Re: [PATCH] Add kernel parameter to blacklist modules

From: Rusty Russell <rusty@rustcorp.com.au>
To: Prarit Bhargava <prarit@redhat.com>, linux-kernel@vger.kernel.org
Cc: Prarit Bhargava <prarit@redhat.com>,
	Jonathan Corbet <corbet@lwn.net>,
	linux-doc@vger.kernel.org
Subject: Re: [PATCH] Add kernel parameter to blacklist modules
Date: Tue, 14 Jun 2016 06:53:57 +0930	[thread overview]
Message-ID: <87h9cw7pg2.fsf@rustcorp.com.au> (raw)
In-Reply-To: <1465821161-13889-1-git-send-email-prarit@redhat.com>

Prarit Bhargava <prarit@redhat.com> writes:
> Blacklisting a module in linux has long been a problem.  The process of
> blacklisting a module has changed over time, and it seems that every OS
> does it slightly differently and depends on the age of the init system
> used on that OS.

Hi Prarit,

        I don't mind the idea, but we can refine the implementation a
little I think.

1) Use core_param(module_blacklist, module_blacklist, charp, 0400)
   instead of __setup().  I'd like to kill __setup(), really.
2) Simply search the blacklist string at load time, no new datastructures.

Not completely sure about #2, but I think it'll be fairly neat.

Thanks,
Rusty.

> The current Fedora/systemd procedure is to use rd.blacklist=module_name,
> however, that doesn't cover the case after the initramfs and before a boot
> prompt (where one is supposed to use /etc/modprobe.d/blacklist.conf to
> blacklist runtime loading). Using rd.shell to get an early prompt is
> hit-or-miss, and doesn't cover all situations AFAICT.  Explaining all of this
> to an end user isn't trivial.  This becomes especially difficult when
> attempting to blacklist a module during system install from RO media.
>
> This patch adds this functionality of blacklisting a module by its name
> via the kernel parameter module_blacklist=module_name.  The parameter
> can also accept comma separated values.
>
> Usage example:
>
> [root@intel-mohonpeak-02 ~]# insmod /home/dummy-module/dummy-module.ko
> insmod: ERROR: could not insert module /home/rhel7/redhat/debug/dummy-module/dummy-module.ko: Operation not permitted
> [root@intel-mohonpeak-02 ~]# dmesg | grep black
> [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.7.0-rc2+ root=/dev/mapper/rhel_intel--mohonpeak--02-root ro crashkernel=auto rd.lvm.lv=rhel_intel-mohonpeak-02/root rd.lvm.lv=rhel_intel-mohonpeak-02/swap console=ttyS0,115200 LANG=en_US.UTF-8 module_blacklist=dummy_module
> [    0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-4.7.0-rc2+ root=/dev/mapper/rhel_intel--mohonpeak--02-root ro crashkernel=auto rd.lvm.lv=rhel_intel-mohonpeak-02/root rd.lvm.lv=rhel_intel-mohonpeak-02/swap console=ttyS0,115200 LANG=en_US.UTF-8 module_blacklist=dummy_module
> [    0.000000] blacklisting module dummy_module
> [   85.127433] module dummy_module has been blacklisted.  This module will not load.
>
> Signed-off-by: Prarit Bhargava <prarit@redhat.com>
> Cc: Jonathan Corbet <corbet@lwn.net>
> Cc: Rusty Russell <rusty@rustcorp.com.au>
> Cc: linux-doc@vger.kernel.org
> ---
>  Documentation/kernel-parameters.txt |    3 +++
>  kernel/module.c                     |   37 +++++++++++++++++++++++++++++++++++
>  2 files changed, 40 insertions(+)
>
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 82b42c958d1c..c720b96f2efc 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -2295,6 +2295,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>  			Note that if CONFIG_MODULE_SIG_FORCE is set, that
>  			is always true, so this option does nothing.
>  
> +	module_blacklist=  [KNL] Do not load a comma-separated list of
> +			modules.  Useful for debugging problem modules.
> +
>  	mousedev.tap_time=
>  			[MOUSE] Maximum time between finger touching and
>  			leaving touchpad surface for touch to be considered
> diff --git a/kernel/module.c b/kernel/module.c
> index 5f71aa63ed2a..ed3076d98a32 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -46,6 +46,7 @@
>  #include <linux/string.h>
>  #include <linux/mutex.h>
>  #include <linux/rculist.h>
> +#include <linux/bootmem.h>
>  #include <asm/uaccess.h>
>  #include <asm/cacheflush.h>
>  #include <asm/mmu_context.h>
> @@ -3155,16 +3156,52 @@ int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
>  	return 0;
>  }
>  
> +struct mod_blacklist_entry {
> +	struct list_head next;
> +	char *buf;
> +};
> +
> +static LIST_HEAD(blacklisted_modules);
> +static int __init module_blacklist(char *str)
> +{
> +	char *str_entry;
> +	struct mod_blacklist_entry *entry;
> +
> +	/* str argument is a comma-separated list of module names */
> +	do {
> +		str_entry = strsep(&str, ",");
> +		if (str_entry) {
> +			pr_debug("blacklisting module %s\n", str_entry);
> +			entry = alloc_bootmem(sizeof(*entry));
> +			entry->buf = alloc_bootmem(strlen(str_entry) + 1);
> +			strcpy(entry->buf, str_entry);
> +			list_add(&entry->next, &blacklisted_modules);
> +		}
> +	} while (str_entry);
> +
> +	return 0;
> +}
> +__setup("module_blacklist=", module_blacklist);
> +
>  static struct module *layout_and_allocate(struct load_info *info, int flags)
>  {
>  	/* Module within temporary copy. */
>  	struct module *mod;
>  	int err;
> +	struct mod_blacklist_entry *entry;
>  
>  	mod = setup_load_info(info, flags);
>  	if (IS_ERR(mod))
>  		return mod;
>  
> +	/* Has this module been blacklisted by the user? */
> +	list_for_each_entry(entry, &blacklisted_modules, next) {
> +		if (!strcmp(mod->name, entry->buf)) {
> +			pr_debug("module %s blacklisted\n", mod->name);
> +			return ERR_PTR(-EPERM);
> +		}
> +	}
> +
>  	err = check_modinfo(mod, info, flags);
>  	if (err)
>  		return ERR_PTR(err);
> -- 
> 1.7.9.3