From: Kees Cook <keescook@chromium.org>
To: James Morris <jmorris@namei.org>
Cc: Kees Cook <keescook@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>,
John Johansen <john.johansen@canonical.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
LSM <linux-security-module@vger.kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
linux-doc@vger.kernel.org, linux-arch@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce"
Date: Mon, 1 Oct 2018 17:54:46 -0700 [thread overview]
Message-ID: <20181002005505.6112-14-keescook@chromium.org> (raw)
In-Reply-To: <20181002005505.6112-1-keescook@chromium.org>
LoadPin's "enable" setting is really about enforcement, not whether
or not the LSM is using LSM hooks. Instead, split this out so that LSM
enabling can be logically distinct from whether enforcement is happening
(for example, the pinning happens when the LSM is enabled, but the pin
is only checked when "enforce" is set). This allows LoadPin to continue
to operate sanely in test environments once LSM enable/disable is
centrally handled (i.e. we want LoadPin to be enabled separately from
its enforcement).
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
---
security/loadpin/Kconfig | 4 ++--
security/loadpin/loadpin.c | 21 +++++++++++----------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index dd01aa91e521..8653608a3693 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -10,10 +10,10 @@ config SECURITY_LOADPIN
have a root filesystem backed by a read-only device such as
dm-verity or a CDROM.
-config SECURITY_LOADPIN_ENABLED
+config SECURITY_LOADPIN_ENFORCING
bool "Enforce LoadPin at boot"
depends on SECURITY_LOADPIN
help
If selected, LoadPin will enforce pinning at boot. If not
selected, it can be enabled at boot with the kernel parameter
- "loadpin.enabled=1".
+ "loadpin.enforcing=1".
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index 0716af28808a..d8a68a6f6fef 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -44,7 +44,7 @@ static void report_load(const char *origin, struct file *file, char *operation)
kfree(pathname);
}
-static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
+static int enforcing = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCING);
static struct super_block *pinned_root;
static DEFINE_SPINLOCK(pinned_root_spinlock);
@@ -60,8 +60,8 @@ static struct ctl_path loadpin_sysctl_path[] = {
static struct ctl_table loadpin_sysctl_table[] = {
{
- .procname = "enabled",
- .data = &enabled,
+ .procname = "enforcing",
+ .data = &enforcing,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
@@ -97,7 +97,7 @@ static void check_pinning_enforcement(struct super_block *mnt_sb)
loadpin_sysctl_table))
pr_notice("sysctl registration failed!\n");
else
- pr_info("load pinning can be disabled.\n");
+ pr_info("enforcement can be disabled.\n");
} else
pr_info("load pinning engaged.\n");
}
@@ -128,7 +128,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
/* This handles the older init_module API that has a NULL file. */
if (!file) {
- if (!enabled) {
+ if (!enforcing) {
report_load(origin, NULL, "old-api-pinning-ignored");
return 0;
}
@@ -151,7 +151,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
* Unlock now since it's only pinned_root we care about.
* In the worst case, we will (correctly) report pinning
* failures before we have announced that pinning is
- * enabled. This would be purely cosmetic.
+ * enforcing. This would be purely cosmetic.
*/
spin_unlock(&pinned_root_spinlock);
check_pinning_enforcement(pinned_root);
@@ -161,7 +161,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
}
if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) {
- if (unlikely(!enabled)) {
+ if (unlikely(!enforcing)) {
report_load(origin, file, "pinning-ignored");
return 0;
}
@@ -186,10 +186,11 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
void __init loadpin_add_hooks(void)
{
- pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
+ pr_info("ready to pin (currently %senforcing)\n",
+ enforcing ? "" : "not ");
security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
}
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
-module_param(enabled, int, 0);
-MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");
+module_param(enforcing, int, 0);
+MODULE_PARM_DESC(enforcing, "Enforce module/firmware pinning");
--
2.17.1
next prev parent reply other threads:[~2018-10-02 0:55 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-02 0:54 [PATCH security-next v4 00/32] LSM: Explict LSM ordering Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 01/32] LSM: Correctly announce start of LSM initialization Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 02/32] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 03/32] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 04/32] LSM: Remove initcall tracing Kees Cook
2018-10-02 21:14 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 05/32] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-10-02 21:15 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-10-02 21:16 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 08/32] LSM: Record LSM name in struct lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure Kees Cook
2018-10-02 21:17 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures Kees Cook
2018-10-02 21:20 ` James Morris
2018-10-02 21:38 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 11/32] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 12/32] LSM: Provide separate ordered initialization Kees Cook
2018-10-02 0:54 ` Kees Cook [this message]
2018-10-02 1:06 ` [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" Randy Dunlap
2018-10-02 4:47 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 14/32] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 15/32] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 16/32] LSM: Prepare for arbitrary LSM enabling Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 17/32] LSM: Introduce CONFIG_LSM_ENABLE Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 18/32] LSM: Introduce lsm.enable= and lsm.disable= Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 19/32] LSM: Prepare for reorganizing "security=" logic Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 20/32] LSM: Refactor "security=" in terms of enable/disable Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic Kees Cook
2018-10-02 1:18 ` Randy Dunlap
2018-10-02 4:49 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 22/32] apparmor: Remove boot parameter Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 23/32] selinux: " Kees Cook
2018-10-02 12:12 ` Paul Moore
2018-10-02 13:42 ` Stephen Smalley
2018-10-02 14:44 ` Kees Cook
2018-10-02 14:58 ` Stephen Smalley
2018-10-02 16:33 ` Jordan Glover
2018-10-02 16:54 ` Kees Cook
2018-10-02 18:33 ` Stephen Smalley
2018-10-02 19:02 ` Kees Cook
2018-10-02 18:57 ` John Johansen
2018-10-02 19:17 ` Kees Cook
2018-10-02 19:47 ` John Johansen
2018-10-02 20:29 ` Kees Cook
2018-10-02 21:11 ` John Johansen
2018-10-02 22:06 ` James Morris
2018-10-02 23:06 ` Kees Cook
2018-10-02 23:46 ` John Johansen
2018-10-02 23:54 ` Kees Cook
2018-10-03 0:05 ` John Johansen
2018-10-03 0:12 ` Kees Cook
2018-10-03 13:15 ` John Johansen
2018-10-03 13:39 ` Stephen Smalley
2018-10-03 17:26 ` Kees Cook
2018-10-03 19:43 ` Stephen Smalley
2018-10-04 5:38 ` John Johansen
2018-10-04 16:02 ` Kees Cook
2018-10-08 14:25 ` Paul Moore
2018-10-03 18:17 ` James Morris
2018-10-03 18:20 ` Kees Cook
2018-10-03 18:28 ` James Morris
2018-10-03 20:10 ` Kees Cook
2018-10-03 20:36 ` Kees Cook
2018-10-03 21:19 ` James Morris
2018-10-04 5:56 ` John Johansen
2018-10-04 16:18 ` Kees Cook
2018-10-04 17:40 ` Jordan Glover
2018-10-04 17:42 ` Kees Cook
2018-10-03 21:34 ` James Morris
2018-10-03 23:55 ` Kees Cook
2018-10-03 23:59 ` Randy Dunlap
2018-10-04 0:03 ` Kees Cook
2018-10-04 6:22 ` John Johansen
2018-10-04 6:18 ` John Johansen
2018-10-04 17:49 ` James Morris
2018-10-05 0:05 ` Kees Cook
2018-10-05 4:58 ` James Morris
2018-10-05 16:29 ` James Morris
2018-10-05 16:35 ` Kees Cook
2018-10-02 23:28 ` John Johansen
2018-10-02 16:34 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 24/32] LSM: Build ordered list of ordered LSMs for init Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 25/32] LSM: Introduce CONFIG_LSM_ORDER Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 26/32] LSM: Introduce "lsm.order=" for boottime ordering Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 27/32] LoadPin: Initialize as ordered LSM Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 28/32] Yama: " Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 29/32] LSM: Introduce enum lsm_order Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 30/32] capability: Initialize as LSM_ORDER_FIRST Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 31/32] LSM: Separate idea of "major" LSM from "exclusive" LSM Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 32/32] LSM: Add all exclusive LSMs to ordered initialization Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181002005505.6112-14-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).