Received: by 10.192.165.148 with SMTP id m20csp48356imm; Thu, 3 May 2018 14:37:24 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrEmVFbw7qOzzT3OYARSlWgVGKDt4MTDAp+XBXhRfl9vEP1M+YxNbpuZCFbWduxJqxD7p67 X-Received: by 10.98.157.90 with SMTP id i87mr24747476pfd.190.1525383444521; Thu, 03 May 2018 14:37:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525383444; cv=none; d=google.com; s=arc-20160816; b=cIQ89zQBs7WX9T8B8/jkkQDWOh+V8lm7rbW58AwHPi9tnRSPDenYDhLWHDm6UMKGDf zqCLc0j9vbFCvyckq1J1qFKDwEihxbmzvl3z/RSr4j1x9B8okrhmtxQaiRFzFXimkYHU 3Fuq9P8O/uQ6hly9uvh8gPQfVKJHEPFL0vqmEegVOblja7ht8kBkiiF8YbpFNop3Wgsz S2c01m2Gs+rZSmGa1VXQi7Joz+FOy1RkmeHSU+J4MlDzDoAfmxcGnzoBo/tZE+kvBQU7 NNquBeZrfDDC7RlHZiL+3bJlPeevAzvJOOtkBw8tB1QoalHJaZw31cGAzvIp9145M6RL alhg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :mime-version:user-agent:message-id:in-reply-to:date:references:cc :to:from:arc-authentication-results; bh=kp7tmS66WN8jibl+pSY/gBc+c9v4rHaSVRurG3cVdVU=; b=oCVHbk2JvFGQdxHUmHWbLwZwdVoGSPlE/3mTnZIWv7CnDW5317XDnS9R02yw9pGJV1 /sa+TRHrGw9p+F6o6SEERtLtEG2yTl0K0Bfx+MEoJyyihrdynxciKMAvQ4gqJQuMOFhs UysyfFHTLyRPLG/ON2Ldkaa5yw3KzkQQtUACeTjrrA7iTT37L2Sy0BEdnAtR5OyApnCL PDY3dWxbI2HJ9JUHCyYzEd3b9ZGTXzwCL1FjPdcN98BG+ZmChrBLTvixviYLx+dEGE8z DanDyjl1H4wIxHHUo/BDXx6iTyKtNEA+tUnJMYiXxmBMN1Sq5CjlYfIQpcPNVTjg2I0h qHBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f123si14138822pfa.364.2018.05.03.14.37.10; Thu, 03 May 2018 14:37:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751344AbeECVgz convert rfc822-to-8bit (ORCPT + 99 others); Thu, 3 May 2018 17:36:55 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:47868 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751074AbeECVgv (ORCPT ); Thu, 3 May 2018 17:36:51 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1fELuC-0002P7-L4; Thu, 03 May 2018 15:36:49 -0600 Received: from [97.119.174.25] (helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1fELuB-0008I7-TV; Thu, 03 May 2018 15:36:48 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Mimi Zohar Cc: Casey Schaufler , David Howells , Matthew Garrett , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <1523572911-16363-3-git-send-email-zohar@linux.vnet.ibm.com> <87h8nqglpx.fsf@xmission.com> <1525275904.5669.308.camel@linux.vnet.ibm.com> <87h8nospo5.fsf@xmission.com> <6203b1e4-70c3-6d0e-60e0-56c6e8f72ec9@schaufler-ca.com> <87y3h0pu72.fsf@xmission.com> <1525381619.3539.45.camel@linux.vnet.ibm.com> Date: Thu, 03 May 2018 16:36:40 -0500 In-Reply-To: <1525381619.3539.45.camel@linux.vnet.ibm.com> (Mimi Zohar's message of "Thu, 03 May 2018 17:06:59 -0400") Message-ID: <87lgd0o1zr.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-XM-SPF: eid=1fELuB-0008I7-TV;;;mid=<87lgd0o1zr.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=97.119.174.25;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19CCsA61K5b02R6zf4APxrEyy4Aqhm93tA= X-SA-Exim-Connect-IP: 97.119.174.25 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa06.xmission.com X-Spam-Level: ** X-Spam-Status: No, score=2.4 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,T_XMDrugObfuBody_08, XMNoVowels,XMSolicitRefs_0 autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] * 1.0 T_XMDrugObfuBody_08 obfuscated drug references * 0.1 XMSolicitRefs_0 Weightloss drug * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Mimi Zohar X-Spam-Relay-Country: X-Spam-Timing: total 303 ms - load_scoreonly_sql: 0.03 (0.0%), signal_user_changed: 3.7 (1.2%), b_tie_ro: 3.0 (1.0%), parse: 0.82 (0.3%), extract_message_metadata: 11 (3.7%), get_uri_detail_list: 2.2 (0.7%), tests_pri_-1000: 4.8 (1.6%), tests_pri_-950: 1.17 (0.4%), tests_pri_-900: 0.97 (0.3%), tests_pri_-400: 36 (11.9%), check_bayes: 35 (11.5%), b_tokenize: 15 (4.8%), b_tok_get_all: 9 (2.9%), b_comp_prob: 4.1 (1.4%), b_tok_touch_all: 4.9 (1.6%), b_finish: 0.66 (0.2%), tests_pri_0: 238 (78.4%), check_dkim_signature: 0.65 (0.2%), check_dkim_adsp: 2.8 (0.9%), tests_pri_500: 4.1 (1.3%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Mimi Zohar writes: > On Thu, 2018-05-03 at 11:42 -0500, Eric W. Biederman wrote: >> Casey Schaufler writes: >> >> > On 5/3/2018 8:51 AM, Eric W. Biederman wrote: >> >> Mimi Zohar writes: >> >> >> >>> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: >> >>>> Mimi Zohar writes: >> >>>> >> >>>>> Allow LSMs and IMA to differentiate between the kexec_load and >> >>>>> kexec_file_load syscalls by adding an "unnecessary" call to >> >>>>> security_kernel_read_file() in kexec_load. This would be similar to the >> >>>>> existing init_module syscall calling security_kernel_read_file(). >> >>>> Given the reasonable desire to load a policy that ensures everything >> >>>> has a signature I don't have fundamental objections. >> >>>> >> >>>> security_kernel_read_file as a hook seems an odd choice. At the very >> >>>> least it has a bad name because there is no file reading going on here. >> >>>> >> >>>> I am concerned that I don't see CONFIG_KEXEC_VERIFY_SIG being tested >> >>>> anywhere. Which means I could have a kernel compiled without that and I >> >>>> would be allowed to use kexec_file_load without signature checking. >> >>>> While kexec_load would be denied. >> >>>> >> >>>> Am I missing something here? >> >>> The kexec_file_load() calls kernel_read_file_from_fd(), which in turn >> >>> calls security_kernel_read_file().  So kexec_file_load and kexec_load >> >>> syscall would be using the same method for enforcing signature >> >>> verification. >> >> Having looked at your patches and the kernel a little more I think >> >> this should be a separate security hook that does not take a file >> >> parameter. >> >> >> >> Right now every other security module assumes !file is init_module. >> >> So I think this change has the potential to confuse other security >> >> modules, with the result of unintended policy being applied. >> >> >> >> So just for good security module hygeine I think this needs a dedicated >> >> kexec_load security hook. >> > >> > I would rather see the existing modules updated than a new >> > hook added. Too many hooks spoil the broth. Two hooks with >> > trivial differences just add to the clutter and make it harder >> > for non-lsm developers to figure out what to use in their >> > code. >> >> These are not non-trivial differences. There is absolutely nothing >> file related about kexec_load. Nor for init_module for that matter. >> >> If something is called security_kernel_read_file I think it is wholly >> appropriate for code that processes such a hook to assume file is >> non-NULL. >> >> When you have to dance a jig (which is what I see the security modules >> doing) to figure out who is calling a lsm hook for what purpose I think >> it is a maintenance problem waiting to happen and that the hook is badly >> designed. >> >> At this point I don't care what the lsm's do with the hooks but the >> hooks need to make sense for people outside of the lsm's and something >> about reading a file in a syscall that doesn't read files is complete >> and utter nonsense. > > Sure, we can define a wrapper around the security_kernel_read_file() > hook, calling it security_non-fd_syscall() or even > security_old_syscall(). I really don't see why you want to use the same hook. I just read through the code of all three users. None of them. Especially IMA shares any significant code between the !file case and the file case. Eric