Received: by 2002:a25:5b86:0:0:0:0:0 with SMTP id p128csp799791ybb;
        Thu, 28 Mar 2019 12:25:02 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwVRvY4uwNzQeiw7vHWbnEKjJJha18jt929IPcDOIEvzP0qSkcGAwvlC3HiJS79Qnh1i6I+
X-Received: by 2002:a63:7444:: with SMTP id e4mr23243962pgn.261.1553801102323;
        Thu, 28 Mar 2019 12:25:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553801102; cv=none;
        d=google.com; s=arc-20160816;
        b=P1t630be4hJj2dHj9aP+168BGxm8Ef2S06pQMAnha23XuwI1KxcvLdc9i+JapfJF0J
         tjIZVXMpmaPUQd0Uj1w9uHXNLjS53bmOxaEkfj5hEenFqXWdRk3jAAnunJbY8vszDLxU
         7WVZW97XdcEcWSibcbcBxHpmNGSrrVaa3hhZEcpdwXRSyRY8mYqn3zxJW4IbfBCQpsdm
         ZEFg7/AwSo+Erwefvd0d6jrDKsSKFtftJXxuGxdQBaL29Za9hO6tRX9TjAeL5phFFFWp
         lNOUEnA2r+U9ZO8RqV9D+y8k9xrvvajuUym8Zso6fDZvBcSP/ApuDkDalE3DOedCBd4+
         lkiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=0gNVS/cbeg0YcNsiQe2Jr6MIRPm5F7Nz4qSxf54WRvo=;
        b=qJ1N4Q1gIEdWYrNqImy2jyBSuM3dC6B8Qis9Vplut8meRwwIfKm6bEO5cwdrLjnnBG
         gUHP2YVt9xJeu3hJNnIEfF9ONVU7EN0hBJ/fUYhaD07IDQb8zbqzsRbbVPe09TlDt43C
         pN+pkkxqQx1pK8WixfvWvtMyMFOnshW/76DXuDHgMZ8uQozp/HdOQHN5SS73NXxIK7Ab
         CElDQaSl4NrjCILGcJBVoq9RhhvKk3yV44lH301DMqTRm1f8qMO1XQMx40zz2QejLkQz
         MjW/ywR6BMrRKQVINctXrAzXYcLmov2Ge306blKc7TY1UCCQxEF2BSqLClLBZLJ+mG6r
         8xRw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a4si21147084pgq.471.2019.03.28.12.24.45;
        Thu, 28 Mar 2019 12:25:02 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726416AbfC1TYB (ORCPT <rfc822;sbrunau@gmail.com> + 99 others);
        Thu, 28 Mar 2019 15:24:01 -0400
Received: from namei.org ([65.99.196.166]:59092 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726045AbfC1TYA (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Mar 2019 15:24:00 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x2SJNUR1002465;
        Thu, 28 Mar 2019 19:23:30 GMT
Date:   Fri, 29 Mar 2019 06:23:30 +1100 (AEDT)
From:   James Morris <jmorris@namei.org>
To:     Matthew Garrett <mjg59@google.com>
cc:     Andy Lutomirski <luto@kernel.org>,
        Stephen Hemminger <stephen@networkplumber.org>,
        Linux API <linux-api@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        David Howells <dhowells@redhat.com>,
        Alexei Starovoitov <alexei.starovoitov@gmail.com>,
        Network Development <netdev@vger.kernel.org>,
        Chun-Yi Lee <jlee@suse.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Kees Cook <keescook@chromium.org>,
        Will Drewry <wad@chromium.org>
Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when
 the kernel is locked down
In-Reply-To: <CACdnJusbi1jB+G0wMcj43wNik9Fiv3QCc8v30ztrFWg5-P-0iQ@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1903290621350.1769@namei.org>
References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-24-matthewgarrett@google.com> <20190325164221.5d8687bd@shemminger-XPS-13-9360> <CALCETrU=EqqRwyQGBT0=_N9-E_pBM53=z+WJrd9OzV7g6xJa0A@mail.gmail.com> <alpine.LRH.2.21.1903270523240.5235@namei.org>
 <CALCETrUZ+oP0xxNt4mwN=AZA+zvkkfPZiAsFmAuqUD48pOHbBg@mail.gmail.com> <alpine.LRH.2.21.1903281403540.27561@namei.org> <CACdnJusbi1jB+G0wMcj43wNik9Fiv3QCc8v30ztrFWg5-P-0iQ@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 28 Mar 2019, Matthew Garrett wrote:

> On Wed, Mar 27, 2019 at 8:15 PM James Morris <jmorris@namei.org> wrote:
> > OTOH, this seems like a combination of mechanism and policy. The 3 modes
> > are a help here, but I wonder if they may be too coarse grained still,
> > e.g. if someone wants to allow a specific mechanism according to their own
> > threat model and mitigations.
> 
> In general the interfaces blocked by these patches could also be
> blocked with an LSM, and I'd guess that people with more fine-grained
> requirements would probably take that approach.

So... I have to ask, why not use LSM for this in the first place?

Either with an existing module or perhaps a lockdown LSM?

> 
> > Secure boot gives you some assurance of the static state of the system at
> > boot time, and lockdown is certainly useful (with or without secure boot),
> > but it's not a complete solution to runtime kernel integrity protection by
> > any stretch of the imagination.  I'm concerned about it being perceived as
> > such.
> 
> What do you think the functionality gaps are in terms of ensuring
> kernel integrity (other than kernel flaws that allow the restrictions
> to be bypassed)?

I don't know of any non-flaw gaps.

-- 
James Morris
<jmorris@namei.org>