linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] ima: log message to module appraisal error
@ 2017-12-04 20:23 Bruno E. O. Meneguele
  2017-12-04 23:35 ` Joe Perches
  0 siblings, 1 reply; 5+ messages in thread
From: Bruno E. O. Meneguele @ 2017-12-04 20:23 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: linux-integrity, linux-ima-devel, linux-security-module, linux-kernel

Simple but useful message log to the user in case of module appraise is
forced and fails due to the lack of file descriptor, that might be
caused by kmod calls to compressed modules.

Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com>
---
 security/integrity/ima/ima_main.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 770654694efc..95ec39910058 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
 
 	if (!file && read_id == READING_MODULE) {
 		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
-		    (ima_appraise & IMA_APPRAISE_ENFORCE))
+		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+			pr_err("impossible to appraise a module without a file \
+			       descriptor. sig_enforce kernel parameter might \
+			       help\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
+		}
 		return 0;	/* We rely on module signature checking */
 	}
 	return 0;
-- 
2.14.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: log message to module appraisal error
  2017-12-04 20:23 [PATCH v2] ima: log message to module appraisal error Bruno E. O. Meneguele
@ 2017-12-04 23:35 ` Joe Perches
  2017-12-05 10:05   ` Bruno E. O. Meneguele
  0 siblings, 1 reply; 5+ messages in thread
From: Joe Perches @ 2017-12-04 23:35 UTC (permalink / raw)
  To: Bruno E. O. Meneguele, Mimi Zohar, Dmitry Kasatkin
  Cc: linux-integrity, linux-ima-devel, linux-security-module, linux-kernel

On Mon, 2017-12-04 at 18:23 -0200, Bruno E. O. Meneguele wrote:
> Simple but useful message log to the user in case of module appraise is
> forced and fails due to the lack of file descriptor, that might be
> caused by kmod calls to compressed modules.
[]
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
[]
> @@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
>  
>  	if (!file && read_id == READING_MODULE) {
>  		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
> -		    (ima_appraise & IMA_APPRAISE_ENFORCE))
> +		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> +			pr_err("impossible to appraise a module without a file \
> +			       descriptor. sig_enforce kernel parameter might \
> +			       help\n");
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You should probably use scripts/checkpatch.pl on your proposed
patches
before sending them.

You've got a lot of tabs and spaces after every line continuation.
Please coalesce the format on a single line and avoid this defect.

			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");

cheers, Joe

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: log message to module appraisal error
  2017-12-04 23:35 ` Joe Perches
@ 2017-12-05 10:05   ` Bruno E. O. Meneguele
  0 siblings, 0 replies; 5+ messages in thread
From: Bruno E. O. Meneguele @ 2017-12-05 10:05 UTC (permalink / raw)
  To: Joe Perches
  Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity, linux-ima-devel,
	linux-security-module, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1397 bytes --]

On 04-12, Joe Perches wrote:
> On Mon, 2017-12-04 at 18:23 -0200, Bruno E. O. Meneguele wrote:
> > Simple but useful message log to the user in case of module appraise is
> > forced and fails due to the lack of file descriptor, that might be
> > caused by kmod calls to compressed modules.
> []
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> []
> > @@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
> >  
> >  	if (!file && read_id == READING_MODULE) {
> >  		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
> > -		    (ima_appraise & IMA_APPRAISE_ENFORCE))
> > +		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> > +			pr_err("impossible to appraise a module without a file \
> > +			       descriptor. sig_enforce kernel parameter might \
> > +			       help\n");
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> You should probably use scripts/checkpatch.pl on your proposed
> patches
> before sending them.
> 
> You've got a lot of tabs and spaces after every line continuation.
> Please coalesce the format on a single line and avoid this defect.
> 
> 			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
> 

Oh gosh, sorry for that. You're right. I'll post a v3, changing to the
way you pointed, soon.

Thanks!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: log message to module appraisal error
  2017-12-05 13:35 Bruno E. O. Meneguele
@ 2017-12-05 13:40 ` Bruno E. O. Meneguele
  0 siblings, 0 replies; 5+ messages in thread
From: Bruno E. O. Meneguele @ 2017-12-05 13:40 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: linux-integrity, linux-ima-devel, linux-security-module, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1536 bytes --]

Ignore this erroneously sent email.
v2 was already superseded by v3.

On 05-12, Bruno E. O. Meneguele wrote:
> Simple but useful message log to the user in case of module appraise is
> forced and fails due to the lack of file descriptor, that might be
> caused by kmod calls to compressed modules.
> 
> Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com>
> ---
>  security/integrity/ima/ima_main.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 770654694efc..95ec39910058 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
>  
>  	if (!file && read_id == READING_MODULE) {
>  		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
> -		    (ima_appraise & IMA_APPRAISE_ENFORCE))
> +		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> +			pr_err("impossible to appraise a module without a file \
> +			       descriptor. sig_enforce kernel parameter might \
> +			       help\n");
>  			return -EACCES;	/* INTEGRITY_UNKNOWN */
> +		}
>  		return 0;	/* We rely on module signature checking */
>  	}
>  	return 0;
> -- 
> 2.14.3
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH v2] ima: log message to module appraisal error
@ 2017-12-05 13:35 Bruno E. O. Meneguele
  2017-12-05 13:40 ` Bruno E. O. Meneguele
  0 siblings, 1 reply; 5+ messages in thread
From: Bruno E. O. Meneguele @ 2017-12-05 13:35 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: linux-integrity, linux-ima-devel, linux-security-module, linux-kernel

Simple but useful message log to the user in case of module appraise is
forced and fails due to the lack of file descriptor, that might be
caused by kmod calls to compressed modules.

Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com>
---
 security/integrity/ima/ima_main.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 770654694efc..95ec39910058 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -366,8 +366,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
 
 	if (!file && read_id == READING_MODULE) {
 		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
-		    (ima_appraise & IMA_APPRAISE_ENFORCE))
+		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+			pr_err("impossible to appraise a module without a file \
+			       descriptor. sig_enforce kernel parameter might \
+			       help\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
+		}
 		return 0;	/* We rely on module signature checking */
 	}
 	return 0;
-- 
2.14.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-12-05 13:40 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-04 20:23 [PATCH v2] ima: log message to module appraisal error Bruno E. O. Meneguele
2017-12-04 23:35 ` Joe Perches
2017-12-05 10:05   ` Bruno E. O. Meneguele
2017-12-05 13:35 Bruno E. O. Meneguele
2017-12-05 13:40 ` Bruno E. O. Meneguele

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).