All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Kees Cook <keescook@chromium.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	James Morris <jmorris@namei.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	Paul Moore <paul@paul-moore.com>
Subject: Re: [kernel-hardening] Re: [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as __ro_after_init
Date: Mon, 13 Feb 2017 14:01:13 -0800	[thread overview]
Message-ID: <2395a11c-3583-d98a-5e63-ff1b6fe44d43@schaufler-ca.com> (raw)
In-Reply-To: <CAGXu5j+BoPiy_YNgS4MC9vue8UDWZ5bwhpCO=bnvbgucsNGeqQ@mail.gmail.com>

On 2/13/2017 1:49 PM, Kees Cook wrote:
> On Mon, Feb 13, 2017 at 1:32 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 2/13/2017 1:03 PM, Stephen Smalley wrote:
>>> On Mon, 2017-02-13 at 09:29 -0800, Kees Cook wrote:
>>>> On Mon, Feb 13, 2017 at 3:29 AM, Tetsuo Handa
>>>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>>>> James Morris wrote:
>>>>>> Both SELinux and Smack register Netfilter operations during init,
>>>>>> which then don't change.  Mark these ops as __ro_after_init.
>>>>>>
>>>>>> Signed-off-by: James Morris <james.l.morris@oracle.com>
>>>>> This patch breaks CONFIG_SECURITY_SELINUX_DISABLE=y +
>>>>> SELINUX=disabled in /etc/selinux/config case,
>>>>> doesn't it? Although I heard that SELinux is planning to remove
>>>>> CONFIG_SECURITY_SELINUX_DISABLE,
>>>>> CONFIG_SECURITY_SELINUX_DISABLE is valid as of current linux-
>>>>> security.git#next .
>>>> We could fold that removal into this series?
>>> I'm personally in favor of removing it, but that support was originally
>>> requested by the Fedora distro folks on the grounds that it is too
>>> painful to manage kernel boot parameters on some platforms, and
>>> therefore they needed an alternative to booting with selinux=0 on the
>>> kernel command line.  The documented way to disable SELinux on such
>>> distros is through the use of /etc/selinux/config SELINUX=disabled,
>>> which relies on this mechanism.  So you'd have to work through removal
>>> with the distro folks.
>>>
>>> Maybe in the interim we could just wrap the ro-after-init markings
>>> under a conditional dependent on !CONFIG_SECURITY_SELINUX_DISABLE so
>>> that systems (e.g. Android) that do not rely on this feature could
>>> benefit.
>> If we changed CONFIG_SECURITY_SELINUX_DISABLE to
>> CONFIG_SECURITY_DYNAMIC_MODULES and put the __ro_after_init
>> under !CONFIG_SECURITY_DYNAMIC_MODULES we solve both the
>> current and potential future issues.
> Something like...
>
> #ifdef CONFIG_SECURITY_DYNAMIC_LSM
> # define lsm_ro_after_init __ro_after_init
> # define lsm_const         const
> #else
> # define lsm_ro_after_init
> # define lsm_const
> #endif
>
> ?

That's more elaborate than I was thinking, but sure.
I was going to put ifdefs in the respective declarations,
but this may be more in line with modern tastes.

>
> -Kees
>

  reply	other threads:[~2017-02-13 22:01 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-13  5:33 [kernel-hardening] [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as __ro_after_init James Morris
2017-02-13 11:29 ` [kernel-hardening] " Tetsuo Handa
2017-02-13 17:29   ` Kees Cook
2017-02-13 21:03     ` Stephen Smalley
2017-02-13 21:32       ` Casey Schaufler
2017-02-13 21:49         ` Kees Cook
2017-02-13 22:01           ` Casey Schaufler [this message]
2017-02-13 22:05           ` [kernel-hardening] Re: [RFC PATCH 2/4] security: mark nf ops inSELinux " Tetsuo Handa
2017-02-13 22:09             ` Kees Cook
2017-02-13 22:15               ` [kernel-hardening] Re: [RFC PATCH 2/4] security: mark nf ops in SELinux " Tetsuo Handa
2017-02-13 22:26         ` James Morris
2017-02-14  1:58           ` Casey Schaufler
2017-02-14  2:46             ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2395a11c-3583-d98a-5e63-ff1b6fe44d43@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.