From: Sargun Dhillon
Date: Sun, 8 Apr 2018 21:21:41 -0700
Subject: Re: [PATCH v5 1/1] security: Add mechanism to safely (un)load LSMs after boot time
To: Tetsuo Handa
Cc: LSM, LKML, Casey Schaufler, James Morris, Peter Dolding, Igor Stoppa
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 8, 2018 at 8:38 PM, Tetsuo Handa wrote:
> Suggested changes on top of your patch:
>
> Replace "struct hlist_head *head" in "struct security_hook_list" with
> "const unsigned int offset" because there is no need to initialize with
> address of the immutable/mutable chains.
>
> Remove LSM_HOOK_INIT_MUTABLE() by embedding just offset (in bytes) from
> head of "struct security_hook_heads" into "struct security_hook_list"->offset.
>
> Make "struct security_hook_heads security_hook_heads" and
> "struct security_hook_heads security_hook_heads_mutable" local variables.
>
> Rename "struct security_hook_heads security_hook_heads" to
> "struct security_hook_heads security_mutable_hook_heads" and mark it as
> __ro_after_init.
>
> Add the fourth argument to security_add_hooks() which specifies to which
> chain (security_{mutable|immutable}_hook_heads) to connect.
>
> Make all built-in LSM modules (except SELinux if
> CONFIG_SECURITY_SELINUX_DISABLE=y) be connected to
> security_immutable_hook_heads.
>
> Rename __lsm_ro_after_init to __selinux_ro_after_init which is local to
> SELinux.
>
> Mark "struct security_hook_list"->hook const because it won't change.
>
> Mark "struct security_hook_list"->lsm const because none of
> security_add_hooks() callers are ready to modify the third argument.
>
> Remove SECURITY_HOOK_COUNT and "struct security_hook_list"->owner and
> the exception in randomize_layout_plugin.c because preventing module
> unloading won't work as expected.
>

Rather than completely removing the unloading code, might it make sense to add a BUG_ON or WARN_ON, in security_delete_hooks if allow_unload_module is false, and owner is not NULL?
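
Added example (not part of the original message or of the patch under review): a user-space C model of the two ideas in this exchange, hook entries that carry only a byte offset into struct security_hook_heads with the chain chosen at registration, and a WARN_ON-style guard in security_delete_hooks. The heads[2] array, the is_mutable flag, the omitted LSM-name argument, the string used as owner, and refusing the delete after warning are assumptions of this model.

```c
/* User-space model of the design discussed in the thread; assumed bodies, not kernel code. */
#include <stddef.h>
#include <stdio.h>
struct hook_node { struct hook_node *next; };
struct security_hook_heads { struct hook_node *file_open, *task_kill; };
struct security_hook_list {
    struct hook_node node;      /* first member, so a node pointer is also the entry pointer */
    const unsigned int offset;  /* bytes from the start of struct security_hook_heads */
    int (*const hook)(void);
    const void *owner;          /* non-NULL when a loadable module owns the hook */
};
static struct security_hook_heads heads[2];  /* [0] immutable chains, [1] mutable chains */
static int allow_unload_module, warn_count;
#define HEAD_AT(h, off) ((struct hook_node **)((char *)(h) + (off)))

static void security_add_hooks(struct security_hook_list *hooks, int count, int is_mutable) {
    for (int i = 0; i < count; i++) {   /* the caller names the chain, the entry only an offset */
        struct hook_node **p = HEAD_AT(&heads[is_mutable], hooks[i].offset);
        while (*p) p = &(*p)->next;     /* append at the tail */
        hooks[i].node.next = NULL;
        *p = &hooks[i].node;
    }
}

static int security_delete_hooks(struct security_hook_list *hooks, int count) {
    for (int i = 0; i < count; i++) {
        if (!allow_unload_module && hooks[i].owner) { warn_count++; return -1; } /* WARN_ON stand-in */
        struct hook_node **p = HEAD_AT(&heads[1], hooks[i].offset);  /* only mutable chains shrink */
        while (*p && *p != &hooks[i].node) p = &(*p)->next;
        if (*p) *p = hooks[i].node.next;
    }
    return 0;
}

static int call_int_hook(unsigned int off) {
    for (int c = 0, rc; c < 2; c++)     /* immutable chain first, then mutable */
        for (struct hook_node *n = *HEAD_AT(&heads[c], off); n; n = n->next)
            if ((rc = ((struct security_hook_list *)n)->hook()) != 0) return rc;
    return 0;
}

static int allow(void) { return 0; }
static int deny(void) { return -13; }   /* -EACCES */
static struct security_hook_list builtin_hooks[] = {{ .offset = offsetof(struct security_hook_heads, file_open), .hook = allow }};
static struct security_hook_list module_hooks[] = {{ .offset = offsetof(struct security_hook_heads, file_open), .hook = deny, .owner = "demo_module" }};
int main(void) {
    security_add_hooks(builtin_hooks, 1, 0);
    security_add_hooks(module_hooks, 1, 1);
    int rc = security_delete_hooks(module_hooks, 1);  /* unloading is off, so this is refused */
    printf("delete=%d warnings=%d file_open=%d\n", rc, warn_count, call_int_hook(builtin_hooks[0].offset));
}
```

With the guard in place, an attempted removal while unloading is disabled leaves the module's hook on the chain and is counted, which is the observable signal the WARN_ON in the reply would give.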