Building Hello World LSM

Thomas F. J.-M. Pasquier tfjmp2 at cam.ac.uk
Sun Jan 18 19:29:57 EST 2015


Here is the security part of the .config:

#
# Security options
#
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_SECURITY_HELLOWORLD=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_HELLOWORLD=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="helloworld"
CONFIG_CRYPTO=y


SELinux is not loading before my module. SELinux was working on the kernel
that came with the distribution; I did not try to build my kernel with it on.
I will try to do so.

Thank you very much,
Thomas

On 19 January 2015 at 00:20, Dave Tian <dave.jing.tian at gmail.com> wrote:

> Did SELinux get loaded before your changes (Fedora uses SELinux by
> default)? Would you please post your security config? I still suspect that
> there was something messed up in the config.
>
> Thanks,
> Dave
>
>
> On Jan 18, 2015, at 7:09 PM, Thomas F. J.-M. Pasquier <tfjmp2 at cam.ac.uk>
> wrote:
>
> No, other LSM. Checked in the config file. The only one selected is mine
> and it is set "Default Security Module" when using menuconfig.
>
> On Mon Jan 19 2015 at 12:07:33 AM Tian Dave <dave.jing.tian at gmail.com>
> wrote:
>
>> Then which LSM was triggered? SELinux? You probably need to disable other
>> LSM before making your LSM work.
>>
>> Thanks,
>> Dave
>>
>> 2015-01-18 18:49 GMT-05:00 Thomas F. J.-M. Pasquier <tfjmp2 at cam.ac.uk>:
>>
>>> Hi everyone,
>>>
>>> Kernel version 3.17.8
>>>
>>> I am trying to build a skeleton LSM module, but I am not having much
>>> luck so far. The problem seems to be that the LSM init function is never
>>> called.
>>>
>>> I am selecting my helloworld LSM when building the kernel and it is set
>>> as default (checked and re-checked in menuconfig + in the file).
>>>
>>> The build is going fine (my module is built as I would expect). The rest
>>> of the building procedure goes fine. I reboot, the new image works just
>>> fine except my LSM is not in (nor any other, it seems, for that matter).
>>>
>>> Here is the init function:
>>> static __init int hw_init(void){
>>>         /* avoid security registration races */
>>>         if (!security_module_enable(&hw_ops)){
>>>                 printk(KERN_INFO "hw:  Disabled at boot.\n");
>>>                 return 0;
>>>         }
>>>
>>>         printk(KERN_INFO "hw:  Initializing.\n");
>>>
>>>         if (register_security(&hw_ops))
>>>                 panic("hw: Unable to register with kernel.\n");
>>>         else
>>>                 printk(KERN_INFO "hw: registered with the kernel.\n");
>>>
>>>         return 0;
>>> }
>>>
>>> security_initcall(hw_init);
>>>
>>> I looked at how it was done in SELinux and the other security modules and
>>> I don't seem to be doing things differently or incorrectly. I checked the
>>> log level just in case and that's not the issue either.
>>>
>>> I am tempted to say the problem comes from my building
>>> procedure/configuration, rather than the module/code in itself (the dist on
>>> top of the kernel is Fedora 21). I have been at it for a while now and any
>>> help would be most welcome.
>>>
>>> Thank you in advance.
>>>
>>> Regards,
>>> Thomas
>>>
>>>
>>>
>>> _______________________________________________
>>> Kernelnewbies mailing list
>>> Kernelnewbies at kernelnewbies.org
>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>
>>>
>>
>
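
The config listing and the "Disabled at boot" branch in this thread both depend on which LSM name the kernel selects. As an added example (not part of the original messages), this shell check reads the LSM lines of a `.config` and an optional kernel command line and reports mismatches. It assumes that on this kernel series `security_module_enable()` accepts a module only when its name equals the chosen LSM, which defaults to `CONFIG_DEFAULT_SECURITY` and is replaced by a `security=` boot parameter; the function names and the sample command line are hypothetical.

```shell
# Added example: sanity-check the LSM selection in a kernel .config (names hypothetical).

# Print the value of symbol $2 in config file $1 (quotes stripped; empty if unset).
cfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | head -n 1
}

# $1 = .config path, $2 = kernel command line (optional). Returns 0 only if a
# named default LSM is built in and not overridden by security= at boot.
check_lsm_config() {
    cfg=$1; cmdline=${2:-}; rc=0
    [ "$(cfg_get "$cfg" CONFIG_SECURITY)" = y ] ||
        { echo "FAIL: CONFIG_SECURITY is not =y"; rc=1; }
    def=$(cfg_get "$cfg" CONFIG_DEFAULT_SECURITY)
    if [ -z "$def" ]; then
        echo "FAIL: CONFIG_DEFAULT_SECURITY names no module"; rc=1
    else
        # Assumption: the Kconfig symbol is CONFIG_SECURITY_<NAME>, as for helloworld.
        sym=CONFIG_SECURITY_$(printf '%s' "$def" | tr '[:lower:]' '[:upper:]')
        [ "$(cfg_get "$cfg" "$sym")" = y ] ||
            { echo "FAIL: default is $def but $sym is not =y"; rc=1; }
    fi
    # A security= boot parameter replaces the build-time default.
    for arg in $cmdline; do
        case $arg in
            security=*)
                [ "${arg#security=}" = "$def" ] ||
                    { echo "FAIL: $arg overrides default $def"; rc=1; } ;;
        esac
    done
    [ "$rc" -ne 0 ] || echo "OK: default LSM is $def"
    return "$rc"
}

# Constructed sample: the LSM-related lines of the config quoted in the thread.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_HELLOWORLD=y
CONFIG_DEFAULT_SECURITY_HELLOWORLD=y
CONFIG_DEFAULT_SECURITY="helloworld"
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
check_lsm_config "$tmp" "ro quiet security=selinux" || true  # constructed cmdline
rm -f "$tmp"
```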