Hello. Since Linux 4.12-rc1 was released, I uploaded the latest files.

ccs-patch-1.8.5-20170515.tar.gz MD5:aaaa6509f183d52ab651768e0fe581ee
akari-1.0.36-20170515.tar.gz MD5:cccc9e424e65bc403e4420cb4380a636
caitsith-patch-0.2-20170515.tar.gz MD5:2222d161166c97caf9abed06ee6c875b
caitsith-tools-0.2-20170515.tar.gz MD5:9999c2346026c783c399933296f947ed

Tetsuo Handa wrote:
> Tetsuo Handa wrote:
> > The array of "struct security_hook_list" which is used for LSM hooks is
> > also subject to this proposal to add a "read only" attribute after
> > initialization has completed. It might become difficult to load modules
> > like AKARI which hook into the LSM hooks.
>
> I think this change will be merged into 4.12-rc1. Therefore, it will become
> impossible to load LKM-based LSM modules unless you specify the rodata=0
> kernel boot command line option, if your kernel was not built with
> CONFIG_SECURITY_WRITABLE_HOOKS=y.
>
> Although there seems to be an architecture-dependent method for temporarily
> changing read-only memory to read-write and/or suppressing exceptions caused
> by trying to write to read-only memory, these files do not include such a
> method.

akari-1.0.36-20170515.tar.gz and caitsith-patch-0.2-20170515.tar.gz include a patch for x86 kernels for temporarily changing read-only memory to read-write, allowing x86 kernels built without CONFIG_SECURITY_WRITABLE_HOOKS=y to load LKM-based LSM modules without specifying the rodata=0 kernel boot command line option. These files also include a patch for non-x86 kernels so that the modules do not try to load if the kernel was built without CONFIG_SECURITY_WRITABLE_HOOKS=y and rodata=0 was not specified, avoiding a kernel oops.

Also, risnic reported that LKM-based LSM modules cannot be loaded if the /proc/sys/kernel/kptr_restrict sysctl parameter is set to 2.

Please report if you notice something wrong.

By the way, on 5th March 2017, a CTF game was held in an event titled "CyberColosseo x SecCon" ( http://2016.seccon.jp/news/#137 ).

I gave a simple troubleshooting-like system-analyzing quiz using an SSH shell session where operations are restricted by CaitSith. Since the VM will be useful as an example of how to configure CaitSith's policy, I made a downloadable version.

http://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/67303/SecCon20170305-CaitSith.zip MD5: 99bad6936d8cdeb37d0d6af99265a2ac

This VM is configured for VMware Player 12 / 4 CPUs / 2048MB RAM. An IPv4 address will be assigned upon boot using the DHCP service on the host network. SSH username and password are both "caitsith".

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
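The post names three conditions that decide whether an LKM-based LSM (AKARI, CaitSith) can be loaded on a 4.12+ kernel: CONFIG_SECURITY_WRITABLE_HOOKS=y, or rodata=0 on the boot command line, and kptr_restrict not being 2. The following preflight script is an added example written for this page; it is not part of the AKARI or CaitSith tools, and the function name `lsm_lkm_preflight` and the sample config/cmdline/sysctl files it is fed are constructed for illustration. It only reads the three sources and reports which condition fails, so an administrator can see the problem before a modprobe that would otherwise fail or, on non-x86 kernels without the patch described above, oops.

```shell
#!/bin/sh
# Preflight check for loading an LKM-based LSM (AKARI / CaitSith).
# Added example; not part of the projects' own code.
#
# lsm_lkm_preflight CONFIG_FILE CMDLINE_FILE KPTR_RESTRICT_FILE
#   CONFIG_FILE         : a plain-text kernel config (e.g. /boot/config-$(uname -r))
#   CMDLINE_FILE        : the boot command line (normally /proc/cmdline)
#   KPTR_RESTRICT_FILE  : normally /proc/sys/kernel/kptr_restrict
# Returns 0 when loading should be possible, 1 when a known blocker is present.
lsm_lkm_preflight() {
    config="$1"; cmdline="$2"; kptr="$3"
    rc=0

    # The hook table stays writable when the option is on, or when rodata
    # protection is disabled at boot; otherwise writes to it fault.
    if grep -q '^CONFIG_SECURITY_WRITABLE_HOOKS=y' "$config" 2>/dev/null; then
        echo "ok: CONFIG_SECURITY_WRITABLE_HOOKS=y (security_hook_list stays writable)"
    elif grep -qE '(^| )rodata=0( |$)' "$cmdline" 2>/dev/null; then
        echo "ok: rodata=0 present on the kernel command line"
    else
        echo "fail: hook table is read-only after init and rodata=0 was not given"
        rc=1
    fi

    # kptr_restrict=2 hides kernel symbol addresses, which the post reports
    # as blocking module load as well.
    restrict=$(cat "$kptr" 2>/dev/null || echo 0)
    if [ "$restrict" = "2" ]; then
        echo "fail: kernel.kptr_restrict=2"
        rc=1
    fi
    return "$rc"
}

# Constructed sample inputs (not taken from a real machine).
tmp=$(mktemp -d)
printf 'CONFIG_STRICT_KERNEL_RWX=y\n# CONFIG_SECURITY_WRITABLE_HOOKS is not set\n' > "$tmp/config-locked"
printf 'CONFIG_STRICT_KERNEL_RWX=y\nCONFIG_SECURITY_WRITABLE_HOOKS=y\n' > "$tmp/config-writable"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$tmp/cmdline-default"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro rodata=0\n' > "$tmp/cmdline-rodata0"
echo 1 > "$tmp/kptr-1"
echo 2 > "$tmp/kptr-2"

# Demonstration run on the constructed inputs.
if lsm_lkm_preflight "$tmp/config-locked" "$tmp/cmdline-default" "$tmp/kptr-1"; then
    echo "=> module load should succeed"
else
    echo "=> module load would fail; fix the conditions above first"
fi
```

On a real host the call would be `lsm_lkm_preflight /boot/config-$(uname -r) /proc/cmdline /proc/sys/kernel/kptr_restrict`; if only /proc/config.gz is available, decompress it to a file first, since the function reads plain text. The check is deliberately read-only: it reports the blocking condition rather than changing rodata protection or sysctls itself.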