Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in... | linux-api

[PATCH V33 00/30] Lockdown as an LSM · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 01/30] security: Support early LSMs · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 01/30] security: Support early LSMs · Kees Cook <hidden> · 2019-06-21
Re: [PATCH V33 01/30] security: Support early LSMs · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 01/30] security: Support early LSMs · Andy Lutomirski <luto@kernel.org> · 2019-06-21
Re: [PATCH V33 01/30] security: Support early LSMs · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 03/30] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 03/30] security: Add a static lockdown policy LSM · Kees Cook <hidden> · 2019-06-21
Re: [PATCH V33 03/30] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 03/30] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 03/30] security: Add a static lockdown policy LSM · Mimi Zohar <zohar@linux.ibm.com> · 2019-06-21
[PATCH V33 07/30] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 06/30] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 10/30] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 11/30] uswsusp: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 14/30] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 15/30] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 16/30] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 18/30] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 19/30] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 21/30] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 21/30] x86/mmiotrace: Lock down the testmmiotrace module · Steven Rostedt <rostedt@goodmis.org> · 2019-06-26
[PATCH V33 23/30] Lock down tracing and perf kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-06-21
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · James Morris <jmorris@namei.org> · 2019-06-26
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@amacapital.net> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Stephen Smalley <hidden> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · James Morris <jmorris@namei.org> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Stephen Smalley <hidden> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-06-27
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-28
Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-06-29
[PATCH V33 27/30] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 27/30] lockdown: Print current->comm in restriction messages · Kees Cook <hidden> · 2019-06-21
[PATCH V33 30/30] efi: Restrict efivar_ssdt_load when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 29/30] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 29/30] tracefs: Restrict tracefs when the kernel is locked down · Steven Rostedt <rostedt@goodmis.org> · 2019-06-26
Re: [PATCH V33 29/30] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-26
[PATCH V33 28/30] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 26/30] kexec: Allow kexec_file() with appropriate IMA policy when locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 25/30] Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 22/30] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 20/30] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 17/30] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 13/30] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 12/30] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 09/30] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 08/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 05/30] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
[PATCH V33 04/30] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 04/30] Enforce module signatures if the kernel is locked down · Kees Cook <hidden> · 2019-06-21
[PATCH V33 02/30] security: Add a "locked down" LSM hook · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V33 02/30] security: Add a "locked down" LSM hook · Kees Cook <hidden> · 2019-06-21
Re: [PATCH V33 02/30] security: Add a "locked down" LSM hook · Matthew Garrett <hidden> · 2019-06-21

Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode

From: James Morris <jmorris@namei.org>
Date: 2019-06-27 18:08:10
Also in: linux-security-module, lkml, netdev

On Thu, 27 Jun 2019, Stephen Smalley wrote:

There are two scenarios where finer-grained distinctions make sense:

- Users may need to enable specific functionality that falls under the
umbrella of "confidentiality" or "integrity" lockdown.  Finer-grained lockdown
reasons free them from having to make an all-or-nothing choice between lost
functionality or no lockdown at all.

Agreed. This will be used for more than just UEFI secure boot on desktops, 
e.g. embedded systems using verified boot, where finer grained policy will 
be needed for what are sometimes very specific use-cases (which may be 
also covered by other mitigations).

This can be supported directly by the
lockdown module without any help from SELinux or other security modules; we
just need the ability to specify these finer-grained lockdown levels via the
boot parameters and securityfs nodes.

If the lockdown LSM implements fine grained policy (rather than the simple 
coarse grained policy), I'd suggest adding a new lockdown level of 
'custom' which by default enables all hooks but allows selective 
disablement via params/sysfs.

This would be simpler than telling users to use a different lockdown LSM 
for this.

- Different processes/programs may need to use different sets of functionality
restricted via lockdown confidentiality or integrity categories.  If we have
to allow all-or-none for the set of interfaces/functionality covered by the
generic confidentiality or integrity categories, then we'll end up having to
choose between lost functionality or overprivileged processes, neither of
which is optimal.

Is it truly the case that everything under the "confidentiality" category
poses the same level of risk to kernel confidentiality, and similarly for
everything under the "integrity" category?  If not, then being able to
distinguish them definitely has benefit.

Good question. We can't know the answer to this unless we know how an 
attacker might leverage access.

The value here IMHO is more in allowing tradeoffs to be made by system 
designers vs. disabling lockdown entirely.

I'm still not clear though on how/if this will compose with or be overridden
by other security modules.  We would need some means for another security
module to take over lockdown decisions once it has initialized (including
policy load), and to be able to access state that is currently private to the
lockdown module, like the level.

Why not utilize stacking (restrictively), similarly to capabilities?


-- 
James Morris
[off-list ref]

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help