Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized

[Mimi Zohar <zohar@linux.ibm.com>]

On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote:
> On 2021/03/24 1:13, Mimi Zohar wrote:
> > On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote:
> >> On 2021/03/23 23:47, Mimi Zohar wrote:
> >>> Initially I also questioned making "integrity" an LSM.  Perhaps it's
> >>> time to reconsider.   For now, it makes sense to just fix the NULL
> >>> pointer dereferencing.
> >>
> >> Do we think calling panic() as "fix the NULL pointer dereferencing" ?
> > 
> > Not supplying "integrity" as an "lsm=" option is a user error.  There
> > are only two options - allow or deny the caller to proceed.   If the
> > user is expecting the integrity subsystem to be properly working,
> > returning a NULL and allowing the system to boot (RFC patch version)
> > does not make sense.   Better to fail early.
> 
> What does the "user" mean? Those who load the vmlinux?
> Only the "root" user (so called administrators)?
> Any users including other than "root" user?
> 
> If the user means those who load the vmlinux, that user is explicitly asking
> for disabling "integrity" for some reason. In that case, it is a bug if
> booting with "integrity" disabled is impossible.
> 
> If the user means something other than those who load the vmlinux,
> is there a possibility that that user (especially non "root" users) is
> allowed to try to use "integrity" ? If processes other than global init
> process can try to use "integrity", wouldn't it be a DoS attack vector?
> Please explain in the descripotion why calling panic() does not cause
> DoS attack vector.

User in this case, is anyone rebooting the system and is intentionally
changing the default values, dropping the "integrity" option on the
boot command line.

Mimi