Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down

From: Matthew Garrett
Date: Thu Aug 08 2019 - 14:31:24 EST

Next message: Paul Moore: "Re: [PATCH] fanotify, inotify, dnotify, security: add security hook for fs notifications"
Previous message: David Lechner: "Re: [PATCH v2 4/6] irqchip/irq-pruss-intc: Add helper functions to configure internal mapping"
In reply to: Jessica Yu: "Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down"
Next in thread: James Morris: "Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Aug 8, 2019 at 3:01 AM Jessica Yu <jeyu@xxxxxxxxxx> wrote:
> If you're confident that a hard dependency is not the right approach,
> then perhaps we could add a comment in the Kconfig (You could take a
> look at the comment under MODULE_SIG_ALL in init/Kconfig for an
> example)? If someone is configuring the kernel on their own then it'd
> be nice to let them know, otherwise having a lockdown kernel without
> module signatures would defeat the purpose of lockdown no? :-)

James, what would your preference be here? Jessica is right that not
having CONFIG_MODULE_SIG enabled means lockdown probably doesn't work
as expected, but tying it to the lockdown LSM seems inappropriate when
another LSM could be providing lockdown policy and run into the same
issue. Should this just be mentioned in the CONFIG_MODULE_SIG Kconfig
help?

Next message: Paul Moore: "Re: [PATCH] fanotify, inotify, dnotify, security: add security hook for fs notifications"
Previous message: David Lechner: "Re: [PATCH v2 4/6] irqchip/irq-pruss-intc: Add helper functions to configure internal mapping"
In reply to: Jessica Yu: "Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down"
Next in thread: James Morris: "Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]