lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 5 Apr 2018 14:34:10 +0300
From:   Igor Stoppa <>
To:     Peter Dolding <>, Sargun Dhillon <>
CC:     linux-security-module <>,
        linux-kernel <>,
        Tetsuo Handa <>,
        Kees Cook <>,
        Casey Schaufler <>,
        James Morris <>,
        Stephen Smalley <>, <>,
Subject: Re: [PATCH v4 0/1] Safe LSM (un)loading, and immutable hooks

On 05/04/18 13:31, Peter Dolding wrote:
> On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa <> wrote:


>> A) hooks that are either const or marked as RO after init
>> B) hooks that are writable for a short time, long enough to load
>> additional, non built-in modules, but then get locked down
>> I provided an example some time ago [1]
>> C) hooks that are unloadable (and therefore always attackable?)


>> Do you have any specific case in mind where this trade-off would be
>> acceptable?
> A useful case for loadable/unloadable LSM is development automate QA.

I did not consider this case, but I see the point.


> I would say normal production machines being able to swap LSM like
> this does not have much use.

yes, this is what I had in mind


> There is a shade of grey between something being a security hazard and
> something being a useful feature.

Maybe the problem I see is only in the naming: if what right now is
addressed as "mutable" were to be called in some other way that does not
imply that it's impossible to lock it down, then I think there wouldn't
be much of a problem anymore.

How about s/mutable/protectable/g ?

Then it could be a boot time parameter to decide if the "extra" hooks
should be protected or stay writable, for example for performing more
extensive testing.


Powered by blists - more mailing lists