LKML Archive on
help / color / mirror / Atom feed
From: Stephen Smalley <>
To: James Morris <>
Cc: Andy Lutomirski <>,
	Matthew Garrett <>,
	LSM List <>,
	Linux Kernel Mailing List <>
Subject: Re: [RFC] Turn lockdown into an LSM
Date: Wed, 22 May 2019 16:03:23 -0400	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On 5/22/19 3:19 PM, James Morris wrote:
> On Wed, 22 May 2019, Stephen Smalley wrote:
>> That seems to violate the intent of lockdown as I understood it, and
>> turns security_is_locked_down() into a finer-grained capable() call.
>> Also, if I understand correctly, this could only be done if one were to
>> disable the lockdown module in the lsm list, since the security
>> framework will return non-zero (i.e. the operation is locked down) if
>> any module that implements the hook returns non-zero; LSM is
>> "restrictive". At that point SELinux or the other LSM would be the sole
>> arbiter of lockdown decisions. SELinux or the other LSM also wouldn't
>> have access to the kernel_locked_down level unless that was exported in
>> some manner from the lockdown module.  Not sure how to compose these.
> Right, I was envisaging the LSM replacing the default.
> i.e. the default is tristate OR fine grained LSM policy.
> They could in theory be composed restrictively, but this is likely not
> useful given the coarse grained default policy.  All the LSM could do is
> either further restrict none or integrity.
> We'd need to figure out how to avoid confusing users in the case where
> multiple LSMs are registered for the hooks, possibly by having the
> lockdown LSM gate this and update the securityfs lockdown node with
> something like "lsm:smack".

Some kind of transition from the lockdown module to other security 
modules might be needed, e.g. you might need to start with 
lockdown=integrity to protect the kernel up to the point where a policy 
is loaded, then hand off to SELinux or another security module to handle 
further requests.

      parent reply	other threads:[~2019-05-22 20:03 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-21 22:40 Matthew Garrett
2019-05-21 22:40 ` [RFC 1/2] security: Support early LSMs Matthew Garrett
2019-05-21 22:40 ` [RFC 2/2] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-05-22  2:48   ` James Morris
2019-05-22  2:40 ` [RFC] Turn lockdown into an LSM James Morris
2019-05-22 16:48   ` Matthew Garrett
2019-05-22 17:08     ` Andy Lutomirski
2019-05-22 18:05       ` James Morris
2019-05-22 18:30       ` Stephen Smalley
2019-05-22 19:19         ` James Morris
2019-05-22 19:57           ` Casey Schaufler
2019-05-22 20:03           ` Stephen Smalley [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \
    --subject='Re: [RFC] Turn lockdown into an LSM' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).