From: Andy Lutomirski <luto@kernel.org>
To: Matthew Garrett <mjg59@google.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
Andy Lutomirski <luto@kernel.org>,
linux-security@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Network Development <netdev@vger.kernel.org>,
Chun-Yi Lee <jlee@suse.com>,
Daniel Borkmann <daniel@iogearbox.net>,
LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
Date: Thu, 27 Jun 2019 16:23:10 -0700 [thread overview]
Message-ID: <CALCETrU7JVH7LR3d_=s-O=b2bjevTLw2rSm5g50UjaUB2PTY5A@mail.gmail.com> (raw)
In-Reply-To: <CACdnJuuG8cR7h9v3pNcBKsxyckAzpKuBJs1GQxsz77jk5DRoQA@mail.gmail.com>
On Thu, Jun 27, 2019 at 4:16 PM Matthew Garrett <mjg59@google.com> wrote:
>
> On Thu, Jun 27, 2019 at 1:16 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > That would only allow the LSM to further lock down the system above the
> > lockdown level set at boot, not grant exemptions for specific
> > functionality/interfaces required by the user or by a specific
> > process/program. You'd have to boot with lockdown=none (or your
> > lockdown=custom suggestion) in order for the LSM to allow anything
> > covered by the integrity or confidentiality levels. And then the kernel
> > would be unprotected prior to full initialization of the LSM, including
> > policy load.
> >
> > It seems like one would want to be able to boot with lockdown=integrity
> > to protect the kernel initially, then switch over to allowing the LSM to
> > selectively override it.
>
> One option would be to allow modules to be "unstacked" at runtime, but
> there's still something of a problem here - how do you ensure that
> your userland can be trusted to load a new policy before it does so?
> If you're able to assert that your early userland is trustworthy
> (perhaps because it's in an initramfs that's part of your signed boot
> payload), there's maybe an argument that most of the lockdown
> integrity guarantees are unnecessary before handoff - just using the
> lockdown LSM to protect against attacks via kernel parameters would be
> sufficient.
I think that, if you don't trust your system enough to avoid
compromising itself before policy load, then your MAC policy is more
or less dead in the water. It seems to be that it ought to be good
enough to boot with lockdown=none and then have a real policy loaded
along with the rest of the MAC policy. Or, for applications that need
to be stricter, you accept that MAC policy can't override lockdown.
next prev parent reply other threads:[~2019-06-27 23:23 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-21 1:19 [PATCH V33 00/30] Lockdown as an LSM Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 01/30] security: Support early LSMs Matthew Garrett
2019-06-21 3:21 ` Kees Cook
2019-06-21 19:26 ` Matthew Garrett
2019-06-21 5:23 ` Andy Lutomirski
2019-06-21 19:27 ` Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 02/30] security: Add a "locked down" LSM hook Matthew Garrett
2019-06-21 3:23 ` Kees Cook
2019-06-21 19:29 ` Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 03/30] security: Add a static lockdown policy LSM Matthew Garrett
2019-06-21 3:44 ` Kees Cook
2019-06-21 19:37 ` Matthew Garrett
2019-06-21 21:04 ` Matthew Garrett
2019-06-21 22:31 ` Mimi Zohar
2019-06-21 1:19 ` [PATCH V33 04/30] Enforce module signatures if the kernel is locked down Matthew Garrett
2019-06-21 3:46 ` Kees Cook
2019-06-21 1:19 ` [PATCH V33 05/30] Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 06/30] kexec_load: Disable at runtime if " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 07/30] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 08/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 09/30] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 10/30] hibernate: Disable when " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 11/30] uswsusp: " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 12/30] PCI: Lock down BAR access " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 13/30] x86: Lock down IO port " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 14/30] x86/msr: Restrict MSR " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 15/30] ACPI: Limit access to custom_method " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 16/30] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 17/30] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 18/30] Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 19/30] Lock down TIOCSSERIAL Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 20/30] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 21/30] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-06-26 12:46 ` Steven Rostedt
2019-06-21 1:19 ` [PATCH V33 22/30] Lock down /proc/kcore Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 23/30] Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-06-21 5:22 ` Andy Lutomirski
2019-06-21 20:05 ` Matthew Garrett
2019-06-26 20:22 ` James Morris
2019-06-27 0:57 ` Andy Lutomirski
2019-06-27 14:35 ` Stephen Smalley
2019-06-27 18:06 ` James Morris
2019-06-27 20:16 ` Stephen Smalley
2019-06-27 23:16 ` Matthew Garrett
2019-06-27 23:23 ` Andy Lutomirski [this message]
2019-06-27 23:27 ` Andy Lutomirski
2019-06-28 18:47 ` Matthew Garrett
2019-06-29 23:47 ` Andy Lutomirski
2019-06-21 1:19 ` [PATCH V33 25/30] Lock down perf when " Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 26/30] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 27/30] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-06-21 4:09 ` Kees Cook
2019-06-21 1:19 ` [PATCH V33 28/30] debugfs: Restrict debugfs when the kernel is locked down Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 29/30] tracefs: Restrict tracefs " Matthew Garrett
2019-06-26 13:07 ` Steven Rostedt
2019-06-26 19:39 ` Matthew Garrett
2019-06-21 1:19 ` [PATCH V33 30/30] efi: Restrict efivar_ssdt_load " Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrU7JVH7LR3d_=s-O=b2bjevTLw2rSm5g50UjaUB2PTY5A@mail.gmail.com' \
--to=luto@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=daniel@iogearbox.net \
--cc=dhowells@redhat.com \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-security@vger.kernel.org \
--cc=mjg59@google.com \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).