Building Hello World LSM
Thomas F. J.-M. Pasquier
tfjmp2 at cam.ac.uk
Sun Jan 18 20:08:50 EST 2015
Ok, re-built with SELinux activated and it is not working either. My
problem seems indeed to be my build process rather than anything relating
to my code :(. However, it does not get me closer to understanding what I
am doing wrong. Here is the security config for the build with SELinux on:
#
# Security options
#
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
# CONFIG_SECURITY_HELLOWORLD is not set
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_CRYPTO=y
Thanks a lot Dave for pointing in the right direction.
Thomas
On 19 January 2015 at 00:29, Thomas F. J.-M. Pasquier <tfjmp2 at cam.ac.uk>
wrote:
> Here is the security part of the .config:
>
> #
> # Security options
> #
> CONFIG_KEYS=y
> CONFIG_PERSISTENT_KEYRINGS=y
> CONFIG_BIG_KEYS=y
> # CONFIG_ENCRYPTED_KEYS is not set
> CONFIG_KEYS_DEBUG_PROC_KEYS=y
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_NETWORK_XFRM=y
> CONFIG_SECURITY_PATH=y
> CONFIG_INTEL_TXT=y
> # CONFIG_SECURITY_SELINUX is not set
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_HELLOWORLD=y
> # CONFIG_IMA is not set
> # CONFIG_EVM is not set
> CONFIG_DEFAULT_SECURITY_HELLOWORLD=y
> # CONFIG_DEFAULT_SECURITY_DAC is not set
> CONFIG_DEFAULT_SECURITY="helloworld"
> CONFIG_CRYPTO=y
>
>
> SELinux is not loading before my module. SELinux was working on the kernel
> that came with the distribution, did not try to build my kernel with it on.
> I will try to do so.
>
> Thank you very much,
> Thomas
>
> On 19 January 2015 at 00:20, Dave Tian <dave.jing.tian at gmail.com> wrote:
>
>> Did SELinux get loaded before your changes (Fedora uses SELinux by
>> default)? Would you please post your security config? I still suspect that
>> there was sth messed up in the config.
>>
>> Thanks,
>> Dave
>>
>>
>> On Jan 18, 2015, at 7:09 PM, Thomas F. J.-M. Pasquier <tfjmp2 at cam.ac.uk>
>> wrote:
>>
>> No, other LSM. Checked in the config file. The only one selected is mine
>> and it is set "Default Security Module" when using menuconfig.
>>
>> On Mon Jan 19 2015 at 12:07:33 AM Tian Dave <dave.jing.tian at gmail.com>
>> wrote:
>>
>>> Then which LSM was triggered? SELinux? You probably need to disable
>>> other LSM before making your LSM work.
>>>
>>> Thanks,
>>> Dave
>>>
>>> 2015-01-18 18:49 GMT-05:00 Thomas F. J.-M. Pasquier <tfjmp2 at cam.ac.uk>:
>>>
>>>> Hi everyone,
>>>>
>>>> Kernel version 3.17.8
>>>>
>>>> I am trying to build a skeleton LSM module, but I am not having much
>>>> luck so far. The problem seems to be that the LSM init function is never
>>>> called.
>>>>
>>>> I am selecting my helloworld LSM when building the kernel and it is set
>>>> as default (checked and re-checked in menuconfig + in the file).
>>>>
>>>> The build is going fine (my module is built as I would expect). The
>>>> rest of the building procedure goes fine. I reboot, the new image works
>>>> just fine except my LSM is not in (nor any other, it seems, for that
>>>> matter).
>>>>
>>>> Here is the init function:
>>>> static __init int hw_init(void)
>>>> {
>>>>     /* avoid security registration races */
>>>>     if (!security_module_enable(&hw_ops)) {
>>>>         printk(KERN_INFO "hw: Disabled at boot.\n");
>>>>         return 0;
>>>>     }
>>>>
>>>>     printk(KERN_INFO "hw: Initializing.\n");
>>>>
>>>>     if (register_security(&hw_ops))
>>>>         panic("hw: Unable to register with kernel.\n");
>>>>     else
>>>>         printk(KERN_INFO "hw: registered with the kernel.\n");
>>>>
>>>>     return 0;
>>>> }
>>>>
>>>> security_initcall(hw_init);
>>>>
>>>> I looked at how it was done in SELinux and the other security modules
>>>> and I don't seem to be doing things differently or incorrectly. I checked
>>>> the log level just in case and that's not the issue either.
>>>>
>>>> I am tempted to say the problem comes from my building
>>>> procedure/configuration, rather than the module/code in itself (the dist on
>>>> top of the kernel is fedora21). I have been at it for a while now and any
>>>> help would be most welcome.
>>>>
>>>> Thank you in advance.
>>>>
>>>> Regards,
>>>> Thomas
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>>>
>>>
>>
>
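In kernels of this era, the security_module_enable() call in the quoted init function succeeds only when the name in the module's security_operations equals the chosen LSM, which comes from CONFIG_DEFAULT_SECURITY unless a security= boot parameter replaces it. The script below is an added example, not code from the thread or from the kernel: it models that selection for a given .config and kernel command line. The function names chosen_lsm and lsm_would_enable are hypothetical, and the name stored in hw_ops is not shown in the thread, so it is passed in as a parameter.

```shell
#!/bin/sh
# Added example: models the check made by security_module_enable(), which is
# true only if ops->name equals the LSM name chosen at boot.

# Print the LSM name the kernel would choose. Assumption of this model: the
# last security= parameter on the command line replaces CONFIG_DEFAULT_SECURITY.
chosen_lsm() {  # $1 = path to .config, $2 = kernel command line
    chosen=$(sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p' "$1" | tail -n 1)
    for arg in $2; do
        case $arg in
            security=*) chosen=${arg#security=} ;;
        esac
    done
    printf '%s\n' "$chosen"
}

# Succeeds when an LSM whose ops->name is $3 would pass security_module_enable().
lsm_would_enable() {  # $1 = .config, $2 = cmdline, $3 = ops->name
    [ "$(chosen_lsm "$1" "$2")" = "$3" ]
}

# Constructed sample inputs: the config lines are copied from the two configs
# in the thread; the command lines are invented for illustration.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_SECURITY_HELLOWORLD=y' \
        'CONFIG_DEFAULT_SECURITY="helloworld"' > "$tmp/hw.config"
    printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' \
        'CONFIG_DEFAULT_SECURITY="selinux"' > "$tmp/se.config"
    for cfg in hw se; do
        for cmdline in 'ro quiet' 'ro quiet security=selinux'; do
            printf '%s.config [%s] -> %s\n' "$cfg" "$cmdline" \
                "$(chosen_lsm "$tmp/$cfg.config" "$cmdline")"
        done
    done
    rm -rf "$tmp"
}

demo
```

On a booted Fedora system the same functions can be pointed at `/boot/config-$(uname -r)` and the contents of `/proc/cmdline`, which also confirms that the running kernel is the one that was just built.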