[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANA3KFWkYJ4kGjZ_9E1Qa4B=onyE5zNucPmX3RPQmcRL6esGqg@mail.gmail.com>
Date: Thu, 5 Apr 2018 22:28:30 +1000
From: Peter Dolding <oiaohm@...il.com>
To: Igor Stoppa <igor.stoppa@...wei.com>
Cc: Sargun Dhillon <sargun@...gun.me>,
linux-security-module <linux-security-module@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
Kees Cook <keescook@...omium.org>,
Casey Schaufler <casey@...aufler-ca.com>,
James Morris <jmorris@...ei.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
Paul Moore <paul@...l-moore.com>, plautrba@...hat.com
Subject: Re: [PATCH v4 0/1] Safe LSM (un)loading, and immutable hooks
On Thu, Apr 5, 2018 at 9:34 PM, Igor Stoppa <igor.stoppa@...wei.com> wrote:
> On 05/04/18 13:31, Peter Dolding wrote:
>> On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa <igor.stoppa@...wei.com> wrote:
>> There is a shade of grey between something being a security hazard and
>> something being a useful feature.
>
> Maybe the problem I see is only in the naming: if what right now is
> addressed as "mutable" were to be called in some other way that does not
> imply that it's impossible to lock it down, then I think there wouldn't
> be much of a problem anymore.
>
> How about s/mutable/protectable/g ?
>
> Then it could be a boot time parameter to decide if the "extra" hooks
> should be protected or stay writable, for example for performing more
> extensive testing.
>
Due to being a shades of grey area I would say kconfig 2 option and 1
boot time parameter.
Some kernels the ability to change LSM on fly should be fully disabled
in the build process.
The abplity to change LSM at runtime has limited valid usage cases so
even if the kernel is built with the ablity to change LSM at runtime
enabled it should still be off by default until enabled with boot time
parameter. So those who need the feature turn it on and those who
don't need it on cannot turn it on just by installing a kernel. For
systems that cannot use Linux kernel command line features to turn
stuff on and off a kernel configuration option to change the default
to on with warning in kernel configure. So 2 kconfig entries and 1
Kernel Boot Parameter. Of course when a feature like this is enabled
there should be a kernel message so its recorded in logs and is check
able if a feature like this that can lower security is turn on.
The ability to change LSM on fly i see the development usage cases.
I can not think of a single production system usage case for anyone
who is not a developer. I might be thinking way to narrow. Unless
someone else can find another use case I would suggest following what
I suggest how a feature like this is enabled.
Naming the feature what ever you think is suitable.
Peter Dolding
Powered by blists - more mailing lists