Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp1559333rwi; Wed, 19 Oct 2022 12:12:16 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4hab8oL7U4IyTyjDMIzbv4l+vTy/n9A4WgyuElGLXj8JkOLs7iaDpVGfjyw5CyxOt7+CxC X-Received: by 2002:a17:902:b402:b0:179:e5b0:96d3 with SMTP id x2-20020a170902b40200b00179e5b096d3mr9838052plr.142.1666206735987; Wed, 19 Oct 2022 12:12:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666206735; cv=none; d=google.com; s=arc-20160816; b=pbOQSV2p/UicmDi9SdscsYVOISbR7adFn64pQakvQ77bAOo1Gtpyd5XBMupVrNj2KF tk6nEkjj1PvwHdAZT0grOfaMdtG6MtipmkG6SF3YRj7fptLumHN8Oj3RRx1/3/yeZ+S0 Zj+JXBJDe5TS8Tqdco/Hu09P+LrQlP1ExUlpKZusENlgBnekCEC40e8UQ04RzXiUPCwr 8c98/NUF0aOSnl2HzFyhbFZEa6RKSjAYQjh5MSllASaiD30HpnB16CLtR+hFL9EGhzK7 xCJVgZVpH4GECT6VjRRHlvaWW6raoYEH4uTcgWoMYW3XPuPeKAWNDZNvR1U9TTLeKE1a 5j9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=+PluJNC/fw1ja+vSikAWciLlJudd2H9uq25K8L6bfLo=; b=i45tE9mwyf6XbPVDhLAooTZ5K/R13DIouDF9zlfKfMd8R502q1sQIMVg9Nzf7Wik53 rSLLKGwMBZEKUEV1ZCloHvse3C46rCcFjHKR/XTpZfcpBm65sKbQ5PlurwkpiRwDvPjM nAbhRajtQckEXAUheGVAZ3Cd3sFm4ZBxcjtSoOHiAW5Yispznpqe3sz5HvvtWpXWNKRu IYlOQBF7KP0giCJJ1hDAkU6Pq2df3hnJKlq/aq6rxsIdgGc9fwD5rpveCsm/9Ju4YlZd brnUMLVdn8EXtZIew4Vt9pOGANpdLHBi+WsOKHWZQddqv4XjDJau/iVFBIAjtFy/PLwJ b0UA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="JVbVN/M0"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c13-20020a170902b68d00b0018040bdb798si18117802pls.242.2022.10.19.12.12.04; Wed, 19 Oct 2022 12:12:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="JVbVN/M0"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229932AbiJSSdv (ORCPT + 99 others); Wed, 19 Oct 2022 14:33:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46200 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229736AbiJSSds (ORCPT ); Wed, 19 Oct 2022 14:33:48 -0400 Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 128151D20C5 for ; Wed, 19 Oct 2022 11:33:41 -0700 (PDT) Received: by mail-pl1-x62d.google.com with SMTP id c24so18060445pls.9 for ; Wed, 19 Oct 2022 11:33:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=+PluJNC/fw1ja+vSikAWciLlJudd2H9uq25K8L6bfLo=; b=JVbVN/M0Fs2iSpMzO8pxTylybZgs1ftEadUEBTex5hgbM9JU/8s8n6n2JYgjHxZ3oJ CyZ+U29uY9g2I1wwPJfmTspcn/u/rqgqHXljyZElyrahCuij5ApCn7rfqXasJyESsA0J PiCQvnJswac6hiC6Qyy3/NHr8MO8pFq3aIMIw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=+PluJNC/fw1ja+vSikAWciLlJudd2H9uq25K8L6bfLo=; b=mPkKJKJUjfOzSAh1/Ip/YE7iUEwmTLADw28YJcV6p4pCavwhoZ4tBmFxyKK9HU15rp GHIHDWlkTVfGCRDdfXCFujq0An3HDLwD7d2FB2CJZL+7A0NWMI43bYcMzzIkgV5/tr/g RXrpkbyY/T7A4XJ6eY/3XFHce4bgti7DqbWgBVf30wCvDj8KkpvoUnyfkAhVeRiP1+Td cZRJowunnaRo4i+/KcueyU+qgjkcw2uxjHQn9AQxak5pqo5uPWcV1JsRoGauYp5Ub1cs 0fqf+VwRMVztTAtoSwh33o0yPiBNsQKJSpeSPPUTS9H4wP0GdqpbKTLcDXB41mSwJysB Iqkg== X-Gm-Message-State: ACrzQf31Hd+ybLS4gTFDjzVGPjHrrHKdgrvwUHjeWVW0eg9joMCvQRLb s30s8li8geXOK8dHmHdRlE2nlw== X-Received: by 2002:a17:902:e545:b0:184:2f27:b34 with SMTP id n5-20020a170902e54500b001842f270b34mr9543201plf.15.1666204420516; Wed, 19 Oct 2022 11:33:40 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id k33-20020a635621000000b00460a5c6304dsm1967827pgb.67.2022.10.19.11.33.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Oct 2022 11:33:39 -0700 (PDT) Date: Wed, 19 Oct 2022 11:33:38 -0700 From: Kees Cook To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Cc: Mimi Zohar , Paul Moore , James Morris , "Serge E. Hallyn" , Dmitry Kasatkin , linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, KP Singh , Casey Schaufler , John Johansen , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM Message-ID: <202210191129.BFBF8035@keescook> References: <20221013222702.never.990-kees@kernel.org> <20221013223654.659758-1-keescook@chromium.org> <08a8b202-69b4-e154-28f5-337a898acf61@digikod.net> <202210141050.A8DF7D10@keescook> <0d2b9d34-2eda-8aa6-d596-eb1899645192@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <0d2b9d34-2eda-8aa6-d596-eb1899645192@digikod.net> X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 17, 2022 at 11:26:44AM +0200, Micka?l Sala?n wrote: > > On 14/10/2022 19:59, Kees Cook wrote: > > On Fri, Oct 14, 2022 at 04:40:01PM +0200, Micka?l Sala?n wrote: > > > This is not backward compatible > > > > Why? Nothing will be running LSM hooks until init finishes, at which > > point the integrity inode cache will be allocated. And ima and evm don't > > start up until lateinit. > > > > > , but can easily be fixed thanks to > > > DEFINE_LSM().order > > > > That forces the LSM to be enabled, which may not be desired? > > This is not backward compatible because currently IMA is enabled > independently of the "lsm=" cmdline, which means that for all installed > systems using IMA and also with a custom "lsm=" cmdline, updating the kernel > with this patch will (silently) disable IMA. Using ".order = > LSM_ORDER_FIRST," should keep this behavior. This isn't true. If "integrity" is removed from the lsm= line today, IMA will immediately panic: process_measurement(): integrity_inode_get(): if (!iint_cache) panic("%s: lsm=integrity required.\n", __func__); and before v5.12 (where the panic was added), it would immediately NULL deref. (And it took 3 years to even notice.) -- Kees Cook