From: Jia Zhang
To: jeyu@kernel.org
Cc: zhang.jia@linux.alibaba.com, linux-kernel@vger.kernel.org
Subject: [PATCH 3/4] module: Support to show the current enforcement policy
Date: Thu, 1 Mar 2018 17:09:05 +0800
Message-Id: <1519895346-7961-3-git-send-email-zhang.jia@linux.alibaba.com>
In-Reply-To: <1519895346-7961-1-git-send-email-zhang.jia@linux.alibaba.com>

/sys/kernel/security/modsign/enforce gives the result of current enforcement policy of loading module.

Signed-off-by: Jia Zhang --- kernel/module.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/kernel/module.c b/kernel/module.c index 79825ea..e3c6c8e 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2794,11 +2794,60 @@ static int module_sig_check(struct load_info *info, int flags) return err; } + +#ifdef CONFIG_SECURITYFS +static ssize_t modsign_enforce_read(struct file *filp, char __user *ubuf, + size_t count, loff_t *offp) +{ + char buf[2]; + + sprintf(buf, "%d", !!sig_enforce); + + return simple_read_from_buffer(ubuf, count, offp, buf, 1); +} + +static const struct file_operations modsign_enforce_ops = { + .read = modsign_enforce_read, + .llseek = generic_file_llseek, +}; + +static int __init securityfs_init(void) +{ + struct dentry *modsign_dir; + struct dentry *enforce; + + modsign_dir = securityfs_create_dir("modsign", NULL); + if (IS_ERR(modsign_dir)) + return -1; + + enforce = securityfs_create_file("enforce", + S_IRUSR | S_IRGRP, modsign_dir, + NULL, &modsign_enforce_ops); + if (IS_ERR(enforce)) + goto out; + + return 0; +out: + securityfs_remove(modsign_dir); + + return -1; +} +#else /* !CONFIG_SECURITYFS */ +static int __init securityfs_init(void) +{ + return 0; +} +#endif #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) { return 0; } + +static int __init securityfs_init(void) +{ + return 0; +} #endif /* !CONFIG_MODULE_SIG */ /* Sanity checks against invalid binaries, wrong arch, weird elf version. */ @@ -4395,8 +4444,14 @@ void module_layout(struct module *mod, static int __init initialize_module(void) { + int ret; + proc_modules_init(); + ret = securityfs_init(); + if (unlikely(ret)) + return ret; + return 0; } module_init(initialize_module); -- 1.8.3.1
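
Review bot: in the first hunk (@@ -2794,11 +2794,60 @@), securityfs_init() returns a bare -1 on both failure paths, which throws away the errno carried by the IS_ERR() pointers and reports every failure as the value of -EPERM. Return PTR_ERR(modsign_dir) for the directory case, and save PTR_ERR(enforce) before the goto so the out: path can return it after securityfs_remove(modsign_dir). Two smaller points in the same hunk: modsign_enforce_read() uses sprintf() into char buf[2], which is exactly large enough for one digit plus the terminator and leaves no margin if the format ever changes, so scnprintf(buf, sizeof(buf), ...) would be the safer form; and the mode is clearer written as octal 0440 than as S_IRUSR | S_IRGRP. Since this file is what userspace will read to learn whether signature enforcement is active, the commit message should also state the output format (a single '0' or '1' with no trailing newline, as written here).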
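
Review bot: in the second hunk (@@ -4395,8 +4444,14 @@), initialize_module() now fails with ret when securityfs_init() fails, although proc_modules_init() has already run by then and nothing is unwound. The securityfs entry is only a read-only report of sig_enforce, so failing to create it should probably not fail the whole initcall; consider logging a warning and still returning 0, or explain in the commit message why this must be fatal. The unlikely() annotation is also unnecessary in a one-shot __init path; if the error is kept fatal, the tail reduces to "return securityfs_init();".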