lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Oct 2022 15:13:34 -0400 From: Mimi Zohar <zohar@...ux.ibm.com> To: Kees Cook <keescook@...omium.org>, Mickaël Salaün <mic@...ikod.net> Cc: Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, linux-security-module@...r.kernel.org, linux-integrity@...r.kernel.org, KP Singh <kpsingh@...nel.org>, Casey Schaufler <casey@...aufler-ca.com>, John Johansen <john.johansen@...onical.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM On Wed, 2022-10-19 at 11:33 -0700, Kees Cook wrote: > On Mon, Oct 17, 2022 at 11:26:44AM +0200, Mickaël Salaün wrote: > > > > On 14/10/2022 19:59, Kees Cook wrote: > > > On Fri, Oct 14, 2022 at 04:40:01PM +0200, Mickaël Salaün wrote: > > > > This is not backward compatible > > > > > > Why? Nothing will be running LSM hooks until init finishes, at which > > > point the integrity inode cache will be allocated. And ima and evm don't > > > start up until lateinit. > > > > > > > , but can easily be fixed thanks to > > > > DEFINE_LSM().order > > > > > > That forces the LSM to be enabled, which may not be desired? > > > > This is not backward compatible because currently IMA is enabled > > independently of the "lsm=" cmdline, which means that for all installed > > systems using IMA and also with a custom "lsm=" cmdline, updating the kernel > > with this patch will (silently) disable IMA. Using ".order = > > LSM_ORDER_FIRST," should keep this behavior. > > This isn't true. If "integrity" is removed from the lsm= line today, IMA > will immediately panic: > > process_measurement(): > integrity_inode_get(): > if (!iint_cache) > panic("%s: lsm=integrity required.\n", __func__); > > and before v5.12 (where the panic was added), it would immediately NULL > deref. (And it took 3 years to even notice.) Most people were/are still using the "security=" boot command line option, not "lsm=". This previously wasn't a problem with "security=", but became a problem with "lsm=". I should have been aware of the change from "security=" to "lsm=", but unfortunately wasn't. It took me totally by surprise. All of sudden "integrity" went from being a common IMA/EVM resource to an LSM. The correct solution would have been to move it a different initcall. (It's not too late to fix it.) -- thanks, Mimi
Powered by blists - more mailing lists