From: Paul Moore
Date: Wed, 30 May 2018 17:00:04 -0400
Subject: Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R . Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Jeff Vander Stoep, Casey Schaufler

On Tue, May 29, 2018 at 7:14 PM, Mimi Zohar wrote:
> On Tue, 2018-05-29 at 18:39 -0400, Paul Moore wrote:
> [...]
>> > @@ -4043,6 +4037,25 @@ static int selinux_kernel_module_from_file(struct file *file) >> > SYSTEM__MODULE_LOAD, &ad); >> > } >> > >> > +static int selinux_kernel_load_data(enum kernel_load_data_id id) >> > +{ >> > + u32 sid; >> > + int rc = 0; >> > + >> > + switch (id) { >> > + case LOADING_MODULE: >> > + sid = current_sid(); >> > + >> > + /* init_module */ >> > + return avc_has_perm(&selinux_state, sid, sid, SECCLASS_SYSTEM, >> > + SYSTEM__MODULE_LOAD, NULL); >> > + default: >> > + break; >> > + } >> > + >> > + return rc; >> > +} >> >> I'm not a fan of the duplication here. If we must have a new LSM hook >> for this, can we at least have it call >> selinux_kernel_module_from_file() so we have all the kernel module >> loading logic/controls in one function? Yes, I understand there are >> differences between init_module() and finit_module() but I like >> handling them both in one function as we do today. > > There's some disagreement as to whether we really need two LSM hooks. > This sounds like you would prefer a single LSM hook, not the two that > this patch set introduces. > > We need to come to some consensus. (Comments appreciated in 0/8.) My comments were intentionally made on the SELinux specific code and not the LSM generic code/hooks. As the LSM hook code must not make any assumptions about the underlying LSM implementations, it may make sense to have two different hooks. However as far as the SELinux code is concerned I would rather keep the access controls in one function as mentioned above. From a purely selfish SELinux perspective I would prefer a single hook, but if others feel two hooks are better, that's fine with me too. >> > static int selinux_kernel_read_file(struct file *file, >> > enum kernel_read_file_id id) >> > { 
>> > @@ -6950,6 +6963,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { >> > LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), >> > LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), >> > LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), >> > + LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), >> > LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), >> > LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), >> > LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), >> > -- >> > 2.7.5 -- paul moore www.paul-moore.com
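
Review bot: in selinux_kernel_load_data() in the first quoted hunk, `rc` is initialized to 0 and never assigned again, so the local is unnecessary; the function can end in a plain `return 0;` after the switch. The `default: break;` arm also silently permits every kernel_load_data_id other than LOADING_MODULE, and a one-line comment stating that this is intentional would make the policy decision visible to the next reader. Finally, the avc_has_perm() call here passes NULL for the audit data while the context line from selinux_kernel_module_from_file() passes `&ad`, so a denial on the init_module path is logged with less detail; if that is deliberate because no file is available, the existing `/* init_module */` comment could say so.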