Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp1513942ybp; Fri, 11 Oct 2019 15:45:33 -0700 (PDT) X-Google-Smtp-Source: APXvYqxuXk3pAL0txrILh3jAak6CmRASW9lFa8URHl54egGK+02OMPK9e21DgmP8g5JVZxaMD9Zw X-Received: by 2002:aa7:db59:: with SMTP id n25mr16342042edt.288.1570833933523; Fri, 11 Oct 2019 15:45:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570833933; cv=none; d=google.com; s=arc-20160816; b=y3179VNK4hY8tOYtmLm29X4VWQY5zNWwNvRDvtgp6znkbt1LI2o4ztCi0RbdvvUL+8 XY5wWizNXiEIbEdkO5doUldUFYpA3zgMWLjtAvuBQJRbZj6h86sXxoP7zqhz2moXD36s sVb5mqQqwfBmejjRF6PYTKTz6Fkwxw7M1NcTbYHF8mv4M3yni/JL6sj1v9rxJA7Y+rZz p0tkda3MuBt4Q0ckKV0bEwx+x3z5NsNoZNroYTGYS/trUnR4bwcMDYbr29lAyWZ2Hsyz bpom4R2aaIWr/bnTAi8kfjdsvTkvOvwLXPTqeSOgJ4D0ntS1SOlU2ojTu12pF0PoWkML UVwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=bf14MYrKwsLX9Axz/D0dxYTQ7mUVcfs0Gwf/9g7xuAs=; b=gL8DwZ7O5bx7Ep4jORdHjlURA1KRTBpyRmwMrj3lzOHLx0rCceJji7SupVSNn1PN+k g4cSHejO/3AT6v4lHswVQ699Ml5EnYD/EVvwqAfjzPONjQrPOBylqLf8grZrGKsWuJHU hhhfXg8n4cc9Kot8vqA/NpnySq+vkWuxYbPiDO5VpOhubPd3GhDVeqSPopqGmUjpAKGI A7f9DWJ3UrfXh/mnRFIvnY3pOQPf082v1LEvCwxNz1NEgzV4iVlOe3TstmyghgpgCfWB pG2Nyvc+JBsb9syWioO09Z7t3OflX2t4twPU9leF+9O9RfkZri0QxTsN5KsORfEIQM09 b4FQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id jx20si6021155ejb.291.2019.10.11.15.45.09; Fri, 11 Oct 2019 15:45:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729267AbfJKW1w (ORCPT + 99 others); Fri, 11 Oct 2019 18:27:52 -0400 Received: from mail.kernel.org ([198.145.29.99]:38322 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726706AbfJKW1w (ORCPT ); Fri, 11 Oct 2019 18:27:52 -0400 Received: from gandalf.local.home (cpe-66-24-58-225.stny.res.rr.com [66.24.58.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6BDA7218AC; Fri, 11 Oct 2019 22:27:50 +0000 (UTC) Date: Fri, 11 Oct 2019 18:27:48 -0400 From: Steven Rostedt To: Florian Weimer Cc: Linus Torvalds , LKML , Matthew Garrett , James Morris James Morris , LSM List , Linux API , Ben Hutchings , Al Viro Subject: Re: [PATCH] tracefs: Do not allocate and free proxy_ops for lockdown Message-ID: <20191011182748.23d6de31@gandalf.local.home> In-Reply-To: <87tv8f9cr7.fsf@mid.deneb.enyo.de> References: <20191011135458.7399da44@gandalf.local.home> <20191011143610.21bcd9c0@gandalf.local.home> <87tv8f9cr7.fsf@mid.deneb.enyo.de> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 11 Oct 2019 23:46:20 +0200 Florian Weimer wrote: > * Steven Rostedt: > > > Once locked down is set, can it ever be undone without rebooting? > > I think this is the original intent with such patches, yes. But then > reality interferes and people add some escape hatch, so that it's > possible again to load arbitrary kernel modules. And for servers, you > can't have a meaningful physical presence check, so you end up with a > lot of complexity for something that offers absolutely zero gains in > security. > > The other practical issue is that general-purpose Linux distributions > cannot prevent kernel downgrades, so even if there's a > cryptographically signed chain from the firmware to the kernel, you > can boot last year's kernel, use a root-to-ring-0 exploit to disable > its particular implementation of lockdown, and then kexec the real > kernel with lockdown disabled. > > I'm sure that kernel lockdown has applications somewhere, but for > general-purpose distributions (who usually want to support third-party > kernel modules), it's an endless source of problems that wouldn't > exist without it. I just decided to keep the two separate. The tracing_disable is permanent (unless you actually do something that writes into kernel memory to change the variable). When set, there's nothing to clear it. Thus, I decided not to couple that with lockdown, and let the lockdown folks do whatever they damn well please ;-) -- Steve