Received: by 10.223.185.116 with SMTP id b49csp5863175wrg; Wed, 7 Mar 2018 20:28:31 -0800 (PST) X-Google-Smtp-Source: AG47ELu/x/00hXRN12h2a4tgsGxudtivTrGKNpuuLOYV1E12Y2Sknq2YkmfBH6kSyVTFGAtJ08kY X-Received: by 10.98.79.90 with SMTP id d87mr24916973pfb.41.1520483311829; Wed, 07 Mar 2018 20:28:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520483311; cv=none; d=google.com; s=arc-20160816; b=vSEVavkIXrxGBmdwdmfgUzkTm+HpwW2lAmIqDEvhhKFK3yL4KWMUcoIbrs+nKFhL1L osNsWeWMbi3LJX6rm9Y5d4yCLyDdnSavqYWzIxHLbSdSskecu2FYqVxqRk2rttfdwcnp ie7g/49CdHLmClp9rT/f3C5bHhKnb08WbwFxvKzGi1PE7goQNO0LEseLn0sV1xOlwxVG JzF8a6v7PUWmEotb/2D0KGiq5PeknFJmRCQ2pT/Ihk1GXN+/qzf8VWKQSrpzIUugvHRc 8U25MHLE/WsoQjoU3bFCiS81AkvNmmcf1PE73iBhZSx+A/+wVb2FO6Iy+Zfiu5lJm0gj q27w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=LY9X4nhrlUcGYgqYS+S8VASj2AkwWyQTxZHYk6h8k2A=; b=rjPXmIXgTJvlN43G96t/HpjH9gq5kXrSisBzBQOQS5Gtd5XwmypsGJchiM9rn45OOd HitApIse2ZSNwMU6yBNs75YrCRWFlmHWvCXoOma6oCaafb6W7w3Q65EZEdiDdQX/ATVU TEqcL3MJG0w2teDaf/jw7o/I96I0TSUrqC0OKsIBGDGbakM5v6eW7OxKThNPnqVMDEb4 pKYtB2LuvpjL1tg0GdrdXN1XuMwg2xbf2rq9d93guJ2OItVUPyxVHGCfnw6xCZDSRHh3 GNTrosbz34X33TTXox/Ufcv5F326wHgSJXVi96X3E6oMu/DSkhshpT/ptndYUS8VvWd9 QfWw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t5si12422362pgq.379.2018.03.07.20.28.17; Wed, 07 Mar 2018 20:28:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934752AbeCHE1V (ORCPT + 99 others); Wed, 7 Mar 2018 23:27:21 -0500 Received: from out30-133.freemail.mail.aliyun.com ([115.124.30.133]:60313 "EHLO out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934149AbeCHE1T (ORCPT ); Wed, 7 Mar 2018 23:27:19 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R131e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01f04455;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=3;SR=0;TI=SMTPD_---0Sz3h0H2_1520483227; Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com fp:106.11.232.123) by smtp.aliyun-inc.com(127.0.0.1); Thu, 08 Mar 2018 12:27:07 +0800 From: Jia Zhang To: jeyu@kernel.org Cc: linux-kernel@vger.kernel.org, zhang.jia@linux.alibaba.com Subject: [PATCH 4/4] module: Support to disable validity enforcement in runtime Date: Thu, 8 Mar 2018 12:27:03 +0800 Message-Id: <1520483223-6596-5-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1520483223-6596-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1520483223-6596-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In order to disable the module validity enforcement, writing a PKCS#7 signature corresponding the signed content '0' is required. Given a simple way to archive this: $ echo -n 0 > data $ openssl smime -sign -nocerts -noattr -binary -in data \ -inkey -signer -outform der \ -out data.sig Note that the signing key must be a trust key located in system trusted keyring. So even the root privilige cannot simply disable the enforcement. Signed-off-by: Jia Zhang --- kernel/module.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 114 insertions(+), 4 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 6b032577..16be198 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -64,6 +64,7 @@ #include #include #include +#include #include #include "module-internal.h" @@ -288,6 +289,11 @@ bool is_module_sig_enforced(void) } EXPORT_SYMBOL(is_module_sig_enforced); +static void set_module_sig_enforce(bool enforce) +{ + sig_enforce = enforce; +} + /* Block module loading/unloading? */ int modules_disabled = 0; core_param(nomodule, modules_disabled, bint, 0); @@ -2796,6 +2802,61 @@ static int module_sig_check(struct load_info *info, int flags) } #ifdef CONFIG_SECURITYFS +/* + * Check the intention of setting the enforcement policy. + * + * Return 1 if enabling the policy, or return 0 if disabling + * the policy. Note that the root privilege cannot simply + * disable the policy without the authentication given by a + * trusted key. + */ +static int check_enforce(char *buf, size_t count) +{ + u8 *p; + + if (buf[0] == '1') { + if (count == 1 || (count == 2 && buf[1] == '\n')) + return 1; + + return -EINVAL; + } + + /* + * In order to disable the enforcement policy, a PKCS#7 signature + * is supplied. + * + * Assuming ASN.1 encoding supplied, the minimal length would be + * 4-byte header plus at least 256-byte payload. + */ + if (count < 260) + return -EINVAL; + + p = (u8 *)buf; + + /* The primitive type must be a sequnce */ + if (p[0] != 0x30 || p[1] != 0x82) + return -EINVAL; + + /* Match up the length of the supplied buffer */ + if (be16_to_cpup((__be16 *)(p + 2)) != count - 4) + return -EINVAL; + + return 0; +} + +/* + * Disable the enforceme and verify the supplied PKCS#7 signature. + * The signed content is simply the charactoror '0'. + */ +static int disable_enforce(void *pkcs7, size_t pkcs7_len) +{ + char data = '0'; + + return verify_pkcs7_signature(&data, sizeof(data), pkcs7, pkcs7_len, + NULL, VERIFYING_UNSPECIFIED_SIGNATURE, + NULL, NULL); +} + static ssize_t modsign_enforce_read(struct file *filp, char __user *ubuf, size_t count, loff_t *offp) { @@ -2806,7 +2867,50 @@ static ssize_t modsign_enforce_read(struct file *filp, char __user *ubuf, return simple_read_from_buffer(ubuf, count, offp, buf, 1); } -static const struct file_operations modsign_enforce_ops = { +static ssize_t modsign_enforce_write(struct file *filp, + const char __user *ubuf, + size_t count, loff_t *offp) +{ + char *buf; + ssize_t ret; + size_t max_buf_size = 1 << MAX_ORDER; + + if (*offp > 1) + return -EFBIG; + + if (count > max_buf_size) + return -EFBIG; + + buf = kmalloc(count, GFP_KERNEL); + if (!buf) + return -ENOMEM; + + ret = simple_write_to_buffer(buf, count, offp, ubuf, count); + if (ret <= 0) { + kfree(buf); + return ret; + } + + ret = check_enforce(buf, count); + if (is_module_sig_enforced() && !ret) { + ret = disable_enforce(buf, count); + if (!ret) { + set_module_sig_enforce(false); + pr_notice("Kernel module validity enforcement disabled\n"); + ret = count; + } + } else if (!is_module_sig_enforced() && ret == 1) { + set_module_sig_enforce(true); + pr_notice("Kernel module validity enforcement enabled\n"); + ret = count; + } + + kfree(buf); + + return ret; +} + +static struct file_operations modsign_enforce_ops = { .read = modsign_enforce_read, .llseek = generic_file_llseek, }; @@ -2815,14 +2919,20 @@ static int __init securityfs_init(void) { struct dentry *modsign_dir; struct dentry *enforce; + umode_t mode; modsign_dir = securityfs_create_dir("modsign", NULL); if (IS_ERR(modsign_dir)) return -1; - enforce = securityfs_create_file("enforce", - S_IRUSR | S_IRGRP, modsign_dir, - NULL, &modsign_enforce_ops); + mode = S_IRUSR | S_IRGRP; + if (!is_module_sig_enforced()) { + modsign_enforce_ops.write = modsign_enforce_write; + mode |= S_IWUSR; + } + + enforce = securityfs_create_file("enforce", mode, modsign_dir, NULL, + &modsign_enforce_ops); if (IS_ERR(enforce)) goto out; -- 1.8.3.1