From: Jia Zhang
To: jeyu@kernel.org
Cc: linux-kernel@vger.kernel.org, zhang.jia@linux.alibaba.com
Subject: [PATCH 3/4] module: Support to show the current enforcement policy
Date: Thu, 8 Mar 2018 12:27:02 +0800
Message-Id: <1520483223-6596-4-git-send-email-zhang.jia@linux.alibaba.com>
In-Reply-To: <1520483223-6596-1-git-send-email-zhang.jia@linux.alibaba.com>

/sys/kernel/security/modsign/enforce gives the result of current enforcement policy of loading module.

Signed-off-by: Jia Zhang --- kernel/module.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/kernel/module.c b/kernel/module.c index 79825ea..6b032577 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2794,11 +2794,60 @@ static int module_sig_check(struct load_info *info, int flags) return err; } + +#ifdef CONFIG_SECURITYFS +static ssize_t modsign_enforce_read(struct file *filp, char __user *ubuf, + size_t count, loff_t *offp) +{ + char buf[2]; + + sprintf(buf, "%d", is_module_sig_enforced()); + + return simple_read_from_buffer(ubuf, count, offp, buf, 1); +} + +static const struct file_operations modsign_enforce_ops = { + .read = modsign_enforce_read, + .llseek = generic_file_llseek, +}; + +static int __init securityfs_init(void) +{ + struct dentry *modsign_dir; + struct dentry *enforce; + + modsign_dir = securityfs_create_dir("modsign", NULL); + if (IS_ERR(modsign_dir)) + return -1; + + enforce = securityfs_create_file("enforce", + S_IRUSR | S_IRGRP, modsign_dir, + NULL, &modsign_enforce_ops); + if (IS_ERR(enforce)) + goto out; + + return 0; +out: + securityfs_remove(modsign_dir); + + return -1; +} +#else /* !CONFIG_SECURITYFS */ +static int __init securityfs_init(void) +{ + return 0; +} +#endif #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) { return 0; } + +static int __init securityfs_init(void) +{ + return 0; +} #endif /* !CONFIG_MODULE_SIG */ /* Sanity checks against invalid binaries, wrong arch, weird elf version. */ @@ -4395,8 +4444,14 @@ void module_layout(struct module *mod, static int __init initialize_module(void) { + int ret; + proc_modules_init(); + ret = securityfs_init(); + if (unlikely(ret)) + return ret; + return 0; } module_init(initialize_module); -- 1.8.3.1
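
Review bot: in the first hunk (@@ -2794,11 +2794,60 @@), modsign_enforce_read() calls sprintf(buf, "%d", is_module_sig_enforced()) on char buf[2], which stays in bounds only while the helper returns exactly 0 or 1; any wider value would write past the stack buffer. Bound the write with scnprintf(buf, sizeof(buf), ...) or pick the '0'/'1' character directly, and consider emitting a trailing newline so the file reads cleanly from a shell. In the same hunk, securityfs_init() returns a bare -1 on both failure paths, which callers will see as -EPERM; returning PTR_ERR(modsign_dir) and PTR_ERR(enforce) keeps the real cause. The name securityfs_init() is also very generic for a function that only creates the modsign directory, so something like modsign_securityfs_init() would be clearer. The diffstat shows only kernel/module.c changing, so the new /sys/kernel/security/modsign/enforce file has no accompanying description of its format or permissions (S_IRUSR | S_IRGRP); the commit message or a documentation entry should state both.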
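
Review bot: in the second hunk (@@ -4395,8 +4444,14 @@), initialize_module() now fails the whole initcall when securityfs_init() fails, after proc_modules_init() has already run and with nothing undone. Since the new file is purely informational, it would be safer to log a warning and still return 0, or to justify in the commit message why a missing securityfs entry should be fatal here. If the error is kept, the "ret = securityfs_init(); if (unlikely(ret)) return ret; return 0;" sequence reduces to "return securityfs_init();", and unlikely() buys nothing in a one-shot __init path.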