Re: [PATCH V33 01/30] security: Support early LSMs
From: Matthew Garrett
Date: Fri Jun 21 2019 - 15:28:00 EST
On Thu, Jun 20, 2019 at 10:23 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
>
> On Thu, Jun 20, 2019 at 6:22 PM Matthew Garrett
> <matthewgarrett@xxxxxxxxxx> wrote:
> >
> > The lockdown module is intended to allow for kernels to be locked down
> > early in boot - sufficiently early that we don't have the ability to
> > kmalloc() yet. Add support for early initialisation of some LSMs, and
> > then add them to the list of names when we do full initialisation later.
>
> I'm confused. What does it even mean to lock down the kernel before
> we're ready to run userspace code? We can't possibly be attacked by
> user code before there is any to attack us.
Certain kernel parameters can be disabled by lockdown, so we want to
have policy available before that parsing happens.