Received: by 10.192.165.148 with SMTP id m20csp104102imm; Thu, 3 May 2018 15:51:43 -0700 (PDT) X-Google-Smtp-Source: AB8JxZofBydQjytouSit6LH1YAAjmUCiW5gzR/pCMuf74OQ8Ie5UGrviZntG6nbB4m8J0qB0hVfE X-Received: by 2002:a63:6185:: with SMTP id v127-v6mr20333620pgb.441.1525387903830; Thu, 03 May 2018 15:51:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525387903; cv=none; d=google.com; s=arc-20160816; b=zGOEQsRA2ljVy329b+PjuPp8NAhdCEHNy15eBiwPLt86Vn82L/ac27tYuZZhiMJZK6 4ZqXoauPf3vTZN5VvWgBsu7uBAgYazahCc11mTJHNk3rZRsq78LF/7w9F/4FqU2MZkIP k4w6zerXiaMjyN8U8oYtgOnq+afX+1RXZHsSWgwse+lLYOZSEmrWEWdvd0DSNlc9UrIB jvjYFrAxLXbS24g8TBYGEtxAnqbsmOTE5CSpMt28tQwN5O1ejIL7HvH3FnSTEvm0osU9 Tkr8HD8Qinqy9Gcr7j+xnpwRcSH7J8d7HMCk1cDgyShGVPamnxS8R4dCbkgGUXI/We2V 3ToQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=m0Beylik7Mrh9zoRGQxhTRvST+5ZO+VuzqmLQzPisPY=; b=MYY42S56ya1LF3+MnRP18g/964zD83VF97kGHoIVU+jeg/ujk5z2NWSrpTrpZhM5Aq HGfc6ovYZbvfmeqwHBamunkvGj+QtqNjOOB9IRh28CRfQNJC3ABeO3NMGCAW9PzuC/Bn A9wIIU4aB5dhhOsbMoh2Gx7bz5rIlN+GH1+GCNRsuNPz5UXpu8mRoerKyZ8WxW6QU+a9 CUdr0sp04b/+LJCRXFZcU6KG4DJYiwD14XvYuFg8jf26ui74K48vpz8DYk2KVAc6up5R pALbVY+rzobQHlDJXrqirWfDmU3/D8oq7rb4HxBSWTEFdrgNQGr8AOXXJoFyjG19Oh+p c7Vg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=SEfTLlBZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h8-v6si14745613pls.502.2018.05.03.15.51.29; Thu, 03 May 2018 15:51:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=SEfTLlBZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751301AbeECWvS (ORCPT + 99 others); Thu, 3 May 2018 18:51:18 -0400 Received: from mail-it0-f68.google.com ([209.85.214.68]:33940 "EHLO mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751116AbeECWvQ (ORCPT ); Thu, 3 May 2018 18:51:16 -0400 Received: by mail-it0-f68.google.com with SMTP id c5-v6so3287358itj.1 for ; Thu, 03 May 2018 15:51:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m0Beylik7Mrh9zoRGQxhTRvST+5ZO+VuzqmLQzPisPY=; b=SEfTLlBZ5xLon+CENfl17NU4GYXU08Kq2VLRxgxcuaYMWzREF55ovjOi31I2nEzzuD tXIF563aj0SnGz6Z8PQEHqXRZXwENt7OtpzaWJC+1HErK40L0vxbIGz96ZBhqBSdrvff XMjFk212NORqJTmKgZp14xAmjD7f0s8L+fC17Gu58ACjZ3Go+NbYEdvV6NcnLjnC3ol8 43pn9RO+akJKBNsmiK+UfS67pgwk6xN6ShHxcfd/1RyUppIjiHUCxD3fahchx63f2DFR 2jCr0qzOaXMx4G3RVGrAIwK0sVEqOpTbP2MEaIMkTGG8D0S2fT57Gy9661EVc4hCav9/ xV5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m0Beylik7Mrh9zoRGQxhTRvST+5ZO+VuzqmLQzPisPY=; b=ohDLicirobk+ETLPZMRoXBI6Z2XjhAeGSa7AD1Xkk4xXAOPrYMJMd+EtYzR6p/+V9r J0oyShbeFoVzJ7l83XgJup/Z4cPuplQFOyf6eFDufJs2ILZxnr+Kv2E+vWFOWEYEaQBL jiDBWFSvnvhIV8/apURjnJW8uo9udow4tZPu6NXOg4bdVCX5Y42ryfVEnLseIadPE4vm dZ3pre2QJiiArr1PzWo9m1M8ATqYaH0lj/jv+0Xoj+e3Q+Tk7DpRsuQt8YD25XVCy2zx fOqI955eIzxfy3HEYSzj7AhPYMBKkHs91tfGlh6Si0YovThhqft9s6ylMxMbEOrwqpFt g2zg== X-Gm-Message-State: ALQs6tAIjpPrme5Jd7zem8mXBqn75r16R/7Q9WLf2cZj21PzX32SzWg6 BxFAbJGxG/iaNjaChcMvfrky9Sx5rJHkSjiiMT0OPw== X-Received: by 2002:a24:4151:: with SMTP id x78-v6mr19671841ita.0.1525387875684; Thu, 03 May 2018 15:51:15 -0700 (PDT) MIME-Version: 1.0 References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <87r2mso5up.fsf@xmission.com> <876044l7tr.fsf@xmission.com> In-Reply-To: <876044l7tr.fsf@xmission.com> From: Matthew Garrett Date: Thu, 03 May 2018 22:51:05 +0000 Message-ID: Subject: Re: [PATCH 0/3] kexec: limit kexec_load syscall To: ebiederm@xmission.com Cc: Mimi Zohar , David Howells , linux-integrity , LSM List , kexec@lists.infradead.org, Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 3, 2018 at 2:59 PM Eric W. Biederman wrote: > Matthew Garrett writes: > > kexec_load gives root arbitrary power to modify the running kernel image, > > including the ability to disable enforcement of module signatures. > No. It does absolutely nothing to the running kernel image. > Combined with reboot(..., LINUX_REBOOT_CMD_KEXE, ...) it does allow > booting something different. It is argubably a little more efficient > than writing to a file to direct the bootloader to boot something > different and then calling reboot. But it is not fundamentally > different. It absolutely does - https://mjg59.dreamwidth.org/28746.html gives an example. The payload just needs to return. > > Given > > that it weakens other security mechanisms that are designed to prevent root > > from disabling them, it makes sense to allow the imposition of an > > equivalent restriction. > Say what. You are saying a lot of words without any specifics. Not a > specific threat mode. Not which security mecahnisms you are worried > about weakening. Not what classes of problems you are trying to defend > against. I have a kernel configured with module.sig_enforce enabled - root is unable to load kernel modules that are unsigned, and since sig_enforce is bool_enable_only, root is unable to flip that back. Any number of security models may be implemented with that assumption. However, root still has access to kexec_load(), and can therefore kexec into a dummy payload that flips that byte back to 0 and permits loading unsigned module code. There may well be other mechanisms that permit root to gain arbitrary ability to modify kernel code. My argument is that we should treat those as bugs, not use their existence as a justification for leaving open known cases.