Received: by 10.213.65.68 with SMTP id h4csp1768671imn; Thu, 5 Apr 2018 03:32:53 -0700 (PDT) X-Google-Smtp-Source: AIpwx48UCQZmAndqNJxbrF1sfYvkauP0ZHLE08PGW8+UCitEItnOb8nezrN82M5rJNvRbTwn4mYT X-Received: by 2002:a17:902:850c:: with SMTP id bj12-v6mr22618179plb.110.1522924373434; Thu, 05 Apr 2018 03:32:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522924373; cv=none; d=google.com; s=arc-20160816; b=xYtTfjz6TbtDH/xHJBieYFb6VOkAqanRsrdHMxmJUG7MLxY/kk19MKMEYmjDc0OD1X bOiDvEGnk1f5JztGAkunu8L83Sl051JvFG5z6jYln9INYtiWSOLlLQMwDRMnx8aCkr5j XTRBWg0PFVc5xMavV8RR1oiw2wI15YTKiSC8F2UEo90XWZcaJ6bkyXSTMh+KKBOxBP2f lio7YzvRyKJktCEOJz63givJtf8OtGTkOAkDp0WwJpY0YRIiFxB2/a2k4qYqk20+uEk5 Ysd5FFb+Bdy+45H5/gixyh5Efj3QUCnjpZmtMdDXkInaShpBcXDcC4zn3wrrjoljeObL 9RRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=61TrEPqdFCWJ4Dlc8lLkRroKTcv1/rYWRhsmGjkG1o4=; b=kCauxdQRbjNsm6PM2bZmCsLJV9c9pNsv+sJZFFcmodkvDCDrev6qnTHRs+X0cEL8Zr ryGbF2iopxwU9TPxgYvOuvd1wUgdQJ9vvLIRjxLfXuE4NtY+7V3nwHoI+TiIaK90kN3m cQHeIgfJOS9C66AzIdXviA+YmIf7FHjUZrLMNse+ZtWp3Vn9lbJkxmNToQYOf3gsRJ3H /3bn9ZgDuWbwH8yqiHd454stdlQoT42VOXAYo6nW3s7fcCFaRL35RIzmk9vYEVUvMR2h GKJ6Y5y1mJMkX0in7qfvxR6fbYgOafVU2qDi3ovX3nsyBcSTBRrkPhqSOs3ABdbQecNS P2ng== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dXHIUj88; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 102-v6si5373824pla.230.2018.04.05.03.32.39; Thu, 05 Apr 2018 03:32:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dXHIUj88; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751412AbeDEKbZ (ORCPT + 99 others); Thu, 5 Apr 2018 06:31:25 -0400 Received: from mail-wm0-f42.google.com ([74.125.82.42]:53241 "EHLO mail-wm0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751097AbeDEKbX (ORCPT ); Thu, 5 Apr 2018 06:31:23 -0400 Received: by mail-wm0-f42.google.com with SMTP id g8so4364214wmd.2; Thu, 05 Apr 2018 03:31:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=61TrEPqdFCWJ4Dlc8lLkRroKTcv1/rYWRhsmGjkG1o4=; b=dXHIUj88oGlNUKFO3rXEmOZyQpFU9mfF8Cqipjg7bNb5cHodovbrZwwIGh2XyGrMZU jTG3V2yNMgwh8w1KgEt3gfq9c7oONeD+ydeoPF0z082NPtKudr2NP6yz8ECp5/6WgaqS DbdYvZkhQuAhGeGj58aSm8DYG6YaX/3k+7uYDWoCC8q3woNO6rVMsdiGsjRhZ3XRLhOM TEHJ0fVFqkbg6mKw3d/5C4wfpt3QfcafhIIvFQ5UvyxmCLSLPC61AW4kETF9Idk7IuDb eI0ODwQhpIeulRL19k9KZ+qHjAT5PSFf4VkIUavY5EoFfjEZ9glhIWEyTCAVU4fcTAmU FQqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=61TrEPqdFCWJ4Dlc8lLkRroKTcv1/rYWRhsmGjkG1o4=; b=Bk3fKqkN1tld5nRqUx58s1vmQujYy7my+ncpref2SSjeIfIoo0AFvPeEuqu7fB3RA0 iQtSdMSEGt7ZH3WSXtastUhqJKqXf8yipls733YpuAjj5mRdEsVKuesQoexGWSq7twVL RlMGTuN6baMCJPFatddltDG8+6yk3zju7+JtEuFzPCN6pkpGAzgBT8U4ZSrNV3c/1fwW x/kEDpa3ml2I117hhG7btP1hn3o1Qti3fGd2HPcIGZhk6/geEp9bkSjTmmnBtAWAc0GE ag9Wp1j9ffDoJ4Wyp8o2ISfDjgBF/g4gGUK8cjeYqFphsGtaswetWVFB6NmJ2byosSwE OaRQ== X-Gm-Message-State: ALQs6tCQoMo/snaszsHQQGjmH/MYHk9ipuwolRujT//m9jVyGRW9bINP EZv9FBc767cZ1EUJSxsDdRsH6cJWAem01SfBvp4M2w== X-Received: by 10.28.126.11 with SMTP id z11mr9316671wmc.128.1522924282190; Thu, 05 Apr 2018 03:31:22 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.151.36 with HTTP; Thu, 5 Apr 2018 03:31:21 -0700 (PDT) In-Reply-To: <911d9855-cd45-26f0-90eb-563db899d5ee@huawei.com> References: <911d9855-cd45-26f0-90eb-563db899d5ee@huawei.com> From: Peter Dolding Date: Thu, 5 Apr 2018 20:31:21 +1000 Message-ID: Subject: Re: [PATCH v4 0/1] Safe LSM (un)loading, and immutable hooks To: Igor Stoppa Cc: Sargun Dhillon , linux-security-module , linux-kernel , Tetsuo Handa , Kees Cook , Casey Schaufler , James Morris , Stephen Smalley , paul@paul-moore.com, plautrba@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa wrote: > On 01/04/18 08:41, Sargun Dhillon wrote: >> The biggest security benefit of this patchset is the introduction of >> read-only hooks, even if some security modules have mutable hooks. >> Currently, if you have any LSMs with mutable hooks it will render all heads, and >> list nodes mutable. These are a prime place to attack, because being able to >> manipulate those hooks is a way to bypass all LSMs easily, and to create a >> persistent, covert channel to intercept nearly all calls. >> >> >> If LSMs have a model to be unloaded, or are compled as modules, they should mark >> themselves mutable at compile time, and use the LSM_HOOK_INIT_MUTABLE macro >> instead of the LSM_HOOK_INIT macro, so their hooks are on the mutable >> chain. > > > I'd rather consider these types of hooks: > > A) hooks that are either const or marked as RO after init > > B) hooks that are writable for a short time, long enough to load > additional, non built-in modules, but then get locked down > I provided an example some time ago [1] > > C) hooks that are unloadable (and therefore always attackable?) > > Maybe type-A could be dropped and used only as type-B, if it's > acceptable that type-A hooks are vulnerable before lock-down of type-B > hooks. > > I have some doubts about the usefulness of type-C, though. > The benefit I see htat it brings is that it avoids having to reboot when > a mutable LSM is changed, at the price of leaving it attackable. > > Do you have any specific case in mind where this trade-off would be > acceptable? > A useful case for loadable/unloadable LSM is development automate QA. So you have built a new program and you you want to test it against a list of different LSM configurations without having to reboot the system. So a run testsuite with LSM off then enabled LSM1 run testsuite again disable LSM1 enable LSM2. run testsuite disable LSM2... Basically repeating process. I would say normal production machines being able to swap LSM like this does not have much use. Sometimes for productivity it makes sense to be able to breach security. The fact you need to test with LSM disabled to know if any of the defects you are seeing is LSM configuration related that instance is already in the camp of non secure anyhow.. There is a shade of grey between something being a security hazard and something being a useful feature. If development people are not testing that LSM configuration are clean because they don't really have enough machined to boot up individual instances with each LSM and this results in broken LSM configuration being shipped resulting in end users turning LSM off completely. Then a little security risk from providing unload-able LSM hooks when particularly requested is not that high really. With all the different LSM options how do application/distribution makers validate all the different LSM configurations effectively is a question that does need to be answered. In answering this question allowing this form of compromised security as a option might be quite a valid move. Peter Dolding