lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87fusflb6m.fsf@rustcorp.com.au>
Date:	Wed, 15 Jun 2016 06:50:33 +0930
From:	Rusty Russell <rusty@...tcorp.com.au>
To:	Prarit Bhargava <prarit@...hat.com>, linux-kernel@...r.kernel.org
Cc:	Prarit Bhargava <prarit@...hat.com>,
	Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org
Subject: Re: [PATCH v2] Add kernel parameter to blacklist modules

Prarit Bhargava <prarit@...hat.com> writes:
> Blacklisting a module in linux has long been a problem.  The current
> procedure is to use rd.blacklist=module_name, however, that doesn't
> cover the case after the initramfs and before a boot prompt (where one
> is supposed to use /etc/modprobe.d/blacklist.conf to blacklist
> runtime loading). Using rd.shell to get an early prompt is hit-or-miss,
> and doesn't cover all situations AFAICT.
>
> This patch adds this functionality of permanently blacklisting a module
> by its name via the kernel parameter module_blacklist=module_name.
>
> [v2]: Rusty, use core_param() instead of __setup(), and drop struct which
> simplifies things.
>
> Signed-off-by: Prarit Bhargava <prarit@...hat.com>
> Cc: Jonathan Corbet <corbet@....net>
> Cc: Rusty Russell <rusty@...tcorp.com.au>
> Cc: linux-doc@...r.kernel.org
> ---
>  Documentation/kernel-parameters.txt |    3 +++
>  kernel/module.c                     |   25 +++++++++++++++++++++++++
>  2 files changed, 28 insertions(+)
>
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 82b42c958d1c..c720b96f2efc 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -2295,6 +2295,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>  			Note that if CONFIG_MODULE_SIG_FORCE is set, that
>  			is always true, so this option does nothing.
>  
> +	module_blacklist=  [KNL] Do not load a comma-separated list of
> +			modules.  Useful for debugging problem modules.
> +
>  	mousedev.tap_time=
>  			[MOUSE] Maximum time between finger touching and
>  			leaving touchpad surface for touch to be considered
> diff --git a/kernel/module.c b/kernel/module.c
> index 5f71aa63ed2a..5ff5287b19a8 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -3155,6 +3155,28 @@ int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
>  	return 0;
>  }
>  
> +/* module_blacklist is a comma-separated list of module names */
> +static char *module_blacklist;
> +static bool blacklisted(char *module_name)
> +{
> +	char *str, *entry;
> +
> +	if (!module_blacklist)
> +		return false;
> +
> +	str = module_blacklist;
> +	do {
> +		entry = strsep(&str, ",");
> +		if (!strcmp(module_name, entry)) {
> +			pr_info("module %s is blacklisted\n", module_name);
> +			return true;
> +		}

strsep mangles the string; this will only work once :)

This is untested, and a little ugly:

       len = strlen(module_name);
       
       while ((p = strstr(p, module_name)) != NULL) {
              if ((p == module_blacklist || p[-1] == ',') &&
                  (p[len] == ',' || p[len] == '\0'))
                        return true;
              p += len;
       }
       return false;

Cheers,
Rusty.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ