Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4565871img; Tue, 26 Mar 2019 11:58:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqw6qKLgeyZOrwiveeQkGrZeu8fsR/g1HeyIBkWuzjmb8KyNk20GgHET1T1k3v0gB2h4xcxw X-Received: by 2002:a65:5049:: with SMTP id k9mr17471883pgo.229.1553626708211; Tue, 26 Mar 2019 11:58:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553626708; cv=none; d=google.com; s=arc-20160816; b=aoOU9cvOtelnh5ekfMUGY948jBkb2R7fb9zFPX91+N7JVTNczyFn8kFhl0LtiVi9M2 iaFPia9mZeSB7PRIj2VhpECfcuWzEYbENr64hxvH2tl66dsG5qVJdAIGhH4cGt41bh/d RfCktekNfDxlT/cWcNnnBpYYc8zZ9oqGCjD/TbHBsYyXbeT6r4MabSPyZWNh1cFzeQbB LZKluQbi7mfa6CJiAgA20qA3vvnLalz/GgK5cNCyunAM9Rw6IBIbyJL7//YFj7NiFehm We0qT+M7/eHef9XLwxFp45gie/wbh7oByhq57T+1FVEpedGljxi+uu8fTxOleNxBn2X3 AF2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=CAQ2Mn9O2kJDiMY8wyOroDAaQC/lRsQUJb+JRZyF1BI=; b=g3dQe3/t/5IUZ+vgRQhpgtpdCnxeyBEVde6eSqHemW/enJ+kKTxHHZ6Bw7jv0jYw72 BS+dgr8wP769dqt81Dd5o5rdMmodYJsJa6zEzXGvxpjolH1T6Tes44KFHVl7nk5YYsiW Dc1tLjaxxlbt1eSaMjOs0Y8xFkCAY2p7J4HwODb+me66i0qPsYJtKJ1O0UljUEDy5Eq0 YPHhVw7U1S6wEtKD0VicWMHW7pP6C4bPuq7C3Vkuf6uyqeGz7x/pdJP6KJ80ynmSd/U+ kuGqo0FPV98/NMrxe94ntItCIlUi8NNLUuuLOSdhCglSYB9IYG61ubBcJzON3Wi4lBPe sW9A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cm8si18060170plb.47.2019.03.26.11.58.12; Tue, 26 Mar 2019 11:58:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732513AbfCZS5g (ORCPT + 99 others); Tue, 26 Mar 2019 14:57:36 -0400 Received: from namei.org ([65.99.196.166]:58702 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726175AbfCZS5f (ORCPT ); Tue, 26 Mar 2019 14:57:35 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x2QIv7YY007246; Tue, 26 Mar 2019 18:57:07 GMT Date: Wed, 27 Mar 2019 05:57:07 +1100 (AEDT) From: James Morris To: Andy Lutomirski cc: Stephen Hemminger , Linux API , Matthew Garrett , LSM List , LKML , David Howells , Alexei Starovoitov , Network Development , Chun-Yi Lee , Daniel Borkmann , Kees Cook , Will Drewry Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down In-Reply-To: Message-ID: References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-24-matthewgarrett@google.com> <20190325164221.5d8687bd@shemminger-XPS-13-9360> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 25 Mar 2019, Andy Lutomirski wrote: > A while back, I suggested an approach to actually make this stuff > mergeable: submit a patch series that adds lockdown mode, enables it > by command line option (and maybe sysctl) *only* and has either no > effect or only a token effect. Then we can add actual features to > lockdown mode one at a time and review them separately. This makes sense to me. > > And I'm going to complain loudly unless two things change about this > whole thing: > > 1. Lockdown mode becomes three states, not a boolean. The states are: > no lockdown, best-effort-to-protect-kernel-integrity, and > best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF > mess illustrates why: most users will really strongly object to > turning off BPF when they actually just want to protect kernel > integrity. And as far as I know, things like Secure Boot policy will > mostly care about integrity, not secrecy, and tracing and such should > work on a normal locked-down kernel. So I think we need this knob. Another approach would be to make this entirely policy based: - Assign an ID to each lockdown point - Implement a policy mechanism where each ID is mapped to 0 or 1 - Allow this policy to be specified statically or dynamically So, kernel_is_locked_down("ioperm") becomes kernel_is_locked_down(LOCKDOWN_IOPERM) and this function checks e.g. if (lockdown_polcy[id]) { fail or warn; } Thoughts? > 2. All the proponents of this series, and the documentation, needs to > document that it's best effort. There will always be security bugs, > and there will always be things we miss. Right. Maintaining this feature will be an ongoing effort, and if its not actively maintained, it will bitrot and become useless. -- James Morris