[LTP] [PATCH 3/3] Add lockdown checks to init_module* and finit_module* tests

Cyril Hrubis chrubis@suse.cz
Tue Jul 20 14:45:56 CEST 2021


Hi!
> > I'm slightly afraid that the order of checks may change over time
> > and we will get EPERM in all these cases, but maybe I'm just overly
> > cautious. Other than this the code looks good.
> 
> I don't think we need to worry about that. With root privileges, the
> EPERM error is returned when a kernel module does not have a valid
> signature. How would something that is not even a valid kernel module in
> the first place fail that check?
>
> The only subtests that actually try to load a valid kernel module are
> null-param, invalid-param and module-exists. All three of them now
> handle lockdown correctly.

Right, we have to be able to read the signature in order to produce
EPERM, and the same goes for init_module(): there has to be a pointer to
module data that the kernel can check the signature from.

Patch pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

