Re: [PATCH v4 0/1] Safe LSM (un)loading, and immutable hooks
From: Igor Stoppa
Date: Thu Apr 05 2018 - 07:34:28 EST
On 05/04/18 13:31, Peter Dolding wrote:
> On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa <igor.stoppa@xxxxxxxxxx> wrote:
[...]
>> A) hooks that are either const or marked as RO after init
>>
>> B) hooks that are writable for a short time, long enough to load
>> additional, non built-in modules, but then get locked down
>> I provided an example some time ago [1]
>>
>> C) hooks that are unloadable (and therefore always attackable?)
[...]
>> Do you have any specific case in mind where this trade-off would be
>> acceptable?
>>
>
> A useful case for loadable/unloadable LSM is development automate QA.
I did not consider this case, but I see the point.
[...]
> I would say normal production machines being able to swap LSM like
> this does not have much use.
yes, this is what I had in mind
[...]
> There is a shade of grey between something being a security hazard and
> something being a useful feature.
Maybe the problem I see is only in the naming: if what right now is
addressed as "mutable" were to be called in some other way that does not
imply that it's impossible to lock it down, then I think there wouldn't
be much of a problem anymore.
How about s/mutable/protectable/g ?
Then it could be a boot time parameter to decide if the "extra" hooks
should be protected or stay writable, for example for performing more
extensive testing.
--
igor