Received: by 10.192.165.156 with SMTP id m28csp1211125imm; Wed, 11 Apr 2018 14:41:05 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+y1T1ix/PpXQmD3qf9KId46b+cSgr8DL+qCcY7cV8tcCANg+XD/cANOymgWJvN+6DeUh9s X-Received: by 10.99.54.65 with SMTP id d62mr4625902pga.225.1523482865306; Wed, 11 Apr 2018 14:41:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523482865; cv=none; d=google.com; s=arc-20160816; b=ZxmMgPf+5csuRrIFBsH/evNjaQAN1AL5YsUebNLhSTD6dJss2J5osCp19S3aaZe5QF rEMl9aj3F+cQ5ACXJ20iTeKQC03Sw7/YDX9oLnrNG0/BjKaGKIOvGLB8WoAQU4ydOm5Z rE8EN2jMXJtyaOikIwmVsbfPs8wT1x9ZKll6zBDp28sgJosvY2JjYwfNNZGshBaVPnje fnivQdaCKVAAsttiX0K8E7AnBCqijPLid8Dnum4qQf0O7r5uF6qrULmPp7OMFhwiGjcC ltQxs0MR/oJ0zwmHKJysvIQjRxXdlEveEwn5Q2dSm1zHo/n1eEx7YQMsAFj38BKB20Zt XQhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=NSGN+3W9ja1jpMpABt/bWA9DkOkY4SwVIF4DMpHYPCY=; b=mawLM65OaaEOmn3JIZNRpxNtk88kR1sBnV4+lZrQu3O0/5/tANxPHUAoZScaz9mos4 V+++xMiCRPGKbguyGlx/nqZO/S2hx2Kc87vJ+vB7u0xYADO/GrA23rZQoxeald6tLgFB z9bCv73nsqQZBm8xbFpIad+sx2NeYv2eQUx8qCLmXyLUYytM0yKNyG5TMuEKu08oYLzM L+06pese3GBPNucbJBpl2ifXG3IEaWqSWqNL9UnfWI6kYJjRT4daltJPV06v+DcVNR60 0Vv4PH5rZrC2XSmyeXr1y6XclldGck22Lbj3PW3qfwSovW6akJlrXT+BznJv13p2e/lQ deGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=DL5CEiiZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o27si1303363pgn.428.2018.04.11.14.40.27; Wed, 11 Apr 2018 14:41:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=DL5CEiiZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753317AbeDKVgp (ORCPT + 99 others); Wed, 11 Apr 2018 17:36:45 -0400 Received: from mail-lf0-f65.google.com ([209.85.215.65]:38672 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752662AbeDKVgo (ORCPT ); Wed, 11 Apr 2018 17:36:44 -0400 Received: by mail-lf0-f65.google.com with SMTP id u3-v6so4720041lff.5 for ; Wed, 11 Apr 2018 14:36:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NSGN+3W9ja1jpMpABt/bWA9DkOkY4SwVIF4DMpHYPCY=; b=DL5CEiiZh2ZsOubNaH7sGpTREVF9K4ph1M+8z5UAmPDI4ShlmqOH5SDBmMqS1I7RBa XQjqfUM6XHzsKMmgIX2CpV729KdMnm4nhcrDyKgcX5DJn8Y7dY7VkjazSiQB1JFBw+JA 8wDQ3wEDtp7MoN6iQi4NioE7HvtcBoK3SG/9Wd4k1NzwrAdsEwCZfpPQ2GL30+ZAFulW gXiZ9eYIJkzv+UR6HuwidGP+6Ei8VsIxs/VnxsQUrK/Mm2+DIcWe+6iUdHa4okZ9Ciax ENtAiKb3eLu9bEfhZtGtX5KxjKtIyG0hlbUKXd/kJAdEdVWLVcHf6Sleptj005bnaycF 4seQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NSGN+3W9ja1jpMpABt/bWA9DkOkY4SwVIF4DMpHYPCY=; b=iv5vf10HhgB27+08ARfffveashihDOJF2BSO2uHtF8x8Dy4FRn4nVPLEtwTadXNmaP wYawvZljnENEFhOBvZK8HMQL5Bmr6WuZX84UxRWytCWDEO1qEO04U/eqSagl9BJJRrFK 4GlabbIsVIUR1bvjRn1rdxKICeCDviAkIpTC9e7sEmii3tuhj/3MAVB1zKDQaBMEr7kF wtIHV9ZN/2toND85dBJKXXVA+m6cX0qdJXtt+DPHoXLqjOygeR68tbBuJSiRgzX5Kf+d z1GGduQlkNLV4Yxh5yfkBsVB0IK4t1f4s/W14xbCnogvk4j4vbqLjswF2XzgyV3A2zEY ukdA== X-Gm-Message-State: ALQs6tBksEgnEqFta/CZPEfA1w+o1kPKSfRERU1+qT6r1kP9hwt1Nmj3 0j25fTk3TOsgWhfoBxTgC9fBBPeFjIP9liLs8mxd X-Received: by 2002:a19:b588:: with SMTP id g8-v6mr3903010lfk.90.1523482602351; Wed, 11 Apr 2018 14:36:42 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a19:a5c3:0:0:0:0:0 with HTTP; Wed, 11 Apr 2018 14:36:41 -0700 (PDT) X-Originating-IP: [108.20.156.165] In-Reply-To: <9cacbdfa-d224-189b-1e79-155a81f3dcdf@tycho.nsa.gov> References: <201804090338.w393crfv005435@www262.sakura.ne.jp> <201804090525.w395P1qS044316@www262.sakura.ne.jp> <9cacbdfa-d224-189b-1e79-155a81f3dcdf@tycho.nsa.gov> From: Paul Moore Date: Wed, 11 Apr 2018 17:36:41 -0400 Message-ID: Subject: Re: [PATCH v5 1/1] security: Add mechanism to safely (un)load LSMs after boot time To: Stephen Smalley Cc: Sargun Dhillon , Tetsuo Handa , LSM , LKML , Casey Schaufler , James Morris , Peter Dolding , Igor Stoppa Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 11, 2018 at 10:17 AM, Stephen Smalley wrote: > On 04/10/2018 05:24 PM, Sargun Dhillon wrote: >> On Sun, Apr 8, 2018 at 10:25 PM, Tetsuo Handa >> wrote: >>> Sargun Dhillon wrote: >>>>> Remove SECURITY_HOOK_COUNT and "struct security_hook_list"->owner and >>>>> the exception in randomize_layout_plugin.c because preventing module >>>>> unloading won't work as expected. >>>>> >>>> >>>> Rather than completely removing the unloading code, might it make >>>> sense to add a BUG_ON or WARN_ON, in security_delete_hooks if >>>> allow_unload_module is false, and owner is not NULL? >>> >>> Do we need to check ->owner != NULL? Although it will be true that >>> SELinux's ->owner == NULL and LKM-based LSM module's ->owner != NULL, >>> I think we unregister SELinux before setting allow_unload_module to false. >>> Thus, rejecting delete_security_hooks() if allow_unload_module == false will >>> be sufficient. SELinux might want to call panic() if delete_security_hooks() >>> did not unregister due to allow_unload_module == false. Also, >>> allow_unload_module would be renamed to allow_unregister_module. >>> >>> By the way, please don't use BUG_ON() or WARN_ON() because syzbot would hit >>> and call panic() because syzbot runs tests with panic_on_warn == true. >> >> I think my primary question is for the SELinux folks -- what do you >> think the behaviour should be? If allow_unload_modules / >> allow_unregister_module is set, do you want to be able to call >> security_delete_hooks? What do you think the right >> action should be if it fails? > > The one that avoids breakage for existing users ;) > > I personally am in favor of killing SELinux support for runtime disable aka > CONFIG_SECURITY_SELINUX_DISABLE; the only reason it exists is that Red Hat > originally insisted that bootloader configuration is too painful to modify/update on > certain platforms and therefore the selinux=0 boot parameter is insufficient > as a mechanism for disabling SELinux. I too would like to remove the SELinux runtime disable code, and we have looked at it briefly but there are a number of userspace/bootloader upgrade concerns that need to be addressed first (some of the issues have been captured in the BZ linked below). Unfortunately it isn't as trivial a chance as it would initially appear. * https://bugzilla.redhat.com/show_bug.cgi?id=1430944 > However, we can't break existing users. Userspace should still attempt to proceed > even if runtime disable fails, just with SELinux left in permissive mode and no > policy loaded. That generally should work, but does retain the performance overhead > of the SELinux hook function processing, unlike a real disable. > > I don't think we particularly care about allow_unload_modules / allow_unregister_module > since there is no existing userspace or configurations relying on it. -- paul moore www.paul-moore.com