[RFC] Turn lockdown into an LSM
Stephen Smalley
sds at tycho.nsa.gov
Wed May 22 20:03:23 UTC 2019
On 5/22/19 3:19 PM, James Morris wrote:
> On Wed, 22 May 2019, Stephen Smalley wrote:
>
>> That seems to violate the intent of lockdown as I understood it, and
>> turns security_is_locked_down() into a finer-grained capable() call.
>> Also, if I understand correctly, this could only be done if one were to
>> disable the lockdown module in the lsm list, since the security
>> framework will return non-zero (i.e. the operation is locked down) if
>> any module that implements the hook returns non-zero; LSM is
>> "restrictive". At that point SELinux or the other LSM would be the sole
>> arbiter of lockdown decisions. SELinux or the other LSM also wouldn't
>> have access to the kernel_locked_down level unless that was exported in
>> some manner from the lockdown module. Not sure how to compose these.
>
> Right, I was envisaging the LSM replacing the default.
>
> i.e. the default is tristate OR fine grained LSM policy.
>
> They could in theory be composed restrictively, but this is likely not
> useful given the coarse grained default policy. All the LSM could do is
> either further restrict none or integrity.
>
> We'd need to figure out how to avoid confusing users in the case where
> multiple LSMs are registered for the hooks, possibly by having the
> lockdown LSM gate this and update the securityfs lockdown node with
> something like "lsm:smack".
Some kind of transition from the lockdown module to other security
modules might be needed, e.g. you might need to start with
lockdown=integrity to protect the kernel up to the point where a policy
is loaded, then hand off to SELinux or another security module to handle
further requests.
More information about the Linux-security-module-archive
mailing list