Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter
From: Kees Cook <hidden>
Date: 2021-11-18 20:29:27
Also in:
linux-arch, linux-fsdevel, linux-hardening, lkml
On Thu, Nov 18, 2021 at 10:30:32AM -0800, Casey Schaufler wrote:
> On 11/18/2021 9:32 AM, Kees Cook wrote:
>> On Tue, Nov 16, 2021 at 11:00:23AM -0800, Casey Schaufler wrote:
>>> On 11/16/2021 10:41 AM, Kees Cook wrote:
>>>> On Tue, Nov 16, 2021 at 12:12:16PM +0300, Alexander Popov wrote:
>>>>> What if the Linux kernel had an LSM module responsible for error handling policy? That would require adding LSM hooks to BUG*(), WARN*(), KERN_EMERG, etc. In such an LSM policy we can decide immediately how to react to the kernel error. We can even decide depending on the subsystem and things like that.
>>>>
>>>> That would solve the "atomicity" issue the WARN tracepoint solution has, and it would allow for very flexible userspace policy. I actually wonder if the existing panic_on_* sites should serve as a guide for where to put the hooks. The current sysctls could be replaced by the hooks and a simple LSM.
>>>
>>> Do you really want to make error handling a "security" issue? If you add security_bug(), security_warn_on() and the like you're begging that they be included in SELinux (AppArmor) policy. BPF, too, come to think of it. Is that what you want?
>>
>> Yeah, that is what I was thinking. This would give the LSM a view into kernel state, which seems a reasonable thing to do. If system integrity is compromised, an LSM may want to stop trusting things.
>
> How are you planning to communicate the security relevance of the warning to the LSM? I don't think that __FILE__, __LINE__ or __func__ is great information to base security policy on. Nor is a backtrace.

I think that would be part of the design proposal. Initially, the known parts are "warn or bug" and "pid".

>> A dedicated error-handling LSM could be added for those hooks that implemented the existing default panic_on_* sysctls, and could expand on that logic for other actions.
>
> I can see having an interface like LSM for choosing a bug/warn policy. I worry about expanding the LSM hook list for a case where I would hope no existing LSM would use them, and the new LSM doesn't use any of the existing hooks.

Yeah, I can see that, though we've got a history of the "specialized" hooks getting used by other LSMs. (e.g. loadpin's stuff got hooked up to other LSMs, etc.)

-- 
Kees Cook