Re: [RFC] Turn lockdown into an LSM

From: Stephen Smalley
Date: Wed May 22 2019 - 16:06:23 EST


On 5/22/19 3:19 PM, James Morris wrote:
On Wed, 22 May 2019, Stephen Smalley wrote:

That seems to violate the intent of lockdown as I understood it, and
turns security_is_locked_down() into a finer-grained capable() call.
Also, if I understand correctly, this could only be done if one were to
disable the lockdown module in the lsm list, since the security
framework will return non-zero (i.e. the operation is locked down) if
any module that implements the hook returns non-zero; LSM is
"restrictive". At that point SELinux or the other LSM would be the sole
arbiter of lockdown decisions. SELinux or the other LSM also wouldn't
have access to the kernel_locked_down level unless that was exported in
some manner from the lockdown module. Not sure how to compose these.

Right, I was envisaging the LSM replacing the default.

i.e. the default is tristate OR fine-grained LSM policy.

They could in theory be composed restrictively, but this is likely not
useful given the coarse-grained default policy. All the LSM could do is
either further restrict none or integrity.

We'd need to figure out how to avoid confusing users in the case where
multiple LSMs are registered for the hooks, possibly by having the
lockdown LSM gate this and update the securityfs lockdown node with
something like "lsm:smack".

Some kind of transition from the lockdown module to other security modules might be needed, e.g. you might need to start with lockdown=integrity to protect the kernel up to the point where a policy is loaded, then hand off to SELinux or another security module to handle further requests.
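The composition behaviour discussed above (the framework calls every module registered for the hook and the first non-zero return denies, so a second module can only add restrictions on top of the tristate, never lift them, unless the lockdown module is dropped from the list) can be seen in a small user-space model. This is an added example, not code from this thread or from the kernel: the hook list, `security_locked_down()`, the request struct, the reason/level names and the `policy_hook` stand-in for a fine-grained LSM are all assumptions made here for illustration, with only the tristate idea and the `kernel_locked_down` name taken from the discussion.

```c
/* Added example: a user-space model of restrictive LSM hook composition for a
 * "is this operation locked down?" hook.  Not the kernel's API; every struct,
 * function and enum below is an assumption made for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* The coarse tristate from the thread.  The level each module must be at
 * or above to refuse an operation is decided per "reason" (assumed mapping). */
enum lockdown_level { LOCKDOWN_NONE = 0, LOCKDOWN_INTEGRITY, LOCKDOWN_CONFIDENTIALITY };
enum lockdown_reason { REASON_MODULE_UNSIGNED, REASON_KCORE, REASON_DEBUGFS_WRITE };

struct lockdown_request {
    enum lockdown_reason reason;
    const char *subject;   /* security label of the caller (modelled, e.g. an SELinux type) */
};

typedef int (*locked_down_hook)(const struct lockdown_request *req);

#define MAX_HOOKS 4
static locked_down_hook hooks[MAX_HOOKS];
static int nhooks;

static void register_hook(locked_down_hook h) { if (nhooks < MAX_HOOKS) hooks[nhooks++] = h; }
static void clear_hooks(void) { nhooks = 0; }

/* Restrictive composition: walk every registered module; any non-zero return
 * (here -EPERM) denies and short-circuits.  A later module never gets to
 * turn an earlier denial into an allow. */
int security_locked_down(const struct lockdown_request *req)
{
    for (int i = 0; i < nhooks; i++) {
        int rc = hooks[i](req);
        if (rc)
            return rc;
    }
    return 0;
}

/* Module 1: the coarse "lockdown" module with its tristate.  Only this module
 * knows the level; nothing exports it to the others, as the thread notes. */
static enum lockdown_level kernel_locked_down = LOCKDOWN_NONE;

static enum lockdown_level level_needed(enum lockdown_reason r)
{
    /* Assumed: reading kernel memory is a confidentiality concern, the rest integrity. */
    return r == REASON_KCORE ? LOCKDOWN_CONFIDENTIALITY : LOCKDOWN_INTEGRITY;
}

static int lockdown_hook(const struct lockdown_request *req)
{
    return kernel_locked_down >= level_needed(req->reason) ? -EPERM : 0;
}

/* Module 2: a fine-grained policy module standing in for SELinux/Smack.
 * It allows a constructed list of subjects and denies everyone else. */
static const char *const allowed_subjects[] = { "kmod_signer_t", NULL };   /* constructed policy */

static int policy_hook(const struct lockdown_request *req)
{
    for (int i = 0; allowed_subjects[i]; i++)
        if (strcmp(req->subject, allowed_subjects[i]) == 0)
            return 0;
    return -EPERM;
}

/* Build the hook list for one scenario. */
void setup(int with_lockdown, int with_policy, enum lockdown_level level)
{
    clear_hooks();
    kernel_locked_down = level;
    if (with_lockdown) register_hook(lockdown_hook);
    if (with_policy)   register_hook(policy_hook);
}

/* Ask the composed framework about one operation; 0 = allowed, -EPERM = locked down. */
int check(const char *subject, enum lockdown_reason reason)
{
    struct lockdown_request req = { reason, subject };
    return security_locked_down(&req);
}

int main(void)
{
    /* Both modules, lockdown=integrity: the policy module cannot lift the coarse
     * denial even for a subject it would allow (it is never consulted). */
    setup(1, 1, LOCKDOWN_INTEGRITY);
    printf("integrity+policy, allowed subject, unsigned module: %d\n", check("kmod_signer_t", REASON_MODULE_UNSIGNED));
    printf("integrity+policy, allowed subject, kcore:           %d\n", check("kmod_signer_t", REASON_KCORE));
    /* Both modules, lockdown=none: all the policy module can do is further restrict "none". */
    setup(1, 1, LOCKDOWN_NONE);
    printf("none+policy, allowed subject: %d\n", check("kmod_signer_t", REASON_MODULE_UNSIGNED));
    printf("none+policy, other subject:   %d\n", check("unconfined_t", REASON_MODULE_UNSIGNED));
    /* Lockdown module removed from the list: the policy module is the sole arbiter
     * and the tristate level is simply not consulted. */
    setup(0, 1, LOCKDOWN_CONFIDENTIALITY);
    printf("policy only, allowed subject, kcore: %d\n", check("kmod_signer_t", REASON_KCORE));
    return 0;
}
```

The three scenarios in `main()` are the three cases from the exchange: composed with lockdown=integrity the fine-grained module cannot relax anything; composed with lockdown=none it can only add denials; with the lockdown module out of the list it becomes the sole arbiter, which is the hand-off situation where nothing coarse protects the kernel until the fine-grained policy is loaded.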