From: Kees Cook
Date: Mon, 8 Apr 2019 10:25:28 -0700
Subject: Re: [PATCH] apparmor: Restore Y/N in /sys for apparmor's "enabled"
To: John Johansen
Cc: James Morris, David Rheinsberg, "Serge E. Hallyn", linux-security-module, LKML

On Mon, Apr 8, 2019 at 9:58 AM John Johansen wrote:
> > +/* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
> > +static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
> > +{
> > + struct kernel_param kp_local;
> > + bool value;
> > + int error;
> > +
> > + if (apparmor_initialized)
> > + return -EPERM;
> > +
> This isn't sufficient/correct. apparmor_initialized is only set after
> apparmor has gone through and completed initialization. However if
> apparmor is not selected as one of the LSMs to enable, then this check
> won't stop apparmor_enabled from being set post boot.
>
> However with the apparmor_enabled param being 0444 and the
> apparmor_enabled_setup() fn handling boot cmdline do we even need
> the set parameter fn?

Yup, that's true. I've gone and tested this, and yes, the 0444 is
sufficient to protect the logic here (even if root chmods the inode).
So the test here is redundant. However, very early in the threads
about LSM boot cmdline enabling it was made clear that
"apparmor.enabled=..." needed to stay working, which means the "set"
op is still needed. (But I'm happy to do whatever you want here -- I
was just trying to keep the functionality as it was.)

Should I send a v2 without the "initialized" check or is this okay to
leave as-is with the redundant check?

--
Kees Cook
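
Review bot: The `if (apparmor_initialized) return -EPERM;` guard at the top of param_set_aaintbool() does not cover the case raised in the thread where AppArmor is never selected as an enabled LSM, because the flag is only set once initialization has completed, so the comment above the function ("Can only be set before AppArmor is initialized") promises more than the check delivers. Since the thread reports that the 0444 mode on the parameter already blocks post-boot writes by itself, either drop the guard in a v2 or keep it and reword the comment to say that the 0444 mode is what enforces this and the check is only a redundant second layer.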