Re: [PATCH 00/12] One more attempt at useful kernel lockdown

[Matthew Garrett <matthew.garrett@nebula.com>]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 2790 bytes --]

On Mon, 2013-09-09 at 16:19 -0700, David Lang wrote:
> On Mon, 9 Sep 2013, Matthew Garrett wrote:
> > Having thought about this, the answer is no. It presents exactly the
> > same problem as capabilities do - the set can never be meaningfully
> > extended. If an application sets only the bits it knows about, and if a
> > new security-sensitive feature is added to the kernel, the feature will
> > be left enabled and the system will be insecure. Alternatively, if an
> > application sets all the bits regardless of whether it knows them or
> > not, it may enable a lockdown feature that it otherwise required.
> 
> In this case you are no less secure than you were before the feature was added, 
> you just can't take advantage of the new feature without updating userspace.

No. Say someone adds an additional lockdown bit to forbid raw access to
mounted block devices. The "Turn everything off" approach now means that
I won't be able to perform raw access to mounted block devices, even if
that's something that my use case relies on.

> > The only way this is useful is if all the bits are semantically
> > equivalent, and in that case there's no point in having anything other
> > than a single bit. Users who want a more fine-grained interface should
> > use one of the existing mechanisms for doing so - leave the kernel open
> > and impose the security policy from userspace using either capabilities
> > or selinux.
> 
> so if you only have a single bit, how do you deal with the case where that bit 
> locks down something that's required? (your reason for not just setting all bits 
> in the first approach)

Because that bit is well-defined, and if anything is added to it that
doesn't match that definition then it's a bug.

> your arguments don't seem self consistent.

You don't seem to have been paying attention to the past 12 months of
discussion.

> If I'm building a kiosk PC (or voting machine), I want to disable a lot of 
> things that I could not get away with disabling on a generic laptop. Are we 
> going to have Securelevel, ReallySecurelevel, ReallyReallySecurelevel, etc? or 
> can we accept that security is not binary and allow users to disable features 
> in a more granualar way?

Anything more granular means that you trust your userspace, and if you
trust your userspace then you can already set up a granular policy using
the existing tools for that job. So just use the existing tools.

> And if SELinux can do the job, what is the reason for creating this new option?

Because you can't embed an unmodifiable selinux policy in the kernel.

-- 
Matthew Garrett <matthew.garrett@nebula.com>
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥