From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751821AbeECQFd (ORCPT ); Thu, 3 May 2018 12:05:33 -0400 Received: from sonic304-28.consmr.mail.gq1.yahoo.com ([98.137.68.209]:37340 "EHLO sonic304-28.consmr.mail.gq1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751612AbeECQFa (ORCPT ); Thu, 3 May 2018 12:05:30 -0400 X-YMail-OSG: f74tyFsVM1k9AVvM9.MdAH.b62pBPaVoIGzEWK_q1B2pz6eahue7ZO6APupdeN4 otByih1jZthQLmJ8q9S.keoHnk71atWSL8DKCJMwkIqPq.J87JV_AWnikYF9.gR72pbiwc0Z4VNR pjmIuuu.qQeSO51Vsz_BAc_NptgYcZTcMSKnhihLDG5upTaUMl1Qca_8Cr.QTkiI.1XWyFVNZ2SS ZXsnAPc5_zPadJm8kjq85sfapa3iZ1HZAmZfSEAesqzMWA0CJ3cPx.9AjmMr8_VHKxvDAaosaZON lfdL_.QqBUgz6Xaiak8VcCTqusommDbpdWNHBEPegnyDYxZDfOSX.8l_JAZm2x51xsJlJbbv0N7F VElhOu3bl2RjcLwFumQG6mxvlZ16DpAxQrEHcSTy7wrO9nONnGn.4dnbAa_zvrSv.7bvNGEn5OGR IHXdX4y7o9AdZOvseHi7kTte_A1HsoHvBSXYBFic2Cq3IKFPcRtLG5kDx25HwtilXHHRyaiCnjrZ oDP2zmTP46oiunmt9.fbxeHgdXDNk6JgsBIkBf7im4Tz3jBccz2A5BSaJVTFKpQl5iyCUoNQhKuZ TEuDQWKeQ_g1LqKrb7I4QDfv0A7bHvw9zgkO4eRnJAg6J5QeThERIsCaNrWb4LBfgaXmzIeDHtCe YcMcBCP3bCZiMpGbz_aT4f2iN.uJOYXzRgxg5 Subject: Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall To: "Eric W. Biederman" , Mimi Zohar Cc: David Howells , Matthew Garrett , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <1523572911-16363-3-git-send-email-zohar@linux.vnet.ibm.com> <87h8nqglpx.fsf@xmission.com> <1525275904.5669.308.camel@linux.vnet.ibm.com> <87h8nospo5.fsf@xmission.com> From: Casey Schaufler Message-ID: <6203b1e4-70c3-6d0e-60e0-56c6e8f72ec9@schaufler-ca.com> Date: Thu, 3 May 2018 09:05:22 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <87h8nospo5.fsf@xmission.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/3/2018 8:51 AM, Eric W. Biederman wrote: > Mimi Zohar writes: > >> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: >>> Mimi Zohar writes: >>> >>>> Allow LSMs and IMA to differentiate between the kexec_load and >>>> kexec_file_load syscalls by adding an "unnecessary" call to >>>> security_kernel_read_file() in kexec_load. This would be similar to the >>>> existing init_module syscall calling security_kernel_read_file(). >>> Given the reasonable desire to load a policy that ensures everything >>> has a signature I don't have fundamental objections. >>> >>> security_kernel_read_file as a hook seems an odd choice. At the very >>> least it has a bad name because there is no file reading going on here. >>> >>> I am concerned that I don't see CONFIG_KEXEC_VERIFY_SIG being tested >>> anywhere. Which means I could have a kernel compiled without that and I >>> would be allowed to use kexec_file_load without signature checking. >>> While kexec_load would be denied. >>> >>> Am I missing something here? >> The kexec_file_load() calls kernel_read_file_from_fd(), which in turn >> calls security_kernel_read_file().  So kexec_file_load and kexec_load >> syscall would be using the same method for enforcing signature >> verification. > Having looked at your patches and the kernel a little more I think > this should be a separate security hook that does not take a file > parameter. > > Right now every other security module assumes !file is init_module. > So I think this change has the potential to confuse other security > modules, with the result of unintended policy being applied. > > So just for good security module hygeine I think this needs a dedicated > kexec_load security hook. I would rather see the existing modules updated than a new hook added. Too many hooks spoil the broth. Two hooks with trivial differences just add to the clutter and make it harder for non-lsm developers to figure out what to use in their code. From mboxrd@z Thu Jan 1 00:00:00 1970 From: casey@schaufler-ca.com (Casey Schaufler) Date: Thu, 3 May 2018 09:05:22 -0700 Subject: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall In-Reply-To: <87h8nospo5.fsf@xmission.com> References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <1523572911-16363-3-git-send-email-zohar@linux.vnet.ibm.com> <87h8nqglpx.fsf@xmission.com> <1525275904.5669.308.camel@linux.vnet.ibm.com> <87h8nospo5.fsf@xmission.com> Message-ID: <6203b1e4-70c3-6d0e-60e0-56c6e8f72ec9@schaufler-ca.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On 5/3/2018 8:51 AM, Eric W. Biederman wrote: > Mimi Zohar writes: > >> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: >>> Mimi Zohar writes: >>> >>>> Allow LSMs and IMA to differentiate between the kexec_load and >>>> kexec_file_load syscalls by adding an "unnecessary" call to >>>> security_kernel_read_file() in kexec_load. This would be similar to the >>>> existing init_module syscall calling security_kernel_read_file(). >>> Given the reasonable desire to load a policy that ensures everything >>> has a signature I don't have fundamental objections. >>> >>> security_kernel_read_file as a hook seems an odd choice. At the very >>> least it has a bad name because there is no file reading going on here. >>> >>> I am concerned that I don't see CONFIG_KEXEC_VERIFY_SIG being tested >>> anywhere. Which means I could have a kernel compiled without that and I >>> would be allowed to use kexec_file_load without signature checking. >>> While kexec_load would be denied. >>> >>> Am I missing something here? >> The kexec_file_load() calls kernel_read_file_from_fd(), which in turn >> calls security_kernel_read_file(). ?So kexec_file_load and kexec_load >> syscall would be using the same method for enforcing signature >> verification. > Having looked at your patches and the kernel a little more I think > this should be a separate security hook that does not take a file > parameter. > > Right now every other security module assumes !file is init_module. > So I think this change has the potential to confuse other security > modules, with the result of unintended policy being applied. > > So just for good security module hygeine I think this needs a dedicated > kexec_load security hook. I would rather see the existing modules updated than a new hook added. Too many hooks spoil the broth. Two hooks with trivial differences just add to the clutter and make it harder for non-lsm developers to figure out what to use in their code. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from sonic304-28.consmr.mail.gq1.yahoo.com ([98.137.68.209]:44229 "EHLO sonic304-28.consmr.mail.gq1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751621AbeECQFa (ORCPT ); Thu, 3 May 2018 12:05:30 -0400 Subject: Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall To: "Eric W. Biederman" , Mimi Zohar Cc: David Howells , Matthew Garrett , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <1523572911-16363-3-git-send-email-zohar@linux.vnet.ibm.com> <87h8nqglpx.fsf@xmission.com> <1525275904.5669.308.camel@linux.vnet.ibm.com> <87h8nospo5.fsf@xmission.com> From: Casey Schaufler Message-ID: <6203b1e4-70c3-6d0e-60e0-56c6e8f72ec9@schaufler-ca.com> Date: Thu, 3 May 2018 09:05:22 -0700 MIME-Version: 1.0 In-Reply-To: <87h8nospo5.fsf@xmission.com> Content-Type: text/plain; charset=utf-8 Sender: linux-integrity-owner@vger.kernel.org List-ID: On 5/3/2018 8:51 AM, Eric W. Biederman wrote: > Mimi Zohar writes: > >> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: >>> Mimi Zohar writes: >>> >>>> Allow LSMs and IMA to differentiate between the kexec_load and >>>> kexec_file_load syscalls by adding an "unnecessary" call to >>>> security_kernel_read_file() in kexec_load. This would be similar to the >>>> existing init_module syscall calling security_kernel_read_file(). >>> Given the reasonable desire to load a policy that ensures everything >>> has a signature I don't have fundamental objections. >>> >>> security_kernel_read_file as a hook seems an odd choice. At the very >>> least it has a bad name because there is no file reading going on here. >>> >>> I am concerned that I don't see CONFIG_KEXEC_VERIFY_SIG being tested >>> anywhere. Which means I could have a kernel compiled without that and I >>> would be allowed to use kexec_file_load without signature checking. >>> While kexec_load would be denied. >>> >>> Am I missing something here? >> The kexec_file_load() calls kernel_read_file_from_fd(), which in turn >> calls security_kernel_read_file(). So kexec_file_load and kexec_load >> syscall would be using the same method for enforcing signature >> verification. > Having looked at your patches and the kernel a little more I think > this should be a separate security hook that does not take a file > parameter. > > Right now every other security module assumes !file is init_module. > So I think this change has the potential to confuse other security > modules, with the result of unintended policy being applied. > > So just for good security module hygeine I think this needs a dedicated > kexec_load security hook. I would rather see the existing modules updated than a new hook added. Too many hooks spoil the broth. Two hooks with trivial differences just add to the clutter and make it harder for non-lsm developers to figure out what to use in their code. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from sonic304-28.consmr.mail.gq1.yahoo.com ([98.137.68.209]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1fEGjm-0006VK-5T for kexec@lists.infradead.org; Thu, 03 May 2018 16:05:44 +0000 Subject: Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com> <1523572911-16363-3-git-send-email-zohar@linux.vnet.ibm.com> <87h8nqglpx.fsf@xmission.com> <1525275904.5669.308.camel@linux.vnet.ibm.com> <87h8nospo5.fsf@xmission.com> From: Casey Schaufler Message-ID: <6203b1e4-70c3-6d0e-60e0-56c6e8f72ec9@schaufler-ca.com> Date: Thu, 3 May 2018 09:05:22 -0700 MIME-Version: 1.0 In-Reply-To: <87h8nospo5.fsf@xmission.com> Content-Language: en-US List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: "Eric W. Biederman" , Mimi Zohar Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Matthew Garrett , David Howells , linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org T24gNS8zLzIwMTggODo1MSBBTSwgRXJpYyBXLiBCaWVkZXJtYW4gd3JvdGU6Cj4gTWltaSBab2hh ciA8em9oYXJAbGludXgudm5ldC5pYm0uY29tPiB3cml0ZXM6Cj4KPj4gT24gV2VkLCAyMDE4LTA1 LTAyIGF0IDA5OjQ1IC0wNTAwLCBFcmljIFcuIEJpZWRlcm1hbiB3cm90ZToKPj4+IE1pbWkgWm9o YXIgPHpvaGFyQGxpbnV4LnZuZXQuaWJtLmNvbT4gd3JpdGVzOgo+Pj4KPj4+PiBBbGxvdyBMU01z IGFuZCBJTUEgdG8gZGlmZmVyZW50aWF0ZSBiZXR3ZWVuIHRoZSBrZXhlY19sb2FkIGFuZAo+Pj4+ IGtleGVjX2ZpbGVfbG9hZCBzeXNjYWxscyBieSBhZGRpbmcgYW4gInVubmVjZXNzYXJ5IiBjYWxs IHRvCj4+Pj4gc2VjdXJpdHlfa2VybmVsX3JlYWRfZmlsZSgpIGluIGtleGVjX2xvYWQuICBUaGlz IHdvdWxkIGJlIHNpbWlsYXIgdG8gdGhlCj4+Pj4gZXhpc3RpbmcgaW5pdF9tb2R1bGUgc3lzY2Fs bCBjYWxsaW5nIHNlY3VyaXR5X2tlcm5lbF9yZWFkX2ZpbGUoKS4KPj4+IEdpdmVuIHRoZSByZWFz b25hYmxlIGRlc2lyZSB0byBsb2FkIGEgcG9saWN5IHRoYXQgZW5zdXJlcyBldmVyeXRoaW5nCj4+ PiBoYXMgYSBzaWduYXR1cmUgSSBkb24ndCBoYXZlIGZ1bmRhbWVudGFsIG9iamVjdGlvbnMuCj4+ Pgo+Pj4gc2VjdXJpdHlfa2VybmVsX3JlYWRfZmlsZSBhcyBhIGhvb2sgc2VlbXMgYW4gb2RkIGNo b2ljZS4gIEF0IHRoZSB2ZXJ5Cj4+PiBsZWFzdCBpdCBoYXMgYSBiYWQgbmFtZSBiZWNhdXNlIHRo ZXJlIGlzIG5vIGZpbGUgcmVhZGluZyBnb2luZyBvbiBoZXJlLgo+Pj4KPj4+IEkgYW0gY29uY2Vy bmVkIHRoYXQgSSBkb24ndCBzZWUgQ09ORklHX0tFWEVDX1ZFUklGWV9TSUcgYmVpbmcgdGVzdGVk Cj4+PiBhbnl3aGVyZS4gIFdoaWNoIG1lYW5zIEkgY291bGQgaGF2ZSBhIGtlcm5lbCBjb21waWxl ZCB3aXRob3V0IHRoYXQgYW5kIEkKPj4+IHdvdWxkIGJlIGFsbG93ZWQgdG8gdXNlIGtleGVjX2Zp bGVfbG9hZCB3aXRob3V0IHNpZ25hdHVyZSBjaGVja2luZy4KPj4+IFdoaWxlIGtleGVjX2xvYWQg d291bGQgYmUgZGVuaWVkLgo+Pj4KPj4+IEFtIEkgbWlzc2luZyBzb21ldGhpbmcgaGVyZT8KPj4g VGhlIGtleGVjX2ZpbGVfbG9hZCgpIGNhbGxzIGtlcm5lbF9yZWFkX2ZpbGVfZnJvbV9mZCgpLCB3 aGljaCBpbiB0dXJuCj4+IGNhbGxzIHNlY3VyaXR5X2tlcm5lbF9yZWFkX2ZpbGUoKS4gwqBTbyBr ZXhlY19maWxlX2xvYWQgYW5kIGtleGVjX2xvYWQKPj4gc3lzY2FsbCB3b3VsZCBiZSB1c2luZyB0 aGUgc2FtZSBtZXRob2QgZm9yIGVuZm9yY2luZyBzaWduYXR1cmUKPj4gdmVyaWZpY2F0aW9uLgo+ IEhhdmluZyBsb29rZWQgYXQgeW91ciBwYXRjaGVzIGFuZCB0aGUga2VybmVsIGEgbGl0dGxlIG1v cmUgSSB0aGluawo+IHRoaXMgc2hvdWxkIGJlIGEgc2VwYXJhdGUgc2VjdXJpdHkgaG9vayB0aGF0 IGRvZXMgbm90IHRha2UgYSBmaWxlCj4gcGFyYW1ldGVyLgo+Cj4gUmlnaHQgbm93IGV2ZXJ5IG90 aGVyIHNlY3VyaXR5IG1vZHVsZSBhc3N1bWVzICFmaWxlIGlzIGluaXRfbW9kdWxlLgo+IFNvIEkg dGhpbmsgdGhpcyBjaGFuZ2UgaGFzIHRoZSBwb3RlbnRpYWwgdG8gY29uZnVzZSBvdGhlciBzZWN1 cml0eQo+IG1vZHVsZXMsIHdpdGggdGhlIHJlc3VsdCBvZiB1bmludGVuZGVkIHBvbGljeSBiZWlu ZyBhcHBsaWVkLgo+Cj4gU28ganVzdCBmb3IgZ29vZCBzZWN1cml0eSBtb2R1bGUgaHlnZWluZSBJ IHRoaW5rIHRoaXMgbmVlZHMgYSBkZWRpY2F0ZWQKPiBrZXhlY19sb2FkIHNlY3VyaXR5IGhvb2su CgpJIHdvdWxkIHJhdGhlciBzZWUgdGhlIGV4aXN0aW5nIG1vZHVsZXMgdXBkYXRlZCB0aGFuIGEg bmV3Cmhvb2sgYWRkZWQuIFRvbyBtYW55IGhvb2tzIHNwb2lsIHRoZSBicm90aC4gVHdvIGhvb2tz IHdpdGgKdHJpdmlhbCBkaWZmZXJlbmNlcyBqdXN0IGFkZCB0byB0aGUgY2x1dHRlciBhbmQgbWFr ZSBpdCBoYXJkZXIKZm9yIG5vbi1sc20gZGV2ZWxvcGVycyB0byBmaWd1cmUgb3V0IHdoYXQgdG8g dXNlIGluIHRoZWlyCmNvZGUuIAoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fCmtleGVjIG1haWxpbmcgbGlzdAprZXhlY0BsaXN0cy5pbmZyYWRlYWQub3Jn Cmh0dHA6Ly9saXN0cy5pbmZyYWRlYWQub3JnL21haWxtYW4vbGlzdGluZm8va2V4ZWMK