Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp7776591yba; Thu, 2 May 2019 16:21:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqw2e80ine9781MznFHGUg+iRr1mz8Har7aGzkXUvNXfaDNRBatteGp6yDesH33U51+t+eKR X-Received: by 2002:a63:8242:: with SMTP id w63mr6691799pgd.169.1556839288423; Thu, 02 May 2019 16:21:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556839288; cv=none; d=google.com; s=arc-20160816; b=Qfj+1jda8E1c233zTicB56PUgTU2HeIVpqL94p/nxiyXLGiJGaTJ+pq5cycwyw9GAK hmv1/RhBs+coSJE65/ctVCh9Ad+Zx+qensXIhj9et65S3KIH8Hbw67nmlRJbKlQVrujY Ms+LNYGzj3d69fTmizeP8euRXJ6DcseA1pvkj+Gl4ckUdac5vrAY2bBKn8jooPlRyEBm cj2CeEQBw/F6WHPD6CkfahiMj0fwNl1vz5s2tdcZbLZr21ElcOAFppEc2eGflWHLYhIe 3SHr6geMqgN1zihd5ANhsNDdsyFL3FKv9oZwCvbmHjnrGRuhvSZeHn0IpS7RsPtrwK6C AESg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=Z8RxUHj9YR/uwlZJFl2jfZQQmSwB9q1sipyydcPpoKM=; b=SUjmoG/aT1SCKetGAqrFw1gueTDGvFGjh6XdssQ2JACpaojqxF+4XKE+TWSzuK0QCg NI8UzD4HiXzdLOsA1CDBHmL5OAM421uko7iSIU7RCQIh+QvQXHpK7jJMFWH7/KfpZhNg vPp3jDWDvB+z9mro8JmuAcI8ef34JLXPJ+Oc+RZv/NROCGwsLl/YvR2zobOaM9HXw1uu estn2YNDSMq6nrcn/he4/bniSDqW0PttNR9FAoJMCggHKS1HZ4hTehmd8zURa5D4fL5R 1MQ4+h6okcOvS8CxebeQAryeAGVhTPpe0PbjGpvSNA7X+c0qWhiJAE+Z4Gl6wyz5iE82 eJ/g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j12si416098pgp.118.2019.05.02.16.21.12; Thu, 02 May 2019 16:21:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726373AbfEBXT4 (ORCPT + 99 others); Thu, 2 May 2019 19:19:56 -0400 Received: from namei.org ([65.99.196.166]:37112 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726022AbfEBXT4 (ORCPT ); Thu, 2 May 2019 19:19:56 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x42NJnjw008283; Thu, 2 May 2019 23:19:49 GMT Date: Fri, 3 May 2019 09:19:49 +1000 (AEST) From: James Morris To: Matthew Garrett cc: LSM List , Linux Kernel Mailing List , David Howells , Linux API , Andy Lutomirski Subject: Re: [PATCH V32 01/27] Add the ability to lock down access to the running kernel image In-Reply-To: Message-ID: References: <20190404003249.14356-1-matthewgarrett@google.com> <20190404003249.14356-2-matthewgarrett@google.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2 May 2019, Matthew Garrett wrote: > On Thu, May 2, 2019 at 2:07 PM James Morris wrote: > > One possible direction is to (as previously mentioned) assign IDs to each > > callsite and be able to check this ID against a simple policy array > > (allow/deny). The default policy choices could be reduced to 'all' or > > 'none' during kconfig, and allow a custom policy to be loaded later if > > desired. > > Ok. My primary concern around this is that it's very difficult to use > correctly in anything other than the "all" or "none" modes. If a new > kernel feature is added with integrated lockdown support, if an admin > is simply setting the flags of things they wish to block then this > will be left enabled - and may violate the admin's expectations around > integrity. On the other hand, if an admin is simply setting the flags > of things they wish to permit, then adding lockdown support to an > existing kernel feature may result in that feature suddenly being > disabled, which may also violate the admin's expectations around the > flags providing a stable set of behaviour. Understood. Most uses will likely be either a distro or an embedded system, who I'm assuming would provide a useful policy by default, and perhaps a high-level abstraction for modification. > Given that, would you prefer such a policy expression to look like? Perhaps a write-once policy, injected from userspace during early boot? The policy could be simply a list of: lockdown_feature true|false > > > Within the policy check hook, we could add a new LSM hook, which would > > allow an LSM to restrictively override the lockdown policy with its own > > Ok, that makes sense. If we take this approach, does there need to be > a separate policy mechanism at all? Users who want fine-grained > control would be able to set the behaviour to "None" and then use > their choice of LSM to express more fine-grained control. Right, and there could be a stackable LSM which just does fine-grained policy (per above). > > > This doesn't really address the completeness / maintenance issue (i.e. "do > > we have everything covered and how do we ensure this on an ongoing > > basis?", and "what will this new lockdown feature break?"), although it > > should make it easier to add new lockdown callsites as they don't have to > > be enabled by the user. > > I can start on this. Cool! -- James Morris