[RFC PATCH v2 0/4] LSM: Officially support appending LSM hooks after boot.
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Tue Nov 21 13:03:31 UTC 2023
On 2023/11/21 7:52, Paul Moore wrote:
> On Mon, Nov 20, 2023 at 8:28 AM Tetsuo Handa
> <penguin-kernel at i-love.sakura.ne.jp> wrote:
>>
>> This functionality will be used by TOMOYO security module.
>>
>> In order to officially use an LSM module, that LSM module has to be
>> built into vmlinux. This limitation has been a big barrier for allowing
>> distribution kernel users to use LSM modules which the organization who
>> builds that distribution kernel cannot afford supporting [1]. Therefore,
>> I've been asking for the ability to append LSM hooks from LKM-based LSMs so
>> that distribution kernel users can use LSMs which the organization who
>> builds that distribution kernel cannot afford supporting.
>
> It doesn't really matter for this discussion, but based on my days
> working for a Linux distro company I would be very surprised if a
> commercial distro would support a system running unapproved
> third-party kernel modules.
A commercial distro does not care about problems that are caused by
using kernel modules that are not included in that distro's kernels.
Those who supply kernel modules that are not included in that distro's
kernels (e.g. antivirus software vendors) care about problems that are
caused by using such kernel modules.
Kernel modules for hardware devices that are not included in that distro's
kernels can be appended after boot.
Kernel modules for filesystems that are not included in that distro's
kernels can be appended after boot.
If a commercial distro does not want to allow use of kernel modules that
are not included in that distro's kernels, that distro would enforce module
signature verification rather than disabling loadable module support.
Keeping loadable module support enabled is a balance that is important for
getting wider developers/users.
>
> We've talked a lot about this core problem and I maintain that it is
> still a distro problem and not something I'm really concerned about
> upstream.
LSM modules that are not built into vmlinux currently cannot be appended
after boot. Such asymmetry is strange and remains a big barrier.
You are not concerned about this asymmetry, but I am very much concerned.
Please give me feedback not of the form "I don't need it" but of the form "how we can do it".
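The distinction drawn above, between a distro disabling loadable module support and a distro enforcing module signature verification, corresponds to a handful of concrete kernel knobs. The script below is an added example, not part of this thread or of the TOMOYO patch series: it reports which of those knobs is in effect. The default paths are the real locations on a running Linux system (the kernel config under /boot, the module.sig_enforce parameter under /sys, the kernel.modules_disabled sysctl under /proc, and the lockdown state under securityfs); each can be overridden with an argument so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example: classify how a kernel treats out-of-tree modules.
# Not code from the mailing-list thread or from TOMOYO.
#
# Arguments (all optional, defaults are the live-system locations):
#   $1  kernel config file           (/boot/config-$(uname -r))
#   $2  module.sig_enforce parameter (/sys/module/module/parameters/sig_enforce)
#   $3  kernel.modules_disabled      (/proc/sys/kernel/modules_disabled)
#   $4  lockdown state               (/sys/kernel/security/lockdown)
#
# Prints one of: no-modules, modules-disabled, signature-enforced, unsigned-allowed
module_policy() {
    config="${1:-/boot/config-$(uname -r)}"
    sig_enforce="${2:-/sys/module/module/parameters/sig_enforce}"
    modules_disabled="${3:-/proc/sys/kernel/modules_disabled}"
    lockdown="${4:-/sys/kernel/security/lockdown}"

    # CONFIG_MODULES=n: the kernel has no loadable module support at all.
    # This is the "disable loadable module support" option from the thread.
    if [ -r "$config" ] && ! grep -q '^CONFIG_MODULES=y' "$config"; then
        echo "no-modules"
        return 0
    fi

    # kernel.modules_disabled=1 is a one-way sysctl: modules were loadable
    # at boot, but no further loads are accepted until reboot.
    if [ -r "$modules_disabled" ] && [ "$(cat "$modules_disabled")" = "1" ]; then
        echo "modules-disabled"
        return 0
    fi

    # module.sig_enforce=Y (set by CONFIG_MODULE_SIG_FORCE=y or the boot
    # parameter) rejects modules that are unsigned or signed with a key the
    # kernel does not trust. This is the "enforce module signature
    # verification" option from the thread: third-party modules still load,
    # but only if signed with a trusted key.
    if [ -r "$sig_enforce" ] && [ "$(cat "$sig_enforce")" = "Y" ]; then
        echo "signature-enforced"
        return 0
    fi

    # Lockdown in integrity or confidentiality mode also requires signed
    # modules. The file lists all modes with the active one in brackets.
    if [ -r "$lockdown" ] && grep -q -e '\[integrity\]' -e '\[confidentiality\]' "$lockdown"; then
        echo "signature-enforced"
        return 0
    fi

    # Modules can be loaded without a trusted signature.
    echo "unsigned-allowed"
}

# Usage on a live system: source this file, then run `module_policy` with
# no arguments (root is needed to read some of the paths on hardened distros).
```

The order of the checks matters: a kernel with CONFIG_MODULE_SIG_FORCE=y that has also had kernel.modules_disabled set to 1 is reported as modules-disabled, since that is the stricter condition in effect. Note that none of these knobs distinguishes an LSM from any other module, which is the asymmetry the thread is about: a signed out-of-tree filesystem or driver loads fine under signature-enforced, while an LSM cannot register its hooks after boot regardless of how it is signed.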