From: Jia Zhang
To: jeyu@kernel.org
Cc: linux-kernel@vger.kernel.org, zhang.jia@linux.alibaba.com
Subject: [PATCH v3 0/3][RESEND] modsign enhancement
Date: Sat, 24 Mar 2018 10:59:46 +0800
Message-Id: <1521860389-19262-1-git-send-email-zhang.jia@linux.alibaba.com>

This patch series allows disabling module validity enforcement at runtime
through the control switch located in securityfs.

In order to keep /sys/module/module/parameters/sig_enforce simple, the
disablement switch is located at
/sys/kernel/security/modsign/disable_enforce.

Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to test this
control switch.

# cat /sys/module/module/parameters/sig_enforce
N
# echo 1 > /sys/module/module/parameters/sig_enforce
# cat /sys/module/module/parameters/sig_enforce
Y
# echo -n 0 > no_sig_enforce
# openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
    -inkey -signer -outform der \
    -out /sys/kernel/security/modsign/disable_enforce
# cat /sys/module/module/parameters/sig_enforce
N

Changelog:
v3:
- The control switch now doesn't support showing the status of sig_enforce.
v2:
- Support disabling validity enforcement at runtime.
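
A defender-side check for the states the test session above walks through, as an added example that is not part of the original message or the patch series: it reads the sig_enforce parameter and looks for the disable_enforce switch the series proposes. The function name modsign_state, its optional root-prefix argument and the four state labels are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify module signature enforcement from the two paths
# named in the cover letter. The optional first argument is a root prefix
# (an assumption of this example) so the function can be pointed at a
# constructed directory tree instead of the live /sys.

modsign_state() {
    sysroot="${1:-}"
    param="$sysroot/sys/module/module/parameters/sig_enforce"
    switch="$sysroot/sys/kernel/security/modsign/disable_enforce"

    if [ ! -r "$param" ]; then
        echo "unknown"                     # parameter absent or unreadable
        return 0
    fi

    # The parameter reads back as Y or N, as in the session above.
    value=$(tr -d '[:space:]' < "$param")
    case "$value" in
        Y)
            if [ -e "$switch" ]; then
                # Enforcement is on, but the proposed switch is present,
                # so a validly signed write could turn it off again.
                echo "enforced-revocable"
            else
                echo "enforced"
            fi
            ;;
        N) echo "not-enforced" ;;
        *) echo "unknown" ;;
    esac
}

# Report for the running system (securityfs must be mounted and visible
# to the caller for the switch to be detected).
modsign_state ""
```

A fleet check can alert on any host that reports anything other than "enforced".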