LoadPin old-api-denied

Kees Cook keescook at chromium.org
Fri Mar 29 19:39:10 UTC 2019


On Fri, Mar 29, 2019 at 11:01 AM Martin Townsend
<mtownsend1973 at gmail.com> wrote:
>
> On Fri, Mar 29, 2019 at 5:26 PM Martin Townsend <mtownsend1973 at gmail.com> wrote:
> >
> > Hi,
> >
> > I'm seeing the following message when trying to load some backported
> > kernel modules:
> > Mar 29 16:24:09 mach-cw-rnet-ppm-1840 kernel: LoadPin: kernel-module
> > old-api-denied obj=<unknown> pid=340 cmdline="modprobe compat"
> >
> > I have other kernel modules that were built out of tree and these load
> > fine, the only difference I can see is that they are loaded via
> > /etc/modules-load.d
> >
> > I've read through the loadpin docs and it states that it will only
> > allow modules that are from the main root filesystem and that
> > filesystem is read-only.  I've checked and both of these are true for
> > the failing module.  I've read through the source code and there's a
> > comment above the code path that loadpin is taking where the file
> > pointer is NULL.
> > /* This handles the older init_module API that has a NULL file. */
> > if (!file) {
> >
> > I'm not 100% sure what this means, but could it be that
> > modprobe/insmod are using this older init_module API? If so, how can I
> > get around this, I need to manually insert these modules at an
> > appropriate time during boot?
> >
> > Any help greatly appreciated,
> >
> > Martin.
>
> After sending this I then found this post:
> https://lwn.net/Articles/519010/
>
> So I think I need to write some C code to use finit_module so I will try this.

It sounds like you have a mix of finit_module and init_module? Also,
if you're not intending to enforce loadpinning, you can also either
boot with "loadpin.enforce=0" or build with
CONFIG_SECURITY_LOADPIN_ENFORCE unset.

-Kees

-- 
Kees Cook
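
An added example, not part of the original messages or of any project's code: a minimal loader that uses finit_module(2), the approach Martin says he will try, so the kernel receives a file rather than the NULL file of the older init_module API. The helper name load_module_from_file and the command-line handling are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Hypothetical helper: load a module through finit_module(2) so the
 * kernel is handed an open file descriptor. init_module(2) passes only
 * a memory buffer, which is the NULL-file case that LoadPin logs as
 * "old-api-denied".
 * Returns 0 on success or a negative errno value.
 */
static int load_module_from_file(const char *path, const char *params)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;

    int rc = 0;
    /* flags = 0: no MODULE_INIT_IGNORE_* overrides */
    if (syscall(SYS_finit_module, fd, params, 0) != 0)
        rc = -errno;

    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <module.ko> [params]\n", argv[0]);
        return 2;
    }
    int rc = load_module_from_file(argv[1], argc > 2 ? argv[2] : "");
    if (rc != 0) {
        fprintf(stderr, "finit_module(%s): %s\n", argv[1], strerror(-rc));
        return 1;
    }
    return 0;
}
```

Loading requires CAP_SYS_MODULE, so run it as root with the path to the module file.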


