Received: by 10.223.164.202 with SMTP id h10csp395719wrb;
        Thu, 30 Nov 2017 00:51:49 -0800 (PST)
X-Google-Smtp-Source: AGs4zMb2WMDTs0GdWfMXT9EqnvfMNx5JTldpD0kkx6YEh2p5Wa4ET+jFfCeoNty7FgqBdrinFdGY
X-Received: by 10.84.194.226 with SMTP id h89mr1838098pld.248.1512031909552;
        Thu, 30 Nov 2017 00:51:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1512031909; cv=none;
        d=google.com; s=arc-20160816;
        b=nUSxR4SQWhVD3wTptLfI8nLB7suYJBZi+Vm0S79yUwyWlcKkashjJ6aixGVlNAl0YS
         p7jnlQeugwq3YRis8uNvLl1xfBeqn7fjemH+NWHqZOznu7uffymR7BVywlw3Kit2ZZDC
         ZeXyF1kZ03i4v3XHuRA8FC/605rwdjorLOU2FVJX7xPmLgkJ7nTie3m67YBtYM5/VSX1
         CP7cwxqqc/8h83Vwa+tUQk0pN2HSsNbsCEgGn9TOZj2/BJ8ByfuqpKyTkxHeKKKD4dlJ
         Mi+2GjBVgk9kG+Yj6iTwv3Ykp/SlgyJUhi4scDwteM1FJPZFIA/sNiU62q7uUnFb68Jz
         6+Pg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=6EJGCHAVemOq2mdfwK+2mBbYvEZMFhsbsTnV0TMs6zM=;
        b=IYE+lWbtb3EMlTti/1AAf4cJq5z+hCnm3J3qPiapvioebZxiOyhqxJD1KxqVTxPDyC
         2tjhpujKM42kpOQzKRojIFGeopgWNJD8Bw7zaZQp2WPmMv3zdmKIrnriuWvmK8obMGS2
         MoM3EiUXUQ7tgecEkgMa7G0i6kewP8OkZbx7hOXa1B+L61s4+CU+F+vRsWoesdtpfsoa
         y3UxZfZH08SDuOkOwaY/Og1QaHNd6OC5Mh0bDdHxhAVNfO9G2pnTbCGEoWmJ+d1XhNZH
         bg+YrOqDJvMFkF7v1LDY+8l5+pLB6VPhVN+Wry0VV0uBq/aKYpR0CqNmQdeIn3sSDhHC
         PeOQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=bD7Efeou;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r10si2659480pgp.66.2017.11.30.00.51.36;
        Thu, 30 Nov 2017 00:51:49 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=bD7Efeou;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752143AbdK3Iub (ORCPT <rfc822;alexandre.munsch.linux@gmail.com>
        + 99 others); Thu, 30 Nov 2017 03:50:31 -0500
Received: from mail-qt0-f195.google.com ([209.85.216.195]:36057 "EHLO
        mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751396AbdK3Iu3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Nov 2017 03:50:29 -0500
Received: by mail-qt0-f195.google.com with SMTP id a16so7839336qtj.3;
        Thu, 30 Nov 2017 00:50:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=6EJGCHAVemOq2mdfwK+2mBbYvEZMFhsbsTnV0TMs6zM=;
        b=bD7EfeouNGWKvg5USi0/2OrwKHwALAYKovLsta8HFqvLMGEV312JspNigfKsoOOmLk
         uM95W8vbeFJhALRV7QfoIP2XlSBVGM8Ifl84/lG4TQGiyNRUzyAwZjZikwJJtAZ8VKBV
         aqdONKV7EEzViR44THwFf+7FfjBtpyv6CpJnn3mmNyKHXhIrsLfr461uuNd9m4RsnfUc
         ebeoTi9yJ60NWEUQWSWEAmzG0p9U66QO/HaLFy2al5Zmz18keoHtuqoEyjzAq2gzsS+o
         UsDtKNDGvg//rKYCnrXXxT4lfCx+MOoXMKsRzCpHyXTSG8fJUu1dpRtp0D14KwqrmhA2
         KLkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=6EJGCHAVemOq2mdfwK+2mBbYvEZMFhsbsTnV0TMs6zM=;
        b=XxVsErddnyP3OIQL5MVZo7KcZXHO+T/kjpP9S2NhCZOsR7qNipXSumXqam+6Aar6rZ
         q6mzYdDhJqIeIcGCQd58P7JdQ30AXK9rwhnxlf9M0KiNa1u0H5/qJs7k7WeKaQlueHUi
         Zr1ApD2pX+KrmDhpfYCIVUqPWcDvkQ7uKNpWfICB1974INhCl+fTnnNflGI7pyCiDLEh
         FVsG+iyD0GnaN6gID5WeV85HQF4OeymMakgEzD9mHBv/WbSMpF1dbUufXALuF3znG237
         laRa4uVSmyudU6RnEDG+E+OecnmqN6CeYamvpaMaUA025cCJMw9snA65QVn8NKLAPAlW
         odmw==
X-Gm-Message-State: AKGB3mLMFAHLB5Rn5Ot1mYLBCfjTr3fQYDawBJoPLG+8HOTGXDMG0f5a
        7HuXPzkH5XRGo1t5gvInkDSpPRWVVXJfBgC1ajk=
X-Received: by 10.200.36.9 with SMTP id c9mr2625619qtc.182.1512031828300; Thu,
 30 Nov 2017 00:50:28 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.31.132 with HTTP; Thu, 30 Nov 2017 00:50:27 -0800 (PST)
In-Reply-To: <1512024677.1374.168.camel@gmail.com>
References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com>
 <1511803118-2552-6-git-send-email-tixxdz@gmail.com> <CA+55aFxfO1i1LS9dPTTCf50ovWPXcq6BE9mKiq_FxWSm4iE8Mg@mail.gmail.com>
 <CAEiveUcvKbuJMB5801jdRosxYn+CZ4E=pfvXNrhuOrXXbw4ZBQ@mail.gmail.com>
 <CA+55aFzx2eM+wVrjQEfkE-G8E9OVLcdo6vk0fDMwZNu2sh1oCQ@mail.gmail.com>
 <1100603534.56586.1511871419952@ichabod.co-bxl> <20171128193243.4fymnjk7fplqw62x@thunk.org>
 <CAGXu5jLtBjLSe5mbe5sYSao1o67ezkkQq_u3md9646rRfi3cCQ@mail.gmail.com>
 <CA+55aFzvaFR1skBFKwT1QPnKqxaLqCuq33FCuYz8DP7MjKkgNg@mail.gmail.com>
 <CAGXu5j+OzbUAcqVBuC8QoY-ZiA9Xw6Uf9kzfzpx9MQHQ1LtxVQ@mail.gmail.com>
 <CA+55aFz0t7cCkePJQ1w44Kw_g5nns1tYJLUOL7f-c7vriqkFig@mail.gmail.com>
 <708003731.69563.1511905898471@ichabod.co-bxl> <CA+55aFzxFQeyk6Mrk50=jzevHpZ78BXz_9nHcHabMWBdM6RC6A@mail.gmail.com>
 <CA+55aFyybavkF8ccQKJsoVAF+MG=J5=e9PxXKU=J_hqCQRZnug@mail.gmail.com>
 <CAGXu5jLU8LqTYM9SYQADeH9wm2npVu4AEuSqvYqi3S+qtjC-Qw@mail.gmail.com>
 <CA+55aFwDfBnMVGfBVkrFFr26tp1y8CUpSf154AuXH+sWyeY5FA@mail.gmail.com>
 <CAGXu5j+Tv4KHytjOtBvG9e53o-pG7h5DjZZkATXbado-HAbKHw@mail.gmail.com>
 <CA+55aFxiDKfe6VCM+aV2OgnkzMpP+iz+rn2k25_Qa_QLex=pPQ@mail.gmail.com>
 <CAGXu5jJQnokKL2MdbQgOhBJ_RMHVvsw4u27Ds=4Jq3Ys=mjtRg@mail.gmail.com>
 <CA+55aFzi3Qj7zOrriRvrX5F4QDWMhkNQ7Qh-0FSCZsG4qk61zg@mail.gmail.com> <1512024677.1374.168.camel@gmail.com>
From:   Djalal Harouni <tixxdz@gmail.com>
Date:   Thu, 30 Nov 2017 09:50:27 +0100
Message-ID: <CAEiveUdgm_n-TUYGCtw_Zf24TJXrdrsFjcU8_S1M2qQUmHG+KA@mail.gmail.com>
Subject: Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use
 request_module_cap() to load 'netdev-%s' modules
To:     Daniel Micay <danielmicay@gmail.com>
Cc:     Linus Torvalds <torvalds@linux-foundation.org>,
        Kees Cook <keescook@chromium.org>,
        Jessica Yu <jeyu@kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        "kernel-hardening@lists.openwall.com" 
        <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 30, 2017 at 7:51 AM, Daniel Micay <danielmicay@gmail.com> wrote:
[...]
> Lots of potential module attack surface also gets eliminated by default
> via their SELinux whitelists for /dev, /sys, /proc, debugfs, ioctl
> commands, etc. The global seccomp whitelist might be relevant in some
> cases too.

In embedded systems we can't maintain a SELinux policy, distro man
power hardly manage. We have abstracted seccomp etc, but the kernel
inherited the difficult multiplex things, plus all other paths that
trigger this.


> Android devices like to build everything into the kernel too, so even if
> they weren't using a module this feature wouldn't usually help them. It
> would need to work like this existing sysctl:
>
>     net.ipv4.tcp_available_congestion_control = cubic reno lp
>
> i.e. whitelists for functionality offered by the modules, not just
> whether they can be loaded.

Yes, but it is hard to maintain a whitelist policy, the code is hardly
maintained... if you include everything you should have an LSM policy
or something like that, and compiling kernels is expert thing.
Otherwise IMHO the kernel should provide default secure behaviour on
how to load or add new functionality to the running one. From a user
perspective, a switch "yes/no" that a privileged entity will
*understand* and assume is what should be there, and the switch or
flag as discussed here is local to processes, the sysctl will be
removed. IMO it should come from userspace point of view, cause as an
example the sysctl:

net.ipv4.tcp_available_congestion_control = cubic reno lp

Is kernel thing, too technical, userspace developers, admins or
privileged entity will not understand what cubic or reno mean. Doing
the same per functionality directly like this seems to much of a
burden compared to the use case. The kernel maybe can do this to
advance the art of the networking stack and for advanced cases, but in
IMHO a sane default behaviour + an abstracted process/sandbox flag
"yes/no" for most others, userspace developers and humans is what
should be provided and we need the kernel to help here.

It seems that Linus and kees agreed on this direction which allows me
to follow up.

Thanks!


-- 
tixxdz

From 1585472912577388156@xxx Thu Nov 30 06:53:16 +0000 2017
X-GM-THRID: 1585240629942062556
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread