzde07K0siUs-eKfXxVp7R47hF8TdADGeTEvFtwxHVg9NV7FA@mail.gmail.com> (raw)
In-Reply-To: <Y6DWaODE5F9x+Qq1@bombadil.infradead.org>
On Mon, Dec 19, 2022 at 3:23 PM Luis Chamberlain <mcgrof@kernel.org> wrote:
>
> On Mon, Dec 19, 2022 at 02:46:18PM -0600, Allen Webb wrote:
> > Update the documentation to include the presense and use case of
> > modules.builtin.alias.
> >
> > Signed-off-by: Allen Webb <allenwebb@google.com>
> > ---
> > Documentation/kbuild/kbuild.rst | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/Documentation/kbuild/kbuild.rst b/Documentation/kbuild/kbuild.rst
> > index 08f575e6236c..1c7c02040a54 100644
> > --- a/Documentation/kbuild/kbuild.rst
> > +++ b/Documentation/kbuild/kbuild.rst
> > @@ -17,6 +17,12 @@ modules.builtin
> > This file lists all modules that are built into the kernel. This is used
> > by modprobe to not fail when trying to load something builtin.
> >
> > +modules.builtin.alias
> > +---------------------
> > +This file lists all match-id based aliases for modules built into the kernel.
> > +These are intended to enable userspace to make authorization decisions based
> > +on which modules are likely to be bound to a device after it is authorized.
>
> What is an example? This sounds obscure.
Many of the devices that match the usb_storage driver only specify the
vendor id, product id, and device id (VID:PID:D) and do not match
against device class, interface class, etc. Here are some examples
from modules.alias: A grep for wildcards in these fields yields 6136
matches:
grep 'dc\*dsc\*dp\*ic\*isc\*ip\*in\*'
/lib/modules/5.19.11-1rodete1-amd64/modules.alias | wc -l
6136
To write USBGuard policy that only authorizes devices that bind to a
particular module the policy needs to be aware of all these VID:PID:D
which can change between kernel versions.
This is done at runtime rather than excluding modules from the build
because some devices are not needed at or before login or when a
device is locked. By not authorizing new devices that would bind to a
set of modules, these modules become unreachable to an attacker who
seeks to exploit kernel bugs in those modules.
I could add this detail to the documentation file, but I was trying to
keep the description to about the same length as the others around it.
>
> Luis
next prev parent reply other threads:[~2022-12-19 21:41 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAJzde06+FXNpyBzT+NfS2GCfqEERMkGDpdsmHQj=v1foLJW4Cw@mail.gmail.com>
2022-11-29 22:43 ` [PATCH v3] modules: add modalias file to sysfs for modules Allen Webb
2022-11-30 7:06 ` Greg Kroah-Hartman
2022-11-30 22:14 ` [PATCH v4] " Allen Webb
2022-12-01 4:33 ` kernel test robot
2022-12-01 6:06 ` Greg Kroah-Hartman
2022-12-01 9:46 ` kernel test robot
2022-12-08 2:34 ` [PATCH v3] " Luis Chamberlain
2022-12-08 14:22 ` Allen Webb
2022-12-08 15:20 ` Greg Kroah-Hartman
2022-12-16 22:16 ` [PATCH v7 0/5] Generate modules.builtin.alias from match ids Allen Webb
2022-12-16 22:16 ` [PATCH v7 1/5] module.h: MODULE_DEVICE_TABLE for built-in modules Allen Webb
2022-12-17 3:49 ` kernel test robot
2022-12-17 3:59 ` kernel test robot
2022-12-17 4:50 ` kernel test robot
2022-12-17 10:05 ` Christophe Leroy
2022-12-19 15:56 ` Allen Webb
2022-12-16 22:17 ` [PATCH v7 2/5] modpost: Track module name " Allen Webb
2022-12-17 10:08 ` Christophe Leroy
2022-12-16 22:17 ` [PATCH v7 3/5] modpost: Add -b option for emitting built-in aliases Allen Webb
2022-12-17 10:10 ` Christophe Leroy
2022-12-16 22:17 ` [PATCH v7 4/5] file2alias.c: Implement builtin.alias generation Allen Webb
2022-12-17 0:47 ` kernel test robot
2022-12-17 3:09 ` kernel test robot
2022-12-17 10:13 ` Christophe Leroy
2022-12-16 22:17 ` [PATCH v7 5/5] build: Add modules.builtin.alias Allen Webb
2022-12-19 19:18 ` [PATCH v8 0/9] Generate modules.builtin.alias from match ids Allen Webb
2022-12-19 19:18 ` [PATCH v8 1/9] imx: Fix typo Allen Webb
2022-12-19 19:21 ` Greg Kroah-Hartman
2022-12-19 19:55 ` Allen Webb
2022-12-19 19:18 ` [PATCH v8 2/9] rockchip-mailbox: " Allen Webb
2022-12-19 19:18 ` [PATCH v8 3/9] scsi/BusLogic: Always include device id table Allen Webb
2022-12-19 19:18 ` [PATCH v8 4/9] stmpe-spi: Fix typo Allen Webb
2022-12-19 19:18 ` [PATCH v8 5/9] module.h: MODULE_DEVICE_TABLE for built-in modules Allen Webb
2022-12-19 19:18 ` [PATCH v8 6/9] modpost: Track module name " Allen Webb
2022-12-19 19:18 ` [PATCH v8 7/9] modpost: Add -b option for emitting built-in aliases Allen Webb
2022-12-19 19:18 ` [PATCH v8 8/9] file2alias.c: Implement builtin.alias generation Allen Webb
2022-12-19 19:18 ` [PATCH v8 9/9] build: Add modules.builtin.alias Allen Webb
2022-12-19 20:06 ` [PATCH v8 0/9] Generate modules.builtin.alias from match ids Luis Chamberlain
2022-12-19 20:42 ` Allen Webb
2022-12-19 20:46 ` [PATCH v9 00/10] " Allen Webb
2022-12-19 20:46 ` [PATCH v9 01/10] imx: Fix typo Allen Webb
2022-12-19 21:23 ` Luis Chamberlain
2022-12-20 6:42 ` Greg Kroah-Hartman
2022-12-20 14:26 ` Allen Webb
2022-12-20 14:32 ` Greg Kroah-Hartman
2022-12-20 14:45 ` Allen Webb
2022-12-19 20:46 ` [PATCH v9 02/10] rockchip-mailbox: " Allen Webb
2022-12-20 6:46 ` Greg Kroah-Hartman
2022-12-20 14:58 ` Allen Webb
2022-12-20 18:12 ` Luis Chamberlain
2022-12-20 18:19 ` Allen Webb
2022-12-20 18:47 ` Luis Chamberlain
2022-12-20 19:49 ` Allen Webb
2022-12-20 20:03 ` Luis Chamberlain
2022-12-20 21:57 ` Allen Webb
2022-12-20 23:09 ` Luis Chamberlain
2022-12-27 17:42 ` Allen Webb
2023-01-10 0:25 ` Luis Chamberlain
2023-01-09 11:54 ` Nick Alcock
2023-01-10 18:20 ` Allen Webb
2022-12-19 20:46 ` [PATCH v9 03/10] scsi/BusLogic: Always include device id table Allen Webb
2022-12-19 20:46 ` [PATCH v9 04/10] stmpe-spi: Fix typo Allen Webb
2022-12-19 20:46 ` [PATCH v9 05/10] module.h: MODULE_DEVICE_TABLE for built-in modules Allen Webb
2022-12-20 6:45 ` Greg Kroah-Hartman
2022-12-20 16:36 ` Allen Webb
2022-12-19 20:46 ` [PATCH v9 06/10] modpost: Track module name " Allen Webb
2022-12-19 20:46 ` [PATCH v9 07/10] modpost: Add -b option for emitting built-in aliases Allen Webb
2022-12-20 6:43 ` Greg Kroah-Hartman
2022-12-20 17:32 ` Allen Webb
2022-12-19 20:46 ` [PATCH v9 08/10] file2alias.c: Implement builtin.alias generation Allen Webb
2022-12-19 20:46 ` [PATCH v9 09/10] build: Add modules.builtin.alias Allen Webb
2022-12-19 20:46 ` [PATCH v9 10/10] docs: Include modules.builtin.alias Allen Webb
2022-12-19 20:49 ` Allen Webb
2022-12-19 21:23 ` Luis Chamberlain
2022-12-19 21:40 ` Allen Webb [this message]
2022-12-19 22:07 ` Luis Chamberlain
2022-12-19 22:20 ` Allen Webb
2022-12-19 22:51 ` Luis Chamberlain
2022-12-19 20:46 ` [PATCH v9 10/10] Documentation: " Allen Webb
2023-04-06 19:00 ` [PATCH v10 00/11] Generate modules.builtin.alias from match ids Allen Webb
2023-04-06 19:00 ` [PATCH v10 01/11] rockchip-mailbox: Remove unneeded MODULE_DEVICE_TABLE Allen Webb
2023-04-06 19:00 ` [PATCH v10 02/11] scsi/BusLogic: Always include device id table Allen Webb
2023-04-06 19:00 ` [PATCH v10 03/11] stmpe-spi: Fix MODULE_DEVICE_TABLE entries Allen Webb
2023-05-24 6:52 ` Luis Chamberlain
2023-05-24 6:52 ` Luis Chamberlain
2023-04-06 19:00 ` [PATCH v10 04/11] module.h: MODULE_DEVICE_TABLE for built-in modules Allen Webb
2023-05-24 6:44 ` Luis Chamberlain
2023-04-06 19:00 ` [PATCH v10 05/11] modpost: Track module name " Allen Webb
2023-04-20 9:47 ` Greg KH
2023-05-24 6:50 ` Luis Chamberlain
2023-04-06 19:00 ` [PATCH v10 06/11] modpost: Add -b option for emitting built-in aliases Allen Webb
2023-05-24 6:54 ` Luis Chamberlain
2023-04-06 19:00 ` [PATCH v10 07/11] file2alias.c: Implement builtin.alias generation Allen Webb
2023-05-24 7:00 ` Luis Chamberlain
2023-04-06 19:00 ` [PATCH v10 08/11] build: Add modules.builtin.alias Allen Webb
2023-05-24 7:02 ` Luis Chamberlain
2023-07-19 19:51 ` Allen Webb
2023-07-26 18:30 ` Luis Chamberlain
2023-04-06 19:00 ` [PATCH v10 09/11] Documentation: Include modules.builtin.alias Allen Webb
2023-04-06 19:00 ` [PATCH v10 10/11] Documentation: Update writing_usb_driver for built-in modules Allen Webb
2023-04-06 19:00 ` [PATCH v10 11/11] Documentation: add USB authorization document to driver-api Allen Webb
2023-04-20 9:51 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJzde07K0siUs-eKfXxVp7R47hF8TdADGeTEvFtwxHVg9NV7FA@mail.gmail.com \
--to=allenwebb@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=rafael@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.