lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 5 Apr 2018 14:34:10 +0300
From:   Igor Stoppa <igor.stoppa@...wei.com>
To:     Peter Dolding <oiaohm@...il.com>, Sargun Dhillon <sargun@...gun.me>
CC:     linux-security-module <linux-security-module@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        Kees Cook <keescook@...omium.org>,
        Casey Schaufler <casey@...aufler-ca.com>,
        James Morris <jmorris@...ei.org>,
        Stephen Smalley <sds@...ho.nsa.gov>, <paul@...l-moore.com>,
        <plautrba@...hat.com>
Subject: Re: [PATCH v4 0/1] Safe LSM (un)loading, and immutable hooks



On 05/04/18 13:31, Peter Dolding wrote:
> On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa <igor.stoppa@...wei.com> wrote:

[...]

>> A) hooks that are either const or marked as RO after init
>>
>> B) hooks that are writable for a short time, long enough to load
>> additional, non built-in modules, but then get locked down
>> I provided an example some time ago [1]
>>
>> C) hooks that are unloadable (and therefore always attackable?)

[...]

>> Do you have any specific case in mind where this trade-off would be
>> acceptable?
>>
> 
> A useful case for loadable/unloadable LSM is development automate QA.

I did not consider this case, but I see the point.

[...]

> I would say normal production machines being able to swap LSM like
> this does not have much use.

yes, this is what I had in mind

[...]

> There is a shade of grey between something being a security hazard and
> something being a useful feature.

Maybe the problem I see is only in the naming: if what right now is
addressed as "mutable" were to be called in some other way that does not
imply that it's impossible to lock it down, then I think there wouldn't
be much of a problem anymore.

How about s/mutable/protectable/g ?

Then it could be a boot time parameter to decide if the "extra" hooks
should be protected or stay writable, for example for performing more
extensive testing.

--
igor

Powered by blists - more mailing lists