lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0001755a-6b2a-b13b-960c-eb0b065c8e3c@linux.microsoft.com>
Date:   Mon, 11 May 2020 11:03:31 -0700
From:   Deven Bowers <deven.desai@...ux.microsoft.com>
To:     Mickaël Salaün <mic@...ikod.net>,
        agk@...hat.com, axboe@...nel.dk, snitzer@...hat.com,
        jmorris@...ei.org, serge@...lyn.com, zohar@...ux.ibm.com,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, dm-devel@...hat.com,
        linux-block@...r.kernel.org, jannh@...gle.com
Cc:     tyhicks@...ux.microsoft.com, pasha.tatashin@...een.com,
        sashal@...nel.org, jaskarankhurana@...ux.microsoft.com,
        nramas@...ux.microsoft.com, mdsakib@...ux.microsoft.com,
        linux-kernel@...r.kernel.org, corbet@....net
Subject: Re: [RFC PATCH v3 00/12] Integrity Policy Enforcement LSM (IPE)



On 5/10/2020 2:28 AM, Mickaël Salaün wrote:

[...snip]

>>
>> Additionally, rules are evaluated top-to-bottom. As a result, any
>> revocation rules, or denies should be placed early in the file to ensure
>> that these rules are evaluated before a rule with "action=ALLOW" is hit.
>>
>> IPE policy is designed to be forward compatible and backwards compatible,
>> thus any failure to parse a rule will result in the line being ignored,
>> and a warning being emitted. If backwards compatibility is not required,
>> the kernel commandline parameter and sysctl, ipe.strict_parse can be
>> enabled, which will cause these warnings to be fatal.
> 
> Ignoring unknown command may lead to inconsistent beaviors. To achieve
> forward compatibility, I think it would be better to never ignore
> unknown rule but to give a way to userspace to known what is the current
> kernel ABI. This could be done with a securityfs file listing the
> current policy grammar.
> 

That's a fair point. From a manual perspective, I think this is fine.
A human-user can interpret a grammar successfully on their own when new
syntax is introduced.

 From a producing API perspective, I'd have to think about it a bit 
more. Ideally, the grammar would be structured in such a way that the 
userland
interpreter of this grammar would not have to be updated once new syntax
is introduced, avoiding the need to update the userland binary. To do so
generically ("op=%s") is easy, but doesn't necessarily convey sufficient
information (what happens when a new "op" token is introduced?). I think
this may come down to regular expression representations of valid values
for these tokens, which worries me as regular expressions are incredibly
error-prone[1].

I'll see what I can come up with regarding this.


[1] 
https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ