Re: [GIT PULL] selinux/selinux-pr-20250323

From: Jeffrey Vander Stoep
Date: Thu Mar 27 2025 - 04:59:58 EST

Next message: Lukas Zapolskas: "Re: [RFC v2 8/8] drm/panthor: Expose the panthor perf ioctls"
Previous message: Uwe Kleine-König: "Re: [PATCH v11 2/3] pwm: Add Allwinner's D1/T113-S3/R329 SoCs PWM support"
In reply to: Linus Torvalds: "Re: [GIT PULL] selinux/selinux-pr-20250323"
Next in thread: Linus Torvalds: "Re: [GIT PULL] selinux/selinux-pr-20250323"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 27, 2025 at 5:10 AM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, 26 Mar 2025 at 20:28, Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
> >
> > That is not quite right. If you look at commit 581dd6983034 [1], when
> > a firmware is about to be loaded, the kernel credentials are used.
>
> Ahh, that's good, at least there's no "random state" to check.
>
> But it does still mean that the security check is pointless - there
> aren't any other credentials that would validly be used for firmware
> loading, so what was the point of checking them again?

The value here isn't so much about checking the source context
"kernel", but rather about checking the target context and enforcing
that firmware can only come from trusted filesystems. So even a
compromised privileged process that sets firmware_class.path cannot
cause the kernel to load firmware from an arbitrary source.

These restrictions reduce our reliance on (1) individual component
manufacturers (e.g. NFC chips) implementing signature verification
correctly in their firmware loading procedure, or (2) the fallout for
the Android ecosystem if a component manufacturer's private key leaks
because even firmware signed with the leaked key will not be trusted
if it doesn't come from the trusted filesystem signed by the Android
device manufacturer. Leaked keys is a very real problem. Restrictions
like those added here can significantly reduce the severity of such
incidences.

With this, we can write policies for Android devices that enforce that
firmware only comes from trusted filesystems. For example:

allow kernel vendor_file:system firmware_load;

You could even imagine a more lenient rule that allows any domain to
load firmware, just so long as it comes from a trusted filesystem. For
example:

allow domain vendor_file:system firmware_load;

We can then create tests that prevent rules from being added that
attempt to load firmware from untrusted locations. For example:
neverallow * ~vendor_file:system firmware_load;

Such tests are quite important for preventing device manufacturers
from adding insecure policies that would allow firmware loading from
untrusted sources.

>
> In fact, the commit you point to was made exactly *because* the kind
> of pointless and wrong security checks that I'm complaining about were
> done, wasn't it?
>
> Linus
>

Next message: Lukas Zapolskas: "Re: [RFC v2 8/8] drm/panthor: Expose the panthor perf ioctls"
Previous message: Uwe Kleine-König: "Re: [PATCH v11 2/3] pwm: Add Allwinner's D1/T113-S3/R329 SoCs PWM support"
In reply to: Linus Torvalds: "Re: [GIT PULL] selinux/selinux-pr-20250323"
Next in thread: Linus Torvalds: "Re: [GIT PULL] selinux/selinux-pr-20250323"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]