From: Joshua Brindle <brindle@quarksecurity.com>
To: "Roberts, William C" <william.c.roberts@intel.com>
Cc: "Paul Moore" <paul@paul-moore.com>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
"Takashi Iwai" <tiwai@suse.de>,
"Ming Lei" <ming.lei@canonical.com>,
"David Howells" <dhowells@redhat.com>,
"Peter Jones" <pjones@redhat.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Kees Cook" <keescook@chromium.org>,
"Vojtech Pavlík" <vojtech@suse.com>,
"Seth Forshee" <seth.forshee@canonical.com>,
"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Joey Lee" <jlee@suse.de>, "Kyle McMartin" <kyle@kernel.org>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"David Woodhouse" <dwmw2@infradead.org>
Subject: Re: Linux Firmware Signing
Date: Tue, 01 Sep 2015 16:46:36 -0400 [thread overview]
Message-ID: <55E60EAC.5010602@quarksecurity.com> (raw)
In-Reply-To: <476DC76E7D1DF2438D32BFADF679FC560105E5D3@ORSMSX103.amr.corp.intel.com>
Roberts, William C wrote:
>> From: owner-linux-security-module@vger.kernel.org [mailto:owner-linux-
>> security-module@vger.kernel.org] On Behalf Of Joshua Brindle
>> Sent: Tuesday, September 1, 2015 7:13 AM
>> To: Paul Moore
>> Cc: Luis R. Rodriguez; Takashi Iwai; Ming Lei; David Howells; Peter Jones;
>> selinux@tycho.nsa.gov; Schaufler, Casey; Stephen Smalley; Matthew Garrett;
>> Kees Cook; Vojtech Pavlík; Seth Forshee; james.l.morris@oracle.com; Dmitry
>> Kasatkin; Johannes Berg; Joey Lee; Kyle McMartin; linux-
>> wireless@vger.kernel.org; linux-kernel@vger.kernel.org; Andy Lutomirski; linux-
>> security-module@vger.kernel.org; Greg Kroah-Hartman; Vitaly Kuznetsov; David
>> Woodhouse
>> Subject: Re: Linux Firmware Signing
>>
>> Paul Moore wrote:
>> <snip>
>>> Yes, there are lots of way we could solve the signed policy format
>>> issue, I just don't have one in mind at this moment. Also, to be
>>> honest, there are enough limitations to signing SELinux policies that
>>> this isn't very high onmy personal SELinux priority list.
>
> Yes I would say this is low on my end. Especially if we can kill off
> Reloadable policy support on Android, my need for this goes away 100%.
>
I'm not sure who "we" is as you are the only person I've heard
advocating for removing that support.
>> The fact that there are so many userspace specific parts of the policy that never
>> make it into the kernel precludes any meaningful verification anyway.
>
> Yes and no. On Android, if I was able to load a policy I could grant myself capabilities that
> We're not possible via the userspace portions, i.e. relabeling, etc. Granted, not checking the
> userspace portions Is not great. In an ideal world, everything is checked. However, the main
> reason to doing it in the kernel is where you want your trust to be. For instance, If I trust that
> userspace Loader, then I need to trust that + the kernel. In the case of verifying the policy signature
> In the kernel, I need to trust only the kernel.
Especially on Android, userspace files are very important. Changing
seapp_contexts or property_contexts can easily get you a privilege
escalation to let you do whatever. Checking only the kernel binary is a
half-solution and should not even be considered.
>
> As far as the desktop environment, I claim ignorance and have no input there.
>
>> And SELinux already has a mechanism for raising the integrity of a process to do
>> things like signature checking in userspace, the domain transition. If someone
>> wants validation of the SELinux policy they just need to eliminate every domains
>> ability to load policy except for a trusted policy loader that does signature
>> checking.
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>> the body of a message to majordomo@vger.kernel.org More majordomo info at
>> http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-09-01 20:46 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20150824210234.GI8051@wotan.suse.de>
[not found] ` <476DC76E7D1DF2438D32BFADF679FC5601057D32@ORSMSX103.amr.corp.intel.com>
[not found] ` <20150824225713.GJ8051@wotan.suse.de>
[not found] ` <CAGXu5jLDHCgygaVNHpuvszN6SXNKAjRW83q3-D2ZfRpO4uAmdw@mail.gmail.com>
[not found] ` <476DC76E7D1DF2438D32BFADF679FC5601058E78@ORSMSX103.amr.corp.intel.com>
[not found] ` <CAGXu5jJuwPfnQhu9u4-90UkmjWTBF_GLpJ7J1VaaT2D0d_-Mhg@mail.gmail.com>
[not found] ` <1440462367.2737.4.camel@linux.vnet.ibm.com>
[not found] ` <CALCETrXWBBdOKz-fSdM7YVu_sWQbA3YsHPeZAkRmtj+eawqZGQ@mail.gmail.com>
[not found] ` <1440464705.2737.36.camel@linux.vnet.ibm.com>
[not found] ` <14540.1440599584@warthog.procyon.org.uk>
2015-08-26 23:26 ` Linux Firmware Signing Luis R. Rodriguez
2015-08-27 2:35 ` Paul Moore
2015-08-27 19:36 ` Luis R. Rodriguez
2015-08-27 23:46 ` Paul Moore
2015-08-27 10:38 ` David Howells
2015-08-27 10:57 ` David Woodhouse
2015-08-27 21:29 ` Luis R. Rodriguez
2015-08-27 23:54 ` Mimi Zohar
2015-08-29 2:16 ` Luis R. Rodriguez
2015-08-31 14:18 ` Mimi Zohar
2015-08-31 16:05 ` David Woodhouse
2015-08-31 16:45 ` Mimi Zohar
2015-09-02 0:00 ` Luis R. Rodriguez
2015-09-01 23:43 ` Luis R. Rodriguez
2015-09-02 3:08 ` Kees Cook
2015-09-02 3:44 ` Mimi Zohar
2015-09-02 15:28 ` Kees Cook
2015-09-02 16:45 ` Mimi Zohar
2015-09-02 17:36 ` Austin S Hemmelgarn
2015-09-02 23:54 ` Mimi Zohar
2015-09-03 0:18 ` Luis R. Rodriguez
2015-08-27 23:56 ` Paul Moore
2015-08-28 11:20 ` Roberts, William C
2015-08-28 22:26 ` Paul Moore
2015-08-29 2:03 ` Luis R. Rodriguez
2015-09-01 2:52 ` Paul Moore
2015-09-01 14:12 ` Joshua Brindle
2015-09-01 20:08 ` Roberts, William C
2015-09-01 20:46 ` Joshua Brindle [this message]
2015-09-01 22:21 ` Eric Paris
2015-08-29 1:56 ` Luis R. Rodriguez
2015-09-01 20:20 ` Kees Cook
2015-09-02 0:09 ` Luis R. Rodriguez
2015-09-02 3:35 ` Mimi Zohar
2015-09-02 18:46 ` Luis R. Rodriguez
2015-09-02 20:54 ` Kees Cook
2015-09-02 21:37 ` Luis R. Rodriguez
2015-09-03 21:14 ` Kees Cook
2015-09-30 20:34 ` Luis R. Rodriguez
2015-09-03 0:05 ` Mimi Zohar
2015-09-03 0:29 ` Luis R. Rodriguez
2015-09-03 3:00 ` Mimi Zohar
2015-08-27 19:37 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55E60EAC.5010602@quarksecurity.com \
--to=brindle@quarksecurity.com \
--cc=casey.schaufler@intel.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jlee@suse.de \
--cc=johannes@sipsolutions.net \
--cc=keescook@chromium.org \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mcgrof@suse.com \
--cc=ming.lei@canonical.com \
--cc=mjg59@srcf.ucam.org \
--cc=paul@paul-moore.com \
--cc=pjones@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=seth.forshee@canonical.com \
--cc=tiwai@suse.de \
--cc=vkuznets@redhat.com \
--cc=vojtech@suse.com \
--cc=william.c.roberts@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).