| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACdnJuskoACijaifrNQhqRtr07uPN7LT8m=FNgcxgJRiwDLVkw@mail.gmail.com>
Date: Tue, 26 Mar 2019 13:19:10 -0700
From: Matthew Garrett <mjg59@...gle.com>
To: James Morris <jmorris@...ei.org>
Cc: Andy Lutomirski <luto@...nel.org>,
Stephen Hemminger <stephen@...workplumber.org>,
Linux API <linux-api@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
David Howells <dhowells@...hat.com>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
Network Development <netdev@...r.kernel.org>,
Chun-Yi Lee <jlee@...e.com>,
Daniel Borkmann <daniel@...earbox.net>,
Kees Cook <keescook@...omium.org>,
Will Drewry <wad@...omium.org>
Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when
the kernel is locked down
On Tue, Mar 26, 2019 at 11:57 AM James Morris <jmorris@...ei.org> wrote:
> - Assign an ID to each lockdown point
> - Implement a policy mechanism where each ID is mapped to 0 or 1
> - Allow this policy to be specified statically or dynamically
One of the problems with this approach is what the default behaviour
should be when a new feature is added. If an admin fails to notice
that there's now a new policy element, they run the risk of kernel
integrity being compromised via the new feature even if the rest of
the kernel is locked down.
Powered by blists - more mailing lists