Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp766467ybm;
        Wed, 22 May 2019 11:08:07 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwJCldIpeY+pRmueLYFoo3sJpflel3/UwT+WNgQkIR3Z0uW9NeIJ+KXvK3yB3O6IKkpkVRM
X-Received: by 2002:a17:902:e492:: with SMTP id cj18mr33854860plb.341.1558548487207;
        Wed, 22 May 2019 11:08:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558548487; cv=none;
        d=google.com; s=arc-20160816;
        b=lX4++zGtK6li8kb9A6L1IOPl0jrySyF9onIyB5R04WZsnGZ++mMhuAos9o0Q4b35D3
         fWqx/+eYZMZttX9obkXK+JDwdwc+AwBi2lECZWkvvY0WhW5WAj3X5KQOIC/+H1GAGNmP
         E88aoz1IQMZS1dp+VXV8bRCwgihZQbZlCKWYr7AGqMo3psIIfCpuPwISGfp/pjoeLjIo
         6w4GipXa39cI38Etv9U2POuzhph3BT9AadqgUBthaA9QkF42L4A2o5TrKZXakCLdS0FW
         2PvTZWvB7ZCU6V5QLKsO5zpbo7LL932EVuDUrlxAE/DC8arO3c6fZENzav2hvLtJZ3SH
         ZZkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=hmvY/xCiN43y6F/kDISMDGfoREUojwejGvvFj73bVlQ=;
        b=wgMBUccffLk1JyEe/yEucl2qkcvSYrHkTydjabiLpIkTgJ4j4o4OD4TbvpOpm/tEEF
         lzYbXqR5D2K/Gpwc3aFbw7+3b4vThQfrVXo1scWOOuQWa/TA2CS5UXeE0G+jBSmA84cx
         YtMJqiCS750apztwy4wbTqQc1WOLEqCLTdMusQi3zrfMJYHogpZceBvwPLQy/eWwm0pb
         hsGkKi6jMSX2EAxgFZgZakn3UDpcGV5/h8Y5UFCeioLCJn+T/FQEymgD858tTWGech59
         qfK7y+YQhtyl7KhaIVws6Q5q6cVpVNsB0o8TWTD+zISyjDGlTSrGrbFsHVCVZmoB/5Aj
         6SaQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f34si26988922plf.258.2019.05.22.11.07.51;
        Wed, 22 May 2019 11:08:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729547AbfEVSGB (ORCPT <rfc822;radocaj.bane@gmail.com>
        + 99 others); Wed, 22 May 2019 14:06:01 -0400
Received: from namei.org ([65.99.196.166]:33826 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729506AbfEVSGB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 May 2019 14:06:01 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x4MI5u4R019801;
        Wed, 22 May 2019 18:05:56 GMT
Date:   Thu, 23 May 2019 04:05:56 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Andy Lutomirski <luto@kernel.org>
cc:     Matthew Garrett <mjg59@google.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Turn lockdown into an LSM
In-Reply-To: <CALCETrVow8U=xhQdJt8kSMX16Lf0Mstf3+QxY4iz4DHVp=PYWA@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1905230343390.18826@namei.org>
References: <20190521224013.3782-1-matthewgarrett@google.com> <alpine.LRH.2.21.1905221203070.3967@namei.org> <CACdnJuuTR=Ut4giPKC=kdxgY9yPv8+3PZyEzuxvON3Jr_92XnQ@mail.gmail.com> <CALCETrVow8U=xhQdJt8kSMX16Lf0Mstf3+QxY4iz4DHVp=PYWA@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 22 May 2019, Andy Lutomirski wrote:

> And I still think it would be nice to have some credible use case for
> a more fine grained policy than just the tri-state.  Having a lockdown
> policy of "may not violate kernel confidentiality except using
> kprobes" may be convenient, but it's also basically worthless, since
> kernel confidentiality is gone.

This is an important point, but there's also "can't use any lockdown 
features because the admin might need to use kprobes".  I mention a 
use-case below.

I think it's fine (and probably preferred) to keep the default behavior 
tri-state and allow LSMs to implement finer-grained policies.

> All this being said, I do see one big benefit for LSM integration:
> SELinux or another LSM could allow certain privileged tasks to bypass
> lockdown.  

Some environments _need_ a "break glass" option, and a well-defined policy
(e.g. an SELinux domain which can only be entered via serial console, with
2FA or JIT credentials) to selectively un-lock the kernel lockdown in  
production would mean the difference between having a fleet of millions of
nodes 99.999% locked down vs 0%.

> This seems fine, except that there's potential nastiness
> where current->cred isn't actually a valid thing to look at in the
> current context.

Right.

Can we identify any such cases in the current patchset?

One option would be for the LSM to assign a default (untrusted/unknown) 
value for the subject and then apply policy as needed (e.g. allow or deny 
these).

> So I guess my proposal is: use LSM, but make the hook very coarse
> grained: int security_violate_confidentiality(const struct cred *) and
> int security_violate_integrity(const struct cred *).

Perhaps security_kernel_unlock_*



-- 
James Morris
<jmorris@namei.org>