Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3780136imm;
        Tue, 29 May 2018 13:34:49 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKljfYDioCoYSR6bEb4lEWQtG51v/12C+mRtwfYqaL28rMOPQ0mOaSIkodQRUbivU/Paf0g
X-Received: by 2002:a63:b041:: with SMTP id z1-v6mr106114pgo.397.1527626089798;
        Tue, 29 May 2018 13:34:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527626089; cv=none;
        d=google.com; s=arc-20160816;
        b=gaAE6N3Pa+twv67KDNdW58vYWKOAf0ylPDeiaNoRnTLql6BvWV9HHj46cOltsQxXVZ
         JvXZuOn94dz+EZWX8BZnaiGLJCX2M5BhDsN6+GoiZtzHhMyo7qCMywiREiYe3/jjCO4Y
         A8CgFhzNs1Iqieyc6uN5xs65KneTm3JGxxinBAC+lB2JLzms9KRrdne8IG3Y34fHL1dr
         kjMNQXdfWA0WD/dIsOYO/atekeofjgyGCOXQWKUlu8d/BBjTd/sOp+EgZqGGV5f16hIZ
         Y9B1aHKXDM8VMgNMJBWssTEnBeYZx+YeTjZ0Op2fpX9EaxfTT2jhtvfD0bTN70Pp8uuY
         B7MQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date
         :arc-authentication-results;
        bh=CDYK9iAEPMGavBI8dzWQ28kamJGacr7JqphQt0mWq+0=;
        b=0XSIsJ/OxCE4XTyI7YvrfW54NXq1mFPzv3Duij3rt3hnehVdA+uvpFPjN7soHlH1dA
         z0clJvs5/k9kiW0nu2FkDUf9L/b8gXSpLBH7zxQ7YksYM6c40A6u+up/LrrOTdfjJmJ5
         sgY34Wl2TsM4hHpUYAxHL5a3AJ/2X45VRontZ4/Uu5kdm5L6/Dcv3M0ha3bkx6cTV266
         DlnMyQDqmaOvjn6BUHJMjd30oyYK7OnU0UUDGCLa2o/t3/lc4hRAdgOAazmabgNvcD0O
         3rC/HvVa9A1RTAP5tzlYAQGIh1OpyEzvXq1x68e/XkBi1Icat6SnooDVkmCVbkH3I2kE
         XkxA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id bh1-v6si32297465plb.481.2018.05.29.13.34.35;
        Tue, 29 May 2018 13:34:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S966768AbeE2Uco (ORCPT <rfc822;lxz1983@gmail.com> + 99 others);
        Tue, 29 May 2018 16:32:44 -0400
Received: from namei.org ([65.99.196.166]:57578 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S966399AbeE2Ucm (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 May 2018 16:32:42 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id w4TKWGM2003738;
        Tue, 29 May 2018 20:32:16 GMT
Date:   Wed, 30 May 2018 06:32:16 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     "Eric W. Biederman" <ebiederm@xmission.com>
cc:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
        "Luis R . Rodriguez" <mcgrof@kernel.org>,
        kexec@lists.infradead.org, Andres Rodriguez <andresx7@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Kees Cook <keescook@chromium.org>,
        Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v3 1/7] security: rename security_kernel_read_file()
 hook
In-Reply-To: <871sdzy0nv.fsf@xmission.com>
Message-ID: <alpine.LRH.2.21.1805300629220.2647@namei.org>
References: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com> <1527160176-29269-2-git-send-email-zohar@linux.vnet.ibm.com> <87po1k2304.fsf@xmission.com> <alpine.LRH.2.21.1805260139030.11624@namei.org> <871sdzy0nv.fsf@xmission.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 25 May 2018, Eric W. Biederman wrote:

> James Morris <jmorris@namei.org> writes:
> 
> > On Thu, 24 May 2018, Eric W. Biederman wrote:
> >
> >> Below is where I suggest you start on sorting out these security hooks.
> >> - Adding a security_kernel_arg to catch when you want to allow/deny the
> >>   use of an argument to a syscall.  What security_kernel_file_read and
> >>   security_kernel_file_post_read have been abused for.
> >
> > NAK. This abstraction is too semantically weak.
> >
> > LSM hooks need to map to stronger semantics so we can reason about what 
> > the hook and the policy is supposed to be mediating.
> 
> I will take that as an extremely weak nack as all I did was expose the
> existing code and what the code is currently doing.  I don't see how you
> can NAK what is already being merged and used.

It's a strong NAK.

LSM is a logical API, it provides an abstraction layer for security 
policies to mediate kernel security behaviors.

Adding an argument to a syscall is not a security behavior.

Loading a firmware file is.

=
-- 
James Morris
<jmorris@namei.org>