Linux-Security-Module Archive on lore.kernel.org
* LSM hook for module loading and unloading
@ 2018-12-01 15:49 Tamir Carmeli
  2018-12-03 16:13 ` Casey Schaufler
  0 siblings, 1 reply; 4+ messages in thread
From: Tamir Carmeli @ 2018-12-01 15:49 UTC (permalink / raw)
  To: linux-security-module

Hi,
I believe that this is the right place to ask the question, but if it
isn't please let me know of a better forum to ask.

Is there a reason why LSM hooks for kernel module deletion and loading
don't exist? (for delete_module syscall and load_module kernel
function)

Is there some design problem I'm not aware of, or whether the
necessity hasn't come up from any of the mainline LSMs?

I'm considering writing such a patch, and I'd like to hear reasons for
why it might be a bad idea.

Thanks.


* Re: LSM hook for module loading and unloading
  2018-12-01 15:49 LSM hook for module loading and unloading Tamir Carmeli
@ 2018-12-03 16:13 ` Casey Schaufler
  2018-12-03 22:23   ` Tamir Carmeli
  0 siblings, 1 reply; 4+ messages in thread
From: Casey Schaufler @ 2018-12-03 16:13 UTC (permalink / raw)
  To: Tamir Carmeli, linux-security-module

On 12/1/2018 7:49 AM, Tamir Carmeli wrote:
> Hi,
> I believe that this is the right place to ask the question, but if it
> isn't please let me know of a better forum to ask.

This is the right list.

> Is there a reason why LSM hooks for kernel module deletion and loading
> don't exist? (for delete_module syscall and load_module kernel
> function)

security_kernel_load_data() is the hook for loading.

> Is there some design problem I'm not aware of, or whether the
> necessity hasn't come up from any of the mainline LSMs?

No one has seen the need for a hook during unload.

> I'm considering writing such a patch, and I'd like to hear reasons for
> why it might be a bad idea.

To what end? Look at the Loadpin security module in security/loadpin
for one approach to protecting module loading.

> Thanks.



* Re: LSM hook for module loading and unloading
  2018-12-03 16:13 ` Casey Schaufler
@ 2018-12-03 22:23   ` Tamir Carmeli
  2018-12-04  1:51     ` Casey Schaufler
  0 siblings, 1 reply; 4+ messages in thread
From: Tamir Carmeli @ 2018-12-03 22:23 UTC (permalink / raw)
  To: casey; +Cc: linux-security-module

Thanks for the reference to loadpin - I didn't know this module before.

I understand that unloading a module is a pretty far-fetched security
risk. I have one use case I think might be worth a shot: An exploit in
the module unloading flow or in a vulnerable process that unloads a
module enables an attacker to unload one of the iptable_filter modules
before some user space process adds an ip filter, and by that, enables
network traffic that otherwise would have been blocked.

Again, this is pretty far-fetched, but an attacker that unloads a
module that contributes to the system security might hurt the system
security.
On Mon, Dec 3, 2018 at 6:13 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 12/1/2018 7:49 AM, Tamir Carmeli wrote:
> > Hi,
> > I believe that this is the right place to ask the question, but if it
> > isn't please let me know of a better forum to ask.
>
> This is the right list.
>
> > Is there a reason why LSM hooks for kernel module deletion and loading
> > don't exist? (for delete_module syscall and load_module kernel
> > function)
>
> security_kernel_load_data() is the hook for loading.
>
> > Is there some design problem I'm not aware of, or whether the
> > necessity hasn't come up from any of the mainline LSMs?
>
> No one has seen the need for a hook during unload.
>
> > I'm considering writing such a patch, and I'd like to hear reasons for
> > why it might be a bad idea.
>
> To what end? Look at the Loadpin security module in security/loadpin
> for one approach to protecting module loading.
>
> > Thanks.
>


* Re: LSM hook for module loading and unloading
  2018-12-03 22:23   ` Tamir Carmeli
@ 2018-12-04  1:51     ` Casey Schaufler
  0 siblings, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2018-12-04  1:51 UTC (permalink / raw)
  To: Tamir Carmeli; +Cc: linux-security-module

On 12/3/2018 2:23 PM, Tamir Carmeli wrote:
> Thanks for the reference to loadpin - I didn't know this module before.
>
> I understand that unloading a module is a pretty far-fetched security
> risk. I have one use case I think might be worth a shot: An exploit in
> the module unloading flow or in a vulnerable process that unloads a
> module enables an attacker to unload one of the iptable_filter modules
> before some user space process adds an ip filter, and by that, enables
> network traffic that otherwise would have been blocked.

How would a security module detect this case?

> Again, this is pretty far-fetched, but an attacker that unloads a
> module that contributes to the system security might hurt the system
> security.

Without a user for the hook there'd be no reason to incorporate
it. I would suggest that if you can come up with a way to detect
and then prevent the attack you should look into adding that to
loadpin.


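Casey asks how a security module would detect the unload case. Without an LSM hook, the closest thing available from user space is the audit subsystem, which records the delete_module syscall and, in a KERN_MODULE record with the same event serial, the name the caller passed. The script below is an added example, not code from the thread or from LoadPin: it correlates the two records and flags successful unloads of modules on a protected list. The sample records, the audit rule in the comment and the protected-module set are all constructed assumptions.

```python
import re

# Constructed sample audit records (not from the thread). They follow the Linux
# audit SYSCALL and KERN_MODULE record layout produced under a rule such as
#   -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kmod
# On x86_64: 175 = init_module, 176 = delete_module, 313 = finit_module.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1543874000.101:201): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="modprobe" exe="/usr/bin/kmod" key="kmod"
type=KERN_MODULE msg=audit(1543874000.101:201): name="iptable_filter"
type=SYSCALL msg=audit(1543874003.522:202): arch=c000003e syscall=176 success=yes exit=0 a0=55f1e0 a1=800 a2=0 a3=0 ppid=2300 pid=2311 auid=1000 uid=0 gid=0 comm="rmmod" exe="/usr/bin/kmod" key="kmod"
type=KERN_MODULE msg=audit(1543874003.522:202): name="iptable_filter"
type=SYSCALL msg=audit(1543874009.007:203): arch=c000003e syscall=176 success=no exit=-16 a0=55f1e0 a1=800 a2=0 a3=0 ppid=2300 pid=2312 auid=1000 uid=0 gid=0 comm="rmmod" exe="/usr/bin/kmod" key="kmod"
type=KERN_MODULE msg=audit(1543874009.007:203): name="ip_tables"
"""

# Assumed list of modules whose removal weakens packet filtering; pick your own.
PROTECTED_MODULES = {"ip_tables", "iptable_filter", "x_tables", "nf_conntrack"}
DELETE_MODULE_X86_64 = "176"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def group_events(log_text):
    """Merge the SYSCALL and KERN_MODULE records that share one audit event serial."""
    events = {}
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue  # not an audit record
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(m.group(1), {})
        if rec.get("type") == "KERN_MODULE":
            ev["module"] = rec.get("name")  # the name delete_module was called with
        else:
            ev.update(rec)
    return events

def module_unload_alerts(log_text, protected=PROTECTED_MODULES):
    """(serial, module, comm, auid) for every successful delete_module of a protected module."""
    alerts = []
    for serial, ev in sorted(group_events(log_text).items(), key=lambda kv: int(kv[0])):
        # syscall numbers are per-architecture, so only match on the x86_64 arch value
        if (ev.get("arch") == "c000003e" and ev.get("syscall") == DELETE_MODULE_X86_64
                and ev.get("success") == "yes" and ev.get("module") in protected):
            alerts.append((serial, ev["module"], ev.get("comm"), ev.get("auid")))
    return alerts
```

The failed unload (event 203, exit=-16 because the module is still in use) is deliberately not flagged; a deployment that also wants attempts would drop the success check.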
