From: THOBY Simon <Simon.THOBY@viveris.fr>
To: Igor Zhbanov <izh1979@gmail.com>
Cc: Igor Zhbanov <i.zhbanov@omp.ru>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH 1/1] NAX LSM: Add initial support support
Date: Fri, 13 Aug 2021 08:08:31 +0000 [thread overview]
Message-ID: <a41a0116-8d05-3aea-d979-090cdbb1d52f@viveris.fr> (raw)
In-Reply-To: <CAEUiM9ObZD=miina1NsP8Ohtv=byO=33Kp2XaeF8_RB_R_uC1Q@mail.gmail.com>
Hi Igor,
On 8/12/21 6:43 PM, Igor Zhbanov wrote:
> Hi Simon,
>
> Thanks for thorough review. Will post the corrected version soon.
>
>>> @@ -278,11 +279,11 @@ endchoice
>>>
>>> config LSM
>>> string "Ordered list of enabled LSMs"
>>> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>>> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>>> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>>> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
>>> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
>>> + default "nax,landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>>> + default "nax,landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>>> + default "nax,landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>>> + default "nax,landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
>>> + default "nax,landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
>>
>> I don't know the policy with regard to new LSMs, but enabling this one by default is maybe a bit violent?
>> That said, considering the default mode is SECURITY_NAX_MODE_LOG, this would just log kernel messages and
>> not break existing systems, so this shouldn't be a problem.
>
> I've just oriended on landlock and lockdown. They are handled in the similar
> way. But, yes, by default NAX module doesn't block anything.
> If you suggest not to do that, I can remove it.
If other LSMs are also enabled by default when added to the kernel, and keeping the idea that the default behavior
is warning-only (warning in a rate-limited fashion, as you rightfully did, so people running JIT engines as root
don't get their kernel log flooded with warnings), then I have no objection to that change.
>
>>> +__setup("nax_mode=", setup_mode);
>>> +
>>> +static int __init setup_quiet(char *str)
>>> +{
>>> + unsigned long val;
>>> +
>>> + if (!locked && !kstrtoul(str, 0, &val))
>>> + quiet = val ? 1 : 0;
>>
>> The order of the kernel parameters will have an impact on NAX behavior.
>>
>> "nax_mode=1 nax_locked=1" and "nax_locked=1 nax_mode=1" will end up with the same behavior.
>> in the first case the mode is enforced, in the second case it isn't (well unless you changed
>> the kernel configuration from the default) and it can't be enabled later either.
>>
>> Is that desired?
>
> Yes. The idea is that on boot you can set-up the proper options then block
> further changing (especially turning the module off).
> Initially it was implemented for sysctl parameters, so, you can change
> something in init-scripts, then lock. Then, I've extended it to command-line
> parameters.
> I can ignore "locked" flag in setup_* functions to defer locking to sysctl
> parsing. (Unless our command-line is glued by the bootloader from several
> parts, so we want to lock it as early as possible...).
>
I may have badly made my point (especially considering I made a lot of typos when writing
that mail, for which I would like to apologize).
My sentence
"nax_mode=1 nax_locked=1" and "nax_locked=1 nax_mode=1" will end up with the same behavior.
lacked the "not" word, and both options will NOT have the same behavior.
What I wanted to say was that I think both parameter should have the same behavior, and that
the ordering of the options shouldn't impact the end result, because order-dependent options
may confuse users.
For the matter of have a kernel commandline being the result of concatenations from multiple
sources, I think that if any attacker is able to alter part of the command line, they can
already write 'lsm=' to it and completely disable NAX, thus I'm not sure 'nax_locked' should
impact other setup_* functions.
I believe keeping the nax_locked parameter, but not checking for the 'locked' status in the other setup_*
functions should be enought, as sysctls writes will still be protected by the 'locked' variable.
> Thanks.
>
Thanks,
Simon
next prev parent reply other threads:[~2021-08-13 8:08 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 1:03 [PATCH 1/1] NAX LSM: Add initial support support Igor Zhbanov
2021-07-28 10:19 ` THOBY Simon
2021-08-10 4:52 ` J Freyensee
2021-08-12 14:47 ` THOBY Simon
2021-08-12 16:43 ` Igor Zhbanov
2021-08-13 8:08 ` THOBY Simon [this message]
2021-08-14 13:39 ` Igor Zhbanov
2021-08-16 7:39 ` THOBY Simon
2021-08-12 20:24 ` Igor Zhbanov
2021-08-13 7:47 ` THOBY Simon
2021-08-13 8:05 ` Igor Zhbanov
2021-08-13 8:23 ` THOBY Simon
2021-08-13 20:10 ` Igor Zhbanov
2021-08-16 7:31 ` THOBY Simon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a41a0116-8d05-3aea-d979-090cdbb1d52f@viveris.fr \
--to=simon.thoby@viveris.fr \
--cc=i.zhbanov@omp.ru \
--cc=izh1979@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).