From: Andy Lutomirski
Date: Thu, 27 Jun 2019 16:23:10 -0700
Subject: Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
To: Matthew Garrett
Cc: Stephen Smalley, James Morris, Andy Lutomirski, linux-security@vger.kernel.org, LKML, Linux API, David Howells, Alexei Starovoitov, Network Development, Chun-Yi Lee, Daniel Borkmann, LSM List
List: linux-kernel@vger.kernel.org
References: <20190621011941.186255-1-matthewgarrett@google.com> <20190621011941.186255-25-matthewgarrett@google.com> <6E53376F-01BB-4795-BC02-24F9CAE00001@amacapital.net>

On Thu, Jun 27, 2019 at 4:16 PM Matthew Garrett wrote:
>
> On Thu, Jun 27, 2019 at 1:16 PM Stephen Smalley wrote:
> > That would only allow the LSM to further lock down the system above the
> > lockdown level set at boot, not grant exemptions for specific
> > functionality/interfaces required by the user or by a specific
> > process/program. You'd have to boot with lockdown=none (or your
> > lockdown=custom suggestion) in order for the LSM to allow anything
> > covered by the integrity or confidentiality levels. And then the kernel
> > would be unprotected prior to full initialization of the LSM, including
> > policy load.
> >
> > It seems like one would want to be able to boot with lockdown=integrity
> > to protect the kernel initially, then switch over to allowing the LSM to
> > selectively override it.
>
> One option would be to allow modules to be "unstacked" at runtime, but
> there's still something of a problem here - how do you ensure that
> your userland can be trusted to load a new policy before it does so?
> If you're able to assert that your early userland is trustworthy
> (perhaps because it's in an initramfs that's part of your signed boot
> payload), there's maybe an argument that most of the lockdown
> integrity guarantees are unnecessary before handoff - just using the
> lockdown LSM to protect against attacks via kernel parameters would be
> sufficient.

I think that, if you don't trust your system enough to avoid compromising
itself before policy load, then your MAC policy is more or less dead in
the water. It seems to me that it ought to be good enough to boot with
lockdown=none and then have a real policy loaded along with the rest of
the MAC policy. Or, for applications that need to be stricter, you accept
that MAC policy can't override lockdown.