Received: by 10.192.165.148 with SMTP id m20csp44242imm; Thu, 3 May 2018 14:31:51 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoHkmXODjPYLeZEHqEaEkbqCfIsf6e2Vs8bZZhoaX0auzpNU+ploXyseY49hQZ0KpQLLMw6 X-Received: by 2002:a63:705d:: with SMTP id a29-v6mr20565504pgn.202.1525383111793; Thu, 03 May 2018 14:31:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525383111; cv=none; d=google.com; s=arc-20160816; b=KJLWWq/p7XEH80ZUkZIxuAEEgAFlkwVYDcpKXZW7+CBkgoIA/p0AyddHA85nvBLol7 vi3i5kjWbFU6sV0852DPNOD6PqxdtUVa/UCAN7GOiRBe+jxlr5FER/vZdSsYhu7Y5vIJ N0tFPCPXPalzF45aA3C2CzKVevJk+cv5Pi5aGMJhxtq6b2OVJRWZN8XXaMP4W6+NmyEv lR+kPecW2UZM4ktMUNAS8aFuE71t1PmpnAHZazlFZBPctiu+GpaCA40gRd6fEnDa2HQ9 SezQJexUkzIaFOqM89JakrfT5GWRaP0GUdnqYlv780N7PINq+EvbeQt6XiJwQKvM/mvx +Rnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject :arc-authentication-results; bh=TSaE9bIiSOHtfZHFksnYYvwgBSLrOcZ17pMpdeuj1FM=; b=IB1WSJSv/0oRzI3fSNw/ouXt5EwemnqhgvSVvav/2tSQLj87EiUqISZJjEoc+Bm/n/ innIn0xT+E+a+gVCLyXRjDAGsWkxIyw0OR218lIPn71f5LfwMB8BFS11Ry7I5LZ8sU4Q 3n+p7PcjPQMwpxK580LhC/lGe3aJ7qs8OTQnliQnpeP6hkXqESvTy9f0oHA4iz9Ti8gN JsylIEXHeFIBCSKj114PO7Uk6AhK4V4yv7hX8gXfg2sdDNZJo6SvxnetRZakEdl4EmIb WShD6/Vn2cEphCps1QwkzyIR4t9ECWv7jhkNEWcSRN5jGO1oKganapsAZUUlf1Atlgl2 ittw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bh5-v6si13777339plb.599.2018.05.03.14.31.37; Thu, 03 May 2018 14:31:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751240AbeECVb1 (ORCPT + 99 others); Thu, 3 May 2018 17:31:27 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:58940 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751126AbeECVbY (ORCPT ); Thu, 3 May 2018 17:31:24 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w43LNhUf010023 for ; Thu, 3 May 2018 17:31:24 -0400 Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by mx0b-001b2d01.pphosted.com with ESMTP id 2hr8xjb3w5-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 03 May 2018 17:31:23 -0400 Received: from localhost by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 3 May 2018 22:31:22 +0100 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 3 May 2018 22:31:18 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w43LVHMj21561468; Thu, 3 May 2018 21:31:17 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 59FEA11C050; Thu, 3 May 2018 22:22:51 +0100 (BST) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3254D11C052; Thu, 3 May 2018 22:22:50 +0100 (BST) Received: from localhost.localdomain (unknown [9.80.107.24]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 3 May 2018 22:22:50 +0100 (BST) Subject: Re: [PATCH 0/3] kexec: limit kexec_load syscall From: Mimi Zohar To: "Eric W. Biederman" , Kees Cook Cc: David Howells , Matthew Garrett , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Date: Thu, 03 May 2018 17:31:15 -0400 In-Reply-To: <87r2mso5up.fsf@xmission.com> References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <87r2mso5up.fsf@xmission.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18050321-0012-0000-0000-000005D1B510 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18050321-0013-0000-0000-0000194EDE66 Message-Id: <1525383075.3539.67.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-03_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805030185 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [Cc'ing Kees and kernel-hardening] On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > In environments that require the kexec kernel image to be signed, prevent > > using the kexec_load syscall. In order for LSMs and IMA to differentiate > > between kexec_load and kexec_file_load syscalls, this patch set adds a > > call to security_kernel_read_file() in kexec_load_check(). > > Having thought about it some more this justification for these changes > does not work. The functionality of kexec_load is already root-only. > So in environments that require the kernel image to be signed just don't > use kexec_load. Possibly even compile kexec_load out to save space > because you will never need it. You don't need a new security hook to > do any of that. Userspace is a very fine mechanism for being the > instrument of policy. True, for those building their own kernel, they can disable the old syscalls.  The concern is not for those building their own kernels, but for those using stock kernels.   By adding an LSM hook here in the kexec_load syscall, as opposed to an IMA specific hook, other LSMs can piggy back on top of it.  Currently, both load_pin and SELinux are gating the kernel module syscalls based on security_kernel_read_file. If there was a similar option for the kernel image, I'm pretty sure other LSMs would use it. From an IMA perspective, there needs to be some method for only allowing signed code to be loaded, executed, etc. - kernel modules, kernel image/initramfs, firmware, policies. > If you don't trust userspace that needs to be spelled out very clearly. > You need to talk about what your threat models are. > > If the only justification is so that that we can't boot windows if > someone hacks into userspace it has my nack because that is another kind > of complete non-sense. The usecase is the ability to gate the kexec_load usage in stock kernels. > > Given that you are not trusting userspace this changeset also probably > needs to have the kernel-hardening list cc'd. Because the only possible > justification I can imagine for something like this is kernel-hardening. Sure, Cc'ing linux-hardening and Kees. Mimi