From: Mimi Zohar <zohar@linux.ibm.com>
To: Dmitry Vyukov <dvyukov@google.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-integrity@vger.kernel.org, James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Eric Biggers <ebiggers@kernel.org>
Subject: Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
Date: Wed, 24 Mar 2021 07:49:17 -0400 [thread overview]
Message-ID: <ca2b63a47c2910072397d41448c46293750456f7.camel@linux.ibm.com> (raw)
In-Reply-To: <CACT4Y+Y+wzPytH7hMAn3O6zT0p2D4UyQwDbuKbUqc4REzPECkw@mail.gmail.com>
On Wed, 2021-03-24 at 12:37 +0100, Dmitry Vyukov wrote:
> On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >
> > On 2021/03/24 20:10, Mimi Zohar wrote:
> > > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote:
> > >> On 2021/03/24 1:13, Mimi Zohar wrote:
> > >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote:
> > >>>> On 2021/03/23 23:47, Mimi Zohar wrote:
> > >>>>> Initially I also questioned making "integrity" an LSM. Perhaps it's
> > >>>>> time to reconsider. For now, it makes sense to just fix the NULL
> > >>>>> pointer dereferencing.
> > >>>>
> > >>>> Do we think calling panic() as "fix the NULL pointer dereferencing" ?
> > >>>
> > >>> Not supplying "integrity" as an "lsm=" option is a user error. There
> > >>> are only two options - allow or deny the caller to proceed. If the
> > >>> user is expecting the integrity subsystem to be properly working,
> > >>> returning a NULL and allowing the system to boot (RFC patch version)
> > >>> does not make sense. Better to fail early.
> > >>
> > >> What does the "user" mean? Those who load the vmlinux?
> > >> Only the "root" user (so called administrators)?
> > >> Any users including other than "root" user?
> > >>
> > >> If the user means those who load the vmlinux, that user is explicitly asking
> > >> for disabling "integrity" for some reason. In that case, it is a bug if
> > >> booting with "integrity" disabled is impossible.
> > >>
> > >> If the user means something other than those who load the vmlinux,
> > >> is there a possibility that that user (especially non "root" users) is
> > >> allowed to try to use "integrity" ? If processes other than global init
> > >> process can try to use "integrity", wouldn't it be a DoS attack vector?
> > >> Please explain in the descripotion why calling panic() does not cause
> > >> DoS attack vector.
> > >
> > > User in this case, is anyone rebooting the system and is intentionally
> > > changing the default values, dropping the "integrity" option on the
> > > boot command line.
> >
> > OK. Then, I expect that the system boots instead of calling panic().
> > That user is explicitly asking for disabling "integrity" for some reason.
>
> That was actually my intention. The prebuilt kernel that I use for
> things has all LSMs enabled, but then I needed to try some workload
> with only 1 specific LSM, so I gave a different lsm= argument.
IMA/EVM is dependent on "integrity". Was your intention to also
disable IMA and EVM? If so, when disabling "integrity", don't load an
IMA policy.
Mimi
next prev parent reply other threads:[~2021-03-24 11:50 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-19 20:03 [RFC PATCH 1/2] ima: don't access a file's integrity status before an IMA policy is loaded Mimi Zohar
2021-03-19 20:03 ` [RFC PATCH 2/2] integrity: double check iint_cache was initialized Mimi Zohar
2021-03-22 7:10 ` Tetsuo Handa
2021-03-22 7:53 ` Dmitry Vyukov
2021-03-23 1:46 ` Tetsuo Handa
2021-03-23 12:09 ` Mimi Zohar
2021-03-23 13:37 ` Tetsuo Handa
2021-03-23 14:01 ` Tetsuo Handa
2021-03-23 14:47 ` Mimi Zohar
2021-03-23 15:14 ` Tetsuo Handa
2021-03-23 16:13 ` Mimi Zohar
2021-03-24 10:10 ` Tetsuo Handa
2021-03-24 11:10 ` Mimi Zohar
2021-03-24 11:20 ` Tetsuo Handa
2021-03-24 11:37 ` Dmitry Vyukov
2021-03-24 11:49 ` Mimi Zohar [this message]
2021-03-24 11:58 ` Dmitry Vyukov
2021-03-24 12:17 ` Mimi Zohar
2021-03-24 15:56 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ca2b63a47c2910072397d41448c46293750456f7.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).