From: Sargun Dhillon
Date: Tue, 10 Apr 2018 14:24:02 -0700
Subject: Re: [PATCH v5 1/1] security: Add mechanism to safely (un)load LSMs after boot time
To: Tetsuo Handa, Paul Moore
Cc: LSM, LKML, Casey Schaufler, James Morris, Peter Dolding, Igor Stoppa
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 8, 2018 at 10:25 PM, Tetsuo Handa wrote:
> Sargun Dhillon wrote:
>> > Remove SECURITY_HOOK_COUNT and "struct security_hook_list"->owner and
>> > the exception in randomize_layout_plugin.c because preventing module
>> > unloading won't work as expected.
>> >
>>
>> Rather than completely removing the unloading code, might it make
>> sense to add a BUG_ON or WARN_ON, in security_delete_hooks if
>> allow_unload_module is false, and owner is not NULL?
>
> Do we need to check ->owner != NULL? Although it will be true that
> SELinux's ->owner == NULL and LKM-based LSM module's ->owner != NULL,
> I think we unregister SELinux before setting allow_unload_module to false.
> Thus, rejecting delete_security_hooks() if allow_unload_module == false will
> be sufficient. SELinux might want to call panic() if delete_security_hooks()
> did not unregister due to allow_unload_module == false. Also,
> allow_unload_module would be renamed to allow_unregister_module.
>
> By the way, please don't use BUG_ON() or WARN_ON() because syzbot would hit
> and call panic() because syzbot runs tests with panic_on_warn == true.

I think my primary question is for the SELinux folks -- what do you think
the behaviour should be? If allow_unload_modules / allow_unregister_module
is set, do you want to be able to call security_delete_hooks? What do you
think the right action should be if it fails?