From: Matthew Garrett
Date: Mon, 29 Apr 2019 15:56:44 -0700
Subject: Re: [PATCH V32 01/27] Add the ability to lock down access to the running kernel image
To: James Morris
Cc: LSM List, Linux Kernel Mailing List, David Howells, Linux API, Andy Lutomirski
References: <20190404003249.14356-1-matthewgarrett@google.com> <20190404003249.14356-2-matthewgarrett@google.com>
In-Reply-To: <20190404003249.14356-2-matthewgarrett@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi James,

What's the best way forward with this? I'm still not entirely clear on how it can be implemented purely as an LSM, but if you have ideas on what sort of implementation you'd prefer I'm happy to work on that.