From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: John Keeping <john@metanate.com>, Mike Snitzer <snitzer@redhat.com>, Sasha Levin <sashal@kernel.org>, dm-devel@redhat.com Subject: [PATCH AUTOSEL 5.4 27/31] dm verity: fix require_signatures module_param permissions Date: Thu, 3 Jun 2021 13:09:15 -0400 [thread overview] Message-ID: <20210603170919.3169112-27-sashal@kernel.org> (raw) In-Reply-To: <20210603170919.3169112-1-sashal@kernel.org> From: John Keeping <john@metanate.com> [ Upstream commit 0c1f3193b1cdd21e7182f97dc9bca7d284d18a15 ] The third parameter of module_param() is permissions for the sysfs node but it looks like it is being used as the initial value of the parameter here. In fact, false here equates to omitting the file from sysfs and does not affect the value of require_signatures. Making the parameter writable is not simple because going from false->true is fine but it should not be possible to remove the requirement to verify a signature. But it can be useful to inspect the value of this parameter from userspace, so change the permissions to make a read-only file in sysfs. Signed-off-by: John Keeping <john@metanate.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/md/dm-verity-verify-sig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c index 614e43db93aa..919154ae4cae 100644 --- a/drivers/md/dm-verity-verify-sig.c +++ b/drivers/md/dm-verity-verify-sig.c @@ -15,7 +15,7 @@ #define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s static bool require_signatures; -module_param(require_signatures, bool, false); +module_param(require_signatures, bool, 0444); MODULE_PARM_DESC(require_signatures, "Verify the roothash of dm-verity hash tree"); -- 2.30.2
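Review bot: In the `module_param(require_signatures, bool, 0444);` line, the reason the node is read-only rather than writable is recorded only in the commit message. A short comment above the line saying that the value must never be lowered from true to false at runtime would keep a later cleanup from widening the mode to a writable one. The unchanged MODULE_PARM_DESC text next to it, "Verify the roothash of dm-verity hash tree", describes verification rather than a requirement for a signature; since the value can now be read from userspace, consider rewording it to say that a signed root hash is required when the parameter is set.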