From: Kees Cook
To: James Morris
Cc: Kees Cook, Jessica Yu, Luis Chamberlain, Mimi Zohar, Scott Branden, Greg Kroah-Hartman, "Rafael J. Wysocki", Alexander Viro, Dmitry Kasatkin, "Serge E. Hallyn", Casey Schaufler, "Eric W. Biederman", Peter Zijlstra, Matthew Garrett, David Howells, Mauro Carvalho Chehab, Randy Dunlap, "Joel Fernandes (Google)", KP Singh, Dave Olsthoorn, Hans de Goede, Peter Jones, Andrew Morton, Stephen Boyd, Paul Moore, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 4/4] module: Add hook for security_kernel_post_read_file()
Date: Tue, 7 Jul 2020 01:19:26 -0700
Message-Id: <20200707081926.3688096-5-keescook@chromium.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200707081926.3688096-1-keescook@chromium.org>
References: <20200707081926.3688096-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Calls to security_kernel_load_data() should be paired with a call to security_kernel_post_read_file() with a NULL file argument. Add the missing call so the module contents are visible to the LSMs interested in measuring the module content. (This also paves the way for moving module signature checking out of the module core and into an LSM.)

Cc: Jessica Yu
Fixes: c77b8cdf745d ("module: replace the existing LSM hook in init_module")
Signed-off-by: Kees Cook
--- kernel/module.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c index 0c6573b98c36..af9679f8e5c6 100644 --- a/kernel/module.c +++ b/kernel/module.c
@@ -2980,7 +2980,12 @@ static int copy_module_from_user(const void __user *umod, unsigned long len, return -EFAULT; } - return 0; + err = security_kernel_post_read_file(NULL, (char *)info->hdr, + info->len, READING_MODULE); + if (err) + vfree(info->hdr); + + return err; } static void free_copy(struct load_info *info) -- 2.25.1
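
Review bot: In the new `if (err)` branch of copy_module_from_user(), `vfree(info->hdr);` leaves `info->hdr` pointing at freed memory while the function returns an error to its caller. Since free_copy(struct load_info *info) sits directly below, either set `info->hdr = NULL;` after the vfree() or state in the commit message that no caller reaches free_copy() once this function has failed, so that a denial from an LSM cannot turn into a double free. A one-line comment above the call saying that it pairs with security_kernel_load_data() and that the NULL file argument is intentional would also help; as written, that rationale exists only in the commit message and `security_kernel_post_read_file(NULL, ...)` reads like an oversight.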