lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 2 Apr 2024 23:42:30 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Paul Moore <paul@...l-moore.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
	Roberto Sassu <roberto.sassu@...weicloud.com>,
	linux-integrity@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, linux-cifs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [GIT PULL] security changes for v6.9-rc3

On Tue, Apr 02, 2024 at 05:36:30PM -0400, Paul Moore wrote:

> >         1) location of that hook is wrong.  It's really "how do we catch
> > file creation that does not come through open() - yes, you can use
> > mknod(2) for that".  It should've been after the call of vfs_create(),
> > not the entire switch.  LSM folks have a disturbing fondness of inserting
> > hooks in various places, but IMO this one has no business being where
> > they'd placed it.
> 
> I know it's everyone's favorite hobby to bash the LSM and LSM devs,
> but it's important to note that we don't add hooks without working
> with the associated subsystem devs to get approval.  In the cases
> where we don't get an explicit ACK, there is an on-list approval, or
> several ignored on-list attempts over weeks/months/years.  We want to
> be good neighbors.
> 
> Roberto's original patch which converted from the IMA/EVM hook to the
> LSM hook was ACK'd by the VFS folks.
> 
> Regardless, Roberto if it isn't obvious by now, just move the hook
> back to where it was prior to v6.9-rc1.

The root cause is in the too vague documentation - it's very easy to
misread as "->mknod() must call d_instantiate()", so the authors of
that patchset and reviewers of the same had missed the subtlety
involved.  No arguments about that.

Unkind comments about the LSM folks' tendency to shove hooks in
places where they make no sense had been brought by many things,
the most recent instance being this:
	However, I thought, since we were promoting it as an LSM hook,
	we should be as generic possible, and support more usages than
	what was needed for IMA.
(https://lore.kernel.org/all/3441a4a1140944f5b418b70f557bca72@huawei.com/)

I'm not blaming Roberto - that really seems to be the general attitude
around LSM;  I've seen a _lot_ of "it doesn't matter if it makes any sense,
somebody might figure out some use for the data we have at that point in
control flow, eventually if not now" kind of responses over the years.
IME asking what this or that hook is for and what it expects from the objects
passed to it gets treated as invalid question.  Which invites treating
hooks as black boxes...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ