References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-24-matthewgarrett@google.com> <20190325164221.5d8687bd@shemminger-XPS-13-9360>
From: Matthew Garrett
Date: Thu, 28 Mar 2019 13:08:39 -0700
Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
To: James Morris
Cc: Andy Lutomirski, Stephen Hemminger, Linux API, LSM List, LKML, David Howells, Alexei Starovoitov, Network Development, Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 28, 2019 at 12:23 PM James Morris wrote:
>
> On Thu, 28 Mar 2019, Matthew Garrett wrote:
>
> > On Wed, Mar 27, 2019 at 8:15 PM James Morris wrote:
> > > OTOH, this seems like a combination of mechanism and policy. The 3 modes
> > > are a help here, but I wonder if they may be too coarse grained still,
> > > e.g. if someone wants to allow a specific mechanism according to their own
> > > threat model and mitigations.
> >
> > In general the interfaces blocked by these patches could also be
> > blocked with an LSM, and I'd guess that people with more fine-grained
> > requirements would probably take that approach.
>
> So... I have to ask, why not use LSM for this in the first place?
>
> Either with an existing module or perhaps a lockdown LSM?

Some of it isn't really achievable that way - for instance, enforcing
module or kexec signatures. We have other mechanisms that can be used
to enable that which could be done at the more fine-grained level, but
a design goal was to make it possible to automatically enable a full
set of integrity protections under specified circumstances.