[PATCH v7 5/6] security: Panic on forced unloading of security module

[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 1/6] security: Move LSM registration arguments to struct lsm_info · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 1/6] security: Move LSM registration arguments to struct lsm_info · jmorris@namei.org (James Morris) · 2018-05-01
[PATCH v7 1/6] security: Move LSM registration arguments to struct lsm_info · Kees Cook <hidden> · 2018-05-01
[PATCH v7 1/6] security: Move LSM registration arguments to struct lsm_info · Sargun Dhillon <hidden> · 2018-05-01
[PATCH v7 2/6] security: Make security_hook_heads private · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 3/6] security: Introduce mutable (RW) hooks · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 4/6] security: Expose security_add_hooks externally and add error handling · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 5/6] security: Panic on forced unloading of security module · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 6/6] security: Add SECURITY_UNREGISTRABLE_HOOKS to allow for hook removal · Sargun Dhillon <hidden> · 2018-04-25
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · penguin-kernel@i-love.sakura.ne.jp (Tetsuo Handa) · 2018-04-26
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-26
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · penguin-kernel@I-love.SAKURA.ne.jp (Tetsuo Handa) · 2018-04-26
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-26
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-26
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · penguin-kernel@I-love.SAKURA.ne.jp (Tetsuo Handa) · 2018-04-27
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-27
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · casey@schaufler-ca.com (Casey Schaufler) · 2018-04-27
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · penguin-kernel@I-love.SAKURA.ne.jp (Tetsuo Handa) · 2018-04-29
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · casey@schaufler-ca.com (Casey Schaufler) · 2018-04-29
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-30
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · casey@schaufler-ca.com (Casey Schaufler) · 2018-04-30
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-30
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · casey@schaufler-ca.com (Casey Schaufler) · 2018-04-30
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · jmorris@namei.org (James Morris) · 2018-04-30
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-30
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · jmorris@namei.org (James Morris) · 2018-05-01
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · jmorris@namei.org (James Morris) · 2018-05-01
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · Sargun Dhillon <hidden> · 2018-04-27
[PATCH v7 0/6] Safe LSM (un)loading, and immutable hooks · casey@schaufler-ca.com (Casey Schaufler) · 2018-04-27

STALE2950d

From: Sargun Dhillon <hidden>
Date: 2018-04-25 08:59:43
Subsystem: security subsystem, the rest · Maintainers: Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

Although, when LSMs are loaded, the kernel takes a refcount on them, the
administrator can force unload the module if the
CONFIG_MODULE_FORCE_UNLOAD is set. Although this may be fine for some
cases, in the case of security modules, this is problematic, as it
may leave the system unsecure, or unaudited.

Although, a kernel panic will occur on the next attempt to make a
callback for that hook, new code could be loaded, which would not
trigger a panic, allowing for silent failure. Therefore, we must
panic on an attempt to forcefully unload an LSM.

Signed-off-by: Sargun Dhillon <redacted>
---
 security/security.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/security.c b/security/security.c
index 8d8a227eeeea..204b9978ba24 100644
--- a/security/security.c
+++ b/security/security.c

@@ -89,6 +89,34 @@ static void __init do_security_initcalls(void)
 	}
 }
 
+/*
+ * Check if one of our modules is being unloaded. This can happen if
+ * CONFIG_MODULE_FORCE_UNLOAD is enabled.
+ * If it is being unloaded, panic and let the user know what's going on
+ */
+static int security_module_cb(struct notifier_block *nb, unsigned long val,
+				void *data)
+{
+	struct module *mod = data;
+	struct lsm_info *info;
+
+	if (val != MODULE_STATE_GOING)
+		return NOTIFY_DONE;
+
+	mutex_lock(&lsm_info_lock);
+	hlist_for_each_entry(info, &lsm_info_head, list)
+		if (mod == info->owner)
+			panic("Security module %s is being unloaded forcefully\n",
+				info->name);
+	mutex_unlock(&lsm_info_lock);
+
+	return NOTIFY_DONE;
+}
+
+static struct notifier_block security_nb = {
+	.notifier_call	= security_module_cb,
+};
+
 /**
  * security_init - initializes the security framework
  *

@@ -99,6 +127,9 @@ int __init security_init(void)
 	pr_info("Security Framework initialized with%s writable hooks\n",
 		IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) ? "" : "out");
 
+	if (IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) &&
+		IS_ENABLED(CONFIG_MODULE_FORCE_UNLOAD))
+		register_module_notifier(&security_nb);
 	/*
 	 * Load minor LSMs, with the capability module always first.
 	 */

-- 
2.14.1

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help