Subject: Re: [PATCH v4 0/1] Safe LSM (un)loading, and immutable hooks
To: Peter Dolding, Sargun Dhillon
CC: linux-security-module, linux-kernel, Tetsuo Handa, Kees Cook, Casey Schaufler, James Morris, Stephen Smalley
References: <911d9855-cd45-26f0-90eb-563db899d5ee@huawei.com>
From: Igor Stoppa
Message-ID: <63eaa2d5-3662-2240-15fb-ab2227b6903a@huawei.com>
Date: Thu, 5 Apr 2018 14:34:10 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/04/18 13:31, Peter Dolding wrote:
> On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa wrote:

[...]

>> A) hooks that are either const or marked as RO after init
>>
>> B) hooks that are writable for a short time, long enough to load
>> additional, non built-in modules, but then get locked down
>> I provided an example some time ago [1]
>>
>> C) hooks that are unloadable (and therefore always attackable?)

[...]

>> Do you have any specific case in mind where this trade-off would be
>> acceptable?
>>
>
> A useful case for loadable/unloadable LSM is development automated QA.

I did not consider this case, but I see the point.

[...]

> I would say normal production machines being able to swap LSM like
> this does not have much use.

yes, this is what I had in mind

[...]

> There is a shade of grey between something being a security hazard and
> something being a useful feature.

Maybe the problem I see is only in the naming: if what right now is
addressed as "mutable" were to be called in some other way that does not
imply that it's impossible to lock it down, then I think there wouldn't be
much of a problem anymore.

How about s/mutable/protectable/g ?

Then it could be a boot time parameter to decide if the "extra" hooks
should be protected or stay writable, for example for performing more
extensive testing.

--
igor