From: Kees Cook
Date: Tue, 5 Jun 2018 15:26:32 -0700
Subject: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
To: Mimi Zohar
Cc: Paul Moore, linux-integrity, linux-security-module, LKML, David Howells, "Luis R . Rodriguez", Eric Biederman, Kexec Mailing List, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Jeff Vander Stoep, Casey Schaufler, James Morris

On Tue, Jun 5, 2018 at 2:35 PM, Mimi Zohar wrote:
> On Tue, 2018-06-05 at 12:45 -0700, Kees Cook wrote:
>
>> And if you must have a separate enum, please change this to fail
>> closed instead of open (and mark the fall-through):
>>
>>         int rc = -EPERM;
>>
>>         switch (id) {
>>         case LOADING_MODULE:
>>                 rc = loadpin_read_file(NULL, READING_MODULE);
>>                 /* Fall-through */
>>         default:
>>                 break;
>>         }
>
> This will fail the sysfs firmware fallback loading and the kexec_load
> syscall without any message, as you have for init_module. Is that
> what you want?

I'd prefer there be a full mapping of the enums so that everything
gets passed into loadpin_read_file() :) Can the enum be shared or is
that nonsensical?

-Kees

-- 
Kees Cook
Pixel Security
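
The three hook shapes discussed in this thread (fail open, fail closed, full enum mapping), as an added user-space C model that is not code from the patch or from either poster. Only `LOADING_MODULE` and `READING_MODULE` come from the thread; the other enumerators, `model_read_file()` (a stand-in for `loadpin_read_file()`), `enforce` and `reports` are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>

/* LOADING_MODULE and READING_MODULE are named in the thread; the other
 * enumerators are hypothetical stand-ins for the callers it mentions. */
enum load_id { LOADING_MODULE, LOADING_FIRMWARE, LOADING_KEXEC, LOADING_MAX };
enum read_id { READING_MODULE, READING_FIRMWARE, READING_KEXEC, READING_MAX };

static int enforce = 1, reports; /* model's policy switch; calls that reached it */

/* Model of the policy for a load with no file: logged, denied if enforcing. */
static int model_read_file(const void *file, enum read_id id)
{
	reports++;
	return (file == NULL && enforce) ? -EPERM : 0;
}

/* The switch from the thread with its default verdict as a parameter:
 * 0 fails open, -EPERM fails closed. Unlisted ids never reach the policy. */
static int hook_switch(enum load_id id, int rc)
{
	switch (id) {
	case LOADING_MODULE:
		rc = model_read_file(NULL, READING_MODULE);
		break;
	default:
		break;
	}
	return rc;
}

/* Full mapping: every known id is translated and handed to the policy. */
static int hook_full_map(enum load_id id)
{
	static const enum read_id map[LOADING_MAX] = {
		[LOADING_MODULE] = READING_MODULE, [LOADING_FIRMWARE] = READING_FIRMWARE,
		[LOADING_KEXEC] = READING_KEXEC,
	};
	if ((unsigned)id >= LOADING_MAX)
		return -EPERM;	/* unknown id: deny */
	return model_read_file(NULL, map[id]);
}

int main(void)
{
	for (int id = 0; id < LOADING_MAX; id++)
		printf("id=%d open=%d closed=%d mapped=%d\n", id, hook_switch(id, 0),
		       hook_switch(id, -EPERM), hook_full_map(id));
	return 0;
}
```

With `enforce` set to 0 the fail-closed switch still denies the unlisted ids, while the full mapping lets the policy decide and log each one.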