From: Andy Lutomirski <firstname.lastname@example.org> To: Matthew Garrett <email@example.com> Cc: Stephen Smalley <firstname.lastname@example.org>, James Morris <email@example.com>, Andy Lutomirski <firstname.lastname@example.org>, email@example.com, LKML <firstname.lastname@example.org>, Linux API <email@example.com>, David Howells <firstname.lastname@example.org>, Alexei Starovoitov <email@example.com>, Network Development <firstname.lastname@example.org>, Chun-Yi Lee <email@example.com>, Daniel Borkmann <firstname.lastname@example.org>, LSM List <email@example.com> Subject: Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode Date: Thu, 27 Jun 2019 16:23:10 -0700 Message-ID: <CALCETrU7JVH7LR3d_=s-O=b2bjevTLw2rSm5g50UjaUB2PTY5A@mail.gmail.com> (raw) In-Reply-To: <CACdnJuuG8cR7h9v3pNcBKsxyckAzpKuBJs1GQxsz77jk5DRoQA@mail.gmail.com> On Thu, Jun 27, 2019 at 4:16 PM Matthew Garrett <firstname.lastname@example.org> wrote: > > On Thu, Jun 27, 2019 at 1:16 PM Stephen Smalley <email@example.com> wrote: > > That would only allow the LSM to further lock down the system above the > > lockdown level set at boot, not grant exemptions for specific > > functionality/interfaces required by the user or by a specific > > process/program. You'd have to boot with lockdown=none (or your > > lockdown=custom suggestion) in order for the LSM to allow anything > > covered by the integrity or confidentiality levels. And then the kernel > > would be unprotected prior to full initialization of the LSM, including > > policy load. > > > > It seems like one would want to be able to boot with lockdown=integrity > > to protect the kernel initially, then switch over to allowing the LSM to > > selectively override it. > > One option would be to allow modules to be "unstacked" at runtime, but > there's still something of a problem here - how do you ensure that > your userland can be trusted to load a new policy before it does so? > If you're able to assert that your early userland is trustworthy > (perhaps because it's in an initramfs that's part of your signed boot > payload), there's maybe an argument that most of the lockdown > integrity guarantees are unnecessary before handoff - just using the > lockdown LSM to protect against attacks via kernel parameters would be > sufficient. I think that, if you don't trust your system enough to avoid compromising itself before policy load, then your MAC policy is more or less dead in the water. It seems to be that it ought to be good enough to boot with lockdown=none and then have a real policy loaded along with the rest of the MAC policy. Or, for applications that need to be stricter, you accept that MAC policy can't override lockdown.
next prev parent reply index Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top [not found] <firstname.lastname@example.org> 2019-06-21 1:19 ` Matthew Garrett 2019-06-21 5:22 ` Andy Lutomirski 2019-06-21 20:05 ` Matthew Garrett 2019-06-26 20:22 ` James Morris 2019-06-27 0:57 ` Andy Lutomirski 2019-06-27 14:35 ` Stephen Smalley 2019-06-27 18:06 ` James Morris 2019-06-27 20:16 ` Stephen Smalley 2019-06-27 23:16 ` Matthew Garrett 2019-06-27 23:23 ` Andy Lutomirski [this message] 2019-06-27 23:27 ` Andy Lutomirski 2019-06-28 18:47 ` Matthew Garrett 2019-06-29 23:47 ` Andy Lutomirski
Reply instructions: You may reply publically to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CALCETrU7JVH7LR3d_=s-O=b2bjevTLw2rSm5g50UjaUB2PTY5A@mail.gmail.com' \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Netdev Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \ firstname.lastname@example.org email@example.com public-inbox-index netdev Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.netdev AGPL code for this site: git clone https://public-inbox.org/ public-inbox