Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4888809imm;
        Wed, 30 May 2018 14:11:14 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKI1xcN7jmkpmF+6nEOvDNrpW32kNiQ9cY0itwp+z/yO7pLwnb/3YZrKa84Fp6UrQspnJbNi
X-Received: by 2002:a65:49cb:: with SMTP id t11-v6mr3345880pgs.218.1527714674749;
        Wed, 30 May 2018 14:11:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527714674; cv=none;
        d=google.com; s=arc-20160816;
        b=Jd832z8HctDBQt7a9KcFJYyw8758uQ0qp1SczyaUgpMjoAwd78FNb8j9BodKXcJoie
         r3Tk9Jk0es186y6QDCNqreSPuJV7SKCbT1105kn6E1Exg5JCmyuYgXk6Za80XHgP9YrV
         zJSHsOWcp6QB8rI7eaGBml7g50qE8HKYFii4J1RZrUj+9grS5d2Jm+z07WyqQas7sBfo
         kvFUgYYZj15yfX6dMD310BdcDeVidgbOrSst7WHYjekYB3pKCZyjCeS2Ah4NWXgXFxam
         nhoKCOs7IswMif1ccBNEtlxkcvxtp/PjVvcNhe3ynetuE2BzZrHoyde6xggd/eBnhIkM
         iVLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=LvuA9SIY3I3DnxJbNQQpd6WQRL7f/tYtZ0UnVUH4Rbs=;
        b=FtSht5DzBWtrwn3We9qJ9jlPAswwdTApAyOmCEOJH7uyxpJuM8IvPlEklx+dRSlNgo
         UT7OSwG8m4+wDXBL/hTtV6gNwA9KAVv80dAP+sLvHXedYTO5XKc2tiGJgj2uidz/CMoL
         HIVu0bYDC4Ix8RgsztuKWwxYYebe5HeISyFkN7xNb7FCcVGad+ujAZ+TNtxR0YtMjJQM
         xPBYC5YM+Ojkzo1xudlAddWtXydsdVh4XepJEtDXv1G9QBsTclRBs0KVpufEWEuDyCcj
         z45njeClffbyM4j6n0ihTaRC9if3KlW1huLMS4TDzMWn4k9DsXW8cPZXW42pdzLKd4XW
         EgPw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=T8YE+Tp1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w10-v6si8248196ply.482.2018.05.30.14.11.01;
        Wed, 30 May 2018 14:11:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=T8YE+Tp1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753659AbeE3VJI (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Wed, 30 May 2018 17:09:08 -0400
Received: from mail-lf0-f66.google.com ([209.85.215.66]:33102 "EHLO
        mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753307AbeE3VJC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 May 2018 17:09:02 -0400
Received: by mail-lf0-f66.google.com with SMTP id y20-v6so6450631lfy.0
        for <linux-kernel@vger.kernel.org>; Wed, 30 May 2018 14:09:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=LvuA9SIY3I3DnxJbNQQpd6WQRL7f/tYtZ0UnVUH4Rbs=;
        b=T8YE+Tp1XLV51ut+7LRFXNahBkMffYzGPcROdSSqzSWA/x3CQTnJ9YrB0eN3Uvvq7m
         4uiCZjBAjmmH3xpJL6frFSPlN8P67kzGT+ktfF/YztfMX5u1vfU3M/Mbqk9xr/tY2Cnx
         n2SUlPB0xc/53wnen86/Ug3Y0z3hc3I6E2V/GGK5avWNli2pPLDB07d9AW6VngTiwteV
         W5YOrYsPhDx8MElHpgPdCKZAgb7s5B8W2pyuCrdOcQY0UkII1M50s7qcBYRzrkAXOzEI
         0CVMc97eh9AUPDS2P2FfpTNO1YdRxHF4qDa5Xnl0R4YpJnVFgsmExuFGHbndKRT+gTzo
         822Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=LvuA9SIY3I3DnxJbNQQpd6WQRL7f/tYtZ0UnVUH4Rbs=;
        b=jHV6eZbA1A7rZMi6fo6LSbUmb7eKk//7JN6w/s5EkewRST+IsbFp6gQdjuoj6F5ovJ
         GgDbb44YEFcKkbqDxDafAC3EZnXQjTRGojMyoR/JCkpF+41Wj8CBFLP6KnQql1M/s1Qn
         ynt/yCQ95gcrOCSne9zBelJtVDEINOxTFhZRyhjpyfihRkNROEdZP75c3nUrhNG+8YDW
         NM06YbgrMdGgxBIzcvzpibuTzuV7RL9laO4PnxUhWggbHWsinqJIWwMW0Go226lpCby3
         vfe04dSzQX2dLfmTD9B1Vhz+2MuicWdxP0+37aUb1aGG80Dm224Kuca82PZKd7I/RCh8
         zFVg==
X-Gm-Message-State: ALKqPwdf99UYJE6PSA1B3TXvM7MUtyuq+duXka772PCfIWQRKdJFA+mC
        vNfjSd+YKKndblb5mu1067uW2j5qbyEPGvQXj+wN
X-Received: by 2002:a2e:29cf:: with SMTP id p76-v6mr3402958ljp.12.1527714540949;
 Wed, 30 May 2018 14:09:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:a911:0:0:0:0:0 with HTTP; Wed, 30 May 2018 14:09:00
 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <8736y9lw08.fsf@xmission.com>
References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com>
 <1527616920-5415-9-git-send-email-zohar@linux.vnet.ibm.com>
 <CAHC9VhQL+CsqKL83fSZhjEZVSjKKfmLULvehXZ8SZhtK5xzLMQ@mail.gmail.com> <8736y9lw08.fsf@xmission.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 30 May 2018 17:09:00 -0400
Message-ID: <CAHC9VhTL=jT+agnm5M5p7rRETSL4V+eu+fZ=7iooLdmRvoJcsA@mail.gmail.com>
Subject: Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
        "Luis R . Rodriguez" <mcgrof@kernel.org>,
        kexec@lists.infradead.org, Andres Rodriguez <andresx7@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Jeff Vander Stoep <jeffv@google.com>,
        Casey Schaufler <casey@schaufler-ca.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 29, 2018 at 10:25 PM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
>> On Tue, May 29, 2018 at 2:02 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>> Both the init_module and finit_module syscalls call either directly
>>> or indirectly the security_kernel_read_file LSM hook.  This patch
>>> replaces the direct call in init_module with a call to the new
>>> security_kernel_load_data hook and makes the corresponding changes in
>>> SELinux and IMA.
>>>
>>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>>> Cc: Jeff Vander Stoep <jeffv@google.com>
>>> Cc: Paul Moore <paul@paul-moore.com>
>>> Cc: Casey Schaufler <casey@schaufler-ca.com>
>>> ---
>>>  kernel/module.c                   |  2 +-
>>>  security/integrity/ima/ima_main.c | 24 ++++++++++--------------
>>>  security/selinux/hooks.c          | 26 ++++++++++++++++++++------
>>>  3 files changed, 31 insertions(+), 21 deletions(-)

...

>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 02ebd1585eaf..e02186470fc5 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -4018,12 +4018,6 @@ static int selinux_kernel_module_from_file(struct file *file)
>>>         u32 sid = current_sid();
>>>         int rc;
>>>
>>> -       /* init_module */
>>> -       if (file == NULL)
>>> -               return avc_has_perm(&selinux_state,
>>> -                                   sid, sid, SECCLASS_SYSTEM,
>>> -                                       SYSTEM__MODULE_LOAD, NULL);
>>> -
>>>         /* finit_module */
>>>
>>>         ad.type = LSM_AUDIT_DATA_FILE;
>>> @@ -4043,6 +4037,25 @@ static int selinux_kernel_module_from_file(struct file *file)
>>>                                 SYSTEM__MODULE_LOAD, &ad);
>>>  }
>>>
>>> +static int selinux_kernel_load_data(enum kernel_load_data_id id)
>>> +{
>>> +       u32 sid;
>>> +       int rc = 0;
>>> +
>>> +       switch (id) {
>>> +       case LOADING_MODULE:
>>> +               sid = current_sid();
>>> +
>>> +               /* init_module */
>>> +               return avc_has_perm(&selinux_state, sid, sid, SECCLASS_SYSTEM,
>>> +                                   SYSTEM__MODULE_LOAD, NULL);
>>> +       default:
>>> +               break;
>>> +       }
>>> +
>>> +       return rc;
>>> +}
>>
>> I'm not a fan of the duplication here.
>
> There are a couple of fundamental and strong differences here.
>
> selinux_kernel_load_data only has the current_sid to work with.
>
> selinux_module_data_from_file is all about the logic of how
> to get fsec or isec from the file and from the inode.
>
> For selinux and for every other lsm that uses the hooks that difference
> of whether or not you have a file leads to different logic and different
> code.  There is no meaningful sharing between the two cases.
>
> In selinux all of the meaningful sharing happens with calls to
> avc_has_perm(... SYSTEM__MODULE_LOAD, ...);
>
> So as far as I can see talking about duplication is unfounded there is
> none.

The duplication is the system:module_load access check (look at the
avc_has_perm() calls in selinux_kernel_module_from_file().  I believe
there is a readability/maintainability advantage to keeping them in
one function, and I would like it to stay that way.  If these
particular LSM hook(s) ever became performance critical (e.g. many
invocations a second) then I could see the value in separating them
out to eliminating some conditionals/branching, but as far as I can
tell that is not a problem at present.

I'm guessing your concern is more about the LSM hooks themselves and
not the individual implementations, in which case please see my last
response to Mimi.  I'm not opposed to two separate LSM hooks, I just
want to avoid moving the system:module_load checks out of
selinux_kernel_module_from_file(); which is independent of the number
of LSM hooks.

-- 
paul moore
www.paul-moore.com