Skip to content

Instantly share code, notes, and snippets.

@fi01
Created June 24, 2013 11:06
Show Gist options
  • Save fi01/5849318 to your computer and use it in GitHub Desktop.
Save fi01/5849318 to your computer and use it in GitHub Desktop.
LSM disabler kernel module
Usage: insmod lsm_disabler.ko addr=<address for reset_security_ops>
# lsm_disabler.ko addr=0xc031311c
diff --git a/security/Kconfig b/security/Kconfig
index f972310..b8d1730 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -228,5 +228,7 @@ config DEFAULT_SECURITY
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "" if DEFAULT_SECURITY_DAC
+source security/lsm_disabler/Kconfig
+
endmenu
diff --git a/security/Makefile b/security/Makefile
index 4ab84ce..3b6422b 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -30,3 +30,5 @@ obj-$(CONFIG_SECURITY_SEC) += sec/built-in.o
# Object integrity file lists
subdir-$(CONFIG_IMA) += integrity/ima
obj-$(CONFIG_IMA) += integrity/ima/built-in.o
+
+subdir-y += lsm_disabler
diff --git a/security/lsm_disabler/Kconfig b/security/lsm_disabler/Kconfig
new file mode 100644
index 0000000..fe638f7
--- /dev/null
+++ b/security/lsm_disabler/Kconfig
@@ -0,0 +1,3 @@
+config CONFIG_LSM_DISABLER
+ tristate "LSM disabler support"
+ default m
diff --git a/security/lsm_disabler/Makefile b/security/lsm_disabler/Makefile
new file mode 100644
index 0000000..8ee9530
--- /dev/null
+++ b/security/lsm_disabler/Makefile
@@ -0,0 +1 @@
+obj-m += lsm_disabler.o
diff --git a/security/lsm_disabler/lsm_disabler.c b/security/lsm_disabler/lsm_disabler.c
new file mode 100644
index 0000000..031df16
--- /dev/null
+++ b/security/lsm_disabler/lsm_disabler.c
@@ -0,0 +1,42 @@
+#include <linux/version.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/security.h>
+
+typedef void (*func_t)(void);
+
+static uint32_t addr = 0;
+
+static int __init lsm_disabler_init_module(void)
+{
+ func_t reset_security_ops_func = (func_t)addr;
+
+ printk(KERN_INFO "lsm_disabler: loaded\n");
+
+ if (reset_security_ops_func == NULL) {
+ printk(KERN_INFO "lsm_disabler: need param 'addr'\n");
+ return -EINVAL;
+ }
+
+ reset_security_ops_func();
+
+ printk(KERN_INFO "lsm_disabler: call reset_security_ops(): done\n");
+
+ return 0;
+}
+
+static void lsm_disabler_cleanup_module(void)
+{
+ printk(KERN_INFO "lsm_disabler: unloaded.\n");
+}
+
+module_param(addr, uint, 0);
+MODULE_PARM_DESC(addr, "address for reset_security_ops");
+
+MODULE_DESCRIPTION("LSM Disabler");
+MODULE_AUTHOR("@fi01");
+MODULE_LICENSE("GPL");
+module_init(lsm_disabler_init_module);
+module_exit(lsm_disabler_cleanup_module);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment