From: sargun@sargun.me (Sargun Dhillon)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v7 5/6] security: Panic on forced unloading of security module
Date: Wed, 25 Apr 2018 08:59:43 +0000 [thread overview]
Message-ID: <8daf3d7f289acc3a23c4652a8ddd8db2b9c39d85.1524645853.git.sargun@sargun.me> (raw)
In-Reply-To: <cover.1524645853.git.sargun@sargun.me>
Although, when LSMs are loaded, the kernel takes a refcount on them, the
administrator can force unload the module if the
CONFIG_MODULE_FORCE_UNLOAD is set. Although this may be fine for some
cases, in the case of security modules, this is problematic, as it
may leave the system unsecure, or unaudited.
Although, a kernel panic will occur on the next attempt to make a
callback for that hook, new code could be loaded, which would not
trigger a panic, allowing for silent failure. Therefore, we must
panic on an attempt to forcefully unload an LSM.
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
---
security/security.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/security/security.c b/security/security.c
index 8d8a227eeeea..204b9978ba24 100644
--- a/security/security.c
+++ b/security/security.c
@@ -89,6 +89,34 @@ static void __init do_security_initcalls(void)
}
}
+/*
+ * Check if one of our modules is being unloaded. This can happen if
+ * CONFIG_MODULE_FORCE_UNLOAD is enabled.
+ * If it is being unloaded, panic and let the user know what's going on
+ */
+static int security_module_cb(struct notifier_block *nb, unsigned long val,
+ void *data)
+{
+ struct module *mod = data;
+ struct lsm_info *info;
+
+ if (val != MODULE_STATE_GOING)
+ return NOTIFY_DONE;
+
+ mutex_lock(&lsm_info_lock);
+ hlist_for_each_entry(info, &lsm_info_head, list)
+ if (mod == info->owner)
+ panic("Security module %s is being unloaded forcefully\n",
+ info->name);
+ mutex_unlock(&lsm_info_lock);
+
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block security_nb = {
+ .notifier_call = security_module_cb,
+};
+
/**
* security_init - initializes the security framework
*
@@ -99,6 +127,9 @@ int __init security_init(void)
pr_info("Security Framework initialized with%s writable hooks\n",
IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) ? "" : "out");
+ if (IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) &&
+ IS_ENABLED(CONFIG_MODULE_FORCE_UNLOAD))
+ register_module_notifier(&security_nb);
/*
* Load minor LSMs, with the capability module always first.
*/
--
2.14.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-04-25 8:59 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-25 8:58 [PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks Sargun Dhillon
2018-04-25 8:58 ` [PATCH v7 1/6] security: Move LSM registration arguments to struct lsm_info Sargun Dhillon
2018-05-01 18:34 ` James Morris
2018-05-01 19:19 ` Kees Cook
2018-05-01 19:35 ` Sargun Dhillon
2018-04-25 8:59 ` [PATCH v7 2/6] security: Make security_hook_heads private Sargun Dhillon
2018-04-25 8:59 ` [PATCH v7 3/6] security: Introduce mutable (RW) hooks Sargun Dhillon
2018-04-25 8:59 ` [PATCH v7 4/6] security: Expose security_add_hooks externally and add error handling Sargun Dhillon
2018-04-25 8:59 ` Sargun Dhillon [this message]
2018-04-25 8:59 ` [PATCH v7 6/6] security: Add SECURITY_UNREGISTRABLE_HOOKS to allow for hook removal Sargun Dhillon
2018-04-26 7:15 ` [PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks Tetsuo Handa
2018-04-26 7:41 ` Sargun Dhillon
2018-04-26 12:07 ` Tetsuo Handa
2018-04-26 16:40 ` Sargun Dhillon
2018-04-26 17:29 ` Sargun Dhillon
2018-04-27 13:25 ` Tetsuo Handa
2018-04-27 20:21 ` Sargun Dhillon
2018-04-27 20:45 ` Casey Schaufler
2018-04-29 11:49 ` Tetsuo Handa
2018-04-29 21:23 ` Casey Schaufler
2018-04-30 16:11 ` Sargun Dhillon
2018-04-30 16:46 ` Casey Schaufler
2018-04-30 18:25 ` Sargun Dhillon
2018-04-30 19:37 ` Casey Schaufler
[not found] ` <f4f44e71-8df2-e5e6-d213-cf97eda6cb4a@digikod.net>
2018-05-01 20:42 ` James Morris
2018-04-30 21:16 ` James Morris
2018-04-30 21:29 ` Sargun Dhillon
2018-05-01 18:49 ` James Morris
2018-05-01 19:02 ` James Morris
2018-04-27 20:32 ` Sargun Dhillon
2018-04-27 20:59 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8daf3d7f289acc3a23c4652a8ddd8db2b9c39d85.1524645853.git.sargun@sargun.me \
--to=sargun@sargun.me \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.