From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758391AbdDRXkj (ORCPT ); Tue, 18 Apr 2017 19:40:39 -0400 Received: from mail-it0-f46.google.com ([209.85.214.46]:35384 "EHLO mail-it0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758370AbdDRXkg (ORCPT ); Tue, 18 Apr 2017 19:40:36 -0400 MIME-Version: 1.0 In-Reply-To: References: <20170328234650.19695-1-mic@digikod.net> <20170328234650.19695-5-mic@digikod.net> <9a69055a-b4cf-00b0-da5e-2e45ff88059c@digikod.net> From: Kees Cook Date: Tue, 18 Apr 2017 16:40:34 -0700 X-Google-Sender-Auth: Ui_BiP-OYASLmtVKy4LTPSHzaqE Message-ID: Subject: Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem To: Casey Schaufler Cc: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , LKML , Alexei Starovoitov , Andy Lutomirski , Arnaldo Carvalho de Melo , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Matthew Garrett , Michael Kerrisk , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Will Drewry , "kernel-hardening@lists.openwall.com" , Linux API , linux-security-module , Network Development Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v3INeqai009209 On Tue, Apr 18, 2017 at 4:16 PM, Casey Schaufler wrote: > On 4/18/2017 3:44 PM, Mickaël Salaün wrote: >> On 19/04/2017 00:17, Kees Cook wrote: >>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote: >>>> +void __init landlock_add_hooks(void) >>>> +{ >>>> + pr_info("landlock: Version %u", LANDLOCK_VERSION); >>>> + landlock_add_hooks_fs(); >>>> + security_add_hooks(NULL, 0, "landlock"); >>>> + bpf_register_prog_type(&bpf_landlock_type); >>> I'm confused by the separation of hook registration here. The call to >>> security_add_hooks is with count=0 is especially weird. Why isn't this >>> just a single call with security_add_hooks(landlock_hooks, >>> ARRAY_SIZE(landlock_hooks), "landlock")? >> Yes, this is ugly with the new security_add_hooks() with three arguments >> but I wanted to split the hooks definition in multiple files. > > Why? I'll buy a good argument, but there are dangers in > allowing multiple calls to security_add_hooks(). > >> >> The current security_add_hooks() use lsm_append(lsm, &lsm_names) which >> is not exported. Unfortunately, calling multiple security_add_hooks() >> with the same LSM name would register multiple names for the same LSM… >> Is it OK if I modify this function to not add duplicated entries? > > It may seem absurd, but it's conceivable that a module might > have two hooks it wants called. My example is a module that > counts the number of times SELinux denies a process access to > things (which needs to be called before and after SELinux in > order to detect denials) and takes "appropriate action" if > too many denials occur. It would be weird, wonky and hackish, > but that never stopped anybody before. If ends up being sane and clear, I'm fine with allowing multiple calls. -Kees -- Kees Cook Pixel Security