Received: by 10.213.65.68 with SMTP id h4csp2212648imn;
        Sun, 8 Apr 2018 22:39:49 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/6uGrEcuWGPbVhIX2tSFCgd75jOhQRxUqyfuu28zssF3lpOz9EIRaqjO2UIhGRowoliD+8
X-Received: by 10.99.121.77 with SMTP id u74mr23689941pgc.89.1523252389260;
        Sun, 08 Apr 2018 22:39:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523252389; cv=none;
        d=google.com; s=arc-20160816;
        b=CWr7Zh5jCkE1zEiBgj9XJqK+88nGv/Uk4ndNM7xsiQSVN/Pu+1qx2IFsWDhQu+2kd/
         smD+cnMAF20YxQFOjqdSodFvLZ35x+OJtqpalwFXm0vIhlW3QZmjOdtnM+IBiJuM/VpR
         lllIDMP5turO/RmgfuMlvO1M6cEQkcAGS0cFRe8hlZivGQA4zrmEXu74JjVPYnrOw7M0
         gAZp5T6HNRfQIwLoqzI+gCS7s7g/3xLCcL2qHsn7NenuAUfuTrFimVG3/1fmP7wRjis/
         x9Yxb4AnrfR6mEMTCjjmTML66sbnwUEoEtm6C9j4gEfjKT/4Mg675SIJ5vTE4F81QYNQ
         FcIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:in-reply-to
         :references:date:mime-version:cc:to:from:subject:message-id
         :arc-authentication-results;
        bh=yumLUvk3PHcVvs9+/Nv7ZCpepWDQ5UTTIyTm5PGON7g=;
        b=yZh6w5tjRikoD5mcbRPMPFHx9k00JiZlFZhauvj+d4L5nXNXjwh1NWTbpchr02A3Qo
         NwATjVIxD2A4mJqnVd9MMaa5gFjM7xmvTNx3xlxns0snBRSkZbd0PxvXgmSPoXu5SHI9
         lu7WYF9pW6jAedgD143COLi/gHTHBRs0V0bltqOnp5iWt5LinbRrelrUD/yIT1rT5F2W
         5xtexO7FvJUlowrWLB4P/vA9yNvhesy/jAohTsJ5MxEi64cMAtuj8IpvfqgL8gDyqQCw
         zg6P+0VB09rLuHgfV8xzcfE756A+QMQvhe2g+3plp4DTty9sAl2bM0TYLkx8eWaE0BMY
         c5oA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a84si12198739pfl.154.2018.04.08.22.39.12;
        Sun, 08 Apr 2018 22:39:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752278AbeDIFZT (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Mon, 9 Apr 2018 01:25:19 -0400
Received: from www262.sakura.ne.jp ([202.181.97.72]:56876 "EHLO
        www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751507AbeDIFZS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 Apr 2018 01:25:18 -0400
Received: from fsav405.sakura.ne.jp (fsav405.sakura.ne.jp [133.242.250.104])
        by www262.sakura.ne.jp (8.14.5/8.14.5) with ESMTP id w395P10c044325;
        Mon, 9 Apr 2018 14:25:01 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav405.sakura.ne.jp (F-Secure/fsigk_smtp/530/fsav405.sakura.ne.jp);
 Mon, 09 Apr 2018 14:25:01 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/530/fsav405.sakura.ne.jp)
Received: from www262.sakura.ne.jp (localhost [127.0.0.1])
        by www262.sakura.ne.jp (8.14.5/8.14.5) with ESMTP id w395P1mP044317;
        Mon, 9 Apr 2018 14:25:01 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Received: (from i-love@localhost)
        by www262.sakura.ne.jp (8.14.5/8.14.5/Submit) id w395P1qS044316;
        Mon, 9 Apr 2018 14:25:01 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Message-Id: <201804090525.w395P1qS044316@www262.sakura.ne.jp>
X-Authentication-Warning: www262.sakura.ne.jp: i-love set sender to penguin-kernel@i-love.sakura.ne.jp using -f
Subject: Re: [PATCH v5 1/1] security: Add mechanism to safely (un)load LSMs after
 boot time
From:   Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To:     Sargun Dhillon <sargun@sargun.me>
Cc:     LSM <linux-security-module@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        James Morris <jmorris@namei.org>,
        Peter Dolding <oiaohm@gmail.com>,
        Igor Stoppa <igor.stoppa@huawei.com>
MIME-Version: 1.0
Date:   Mon, 09 Apr 2018 14:25:01 +0900
References: <201804090338.w393crfv005435@www262.sakura.ne.jp> <CAMp4zn8GOFk9EKCS9JaEsKayDZ+pLFORWBRHPaCCsN--EyvFVg@mail.gmail.com>
In-Reply-To: <CAMp4zn8GOFk9EKCS9JaEsKayDZ+pLFORWBRHPaCCsN--EyvFVg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Sargun Dhillon wrote:
> >   Remove SECURITY_HOOK_COUNT and "struct security_hook_list"->owner and
> >   the exception in randomize_layout_plugin.c because preventing module
> >   unloading won't work as expected.
> >
> 
> Rather than completely removing the unloading code, might it make
> sense to add a BUG_ON or WARN_ON, in security_delete_hooks if
> allow_unload_module is false, and owner is not NULL?

Do we need to check ->owner != NULL? Although it will be true that
SELinux's ->owner == NULL and LKM-based LSM module's ->owner != NULL,
I think we unregister SELinux before setting allow_unload_module to false.
Thus, rejecting delete_security_hooks() if allow_unload_module == false will
be sufficient. SELinux might want to call panic() if delete_security_hooks()
did not unregister due to allow_unload_module == false. Also,
allow_unload_module would be renamed to allow_unregister_module.

By the way, please don't use BUG_ON() or WARN_ON() because syzbot would hit
and call panic() because syzbot runs tests with panic_on_warn == true.