[RFC PATCH v2 0/4] LSM: Officially support appending LSM hooks after boot.

Paul Moore paul at paul-moore.com
Wed Nov 22 04:41:16 UTC 2023


On Tue, Nov 21, 2023 at 8:03 AM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
> On 2023/11/21 7:52, Paul Moore wrote:
> > On Mon, Nov 20, 2023 at 8:28 AM Tetsuo Handa
> > <penguin-kernel at i-love.sakura.ne.jp> wrote:
> >>
> >> This functionality will be used by TOMOYO security module.
> >>
> >> In order to officially use an LSM module, that LSM module has to be
> >> built into vmlinux. This limitation has been a big barrier for allowing
> >> distribution kernel users to use LSM modules which the organization who
> >> builds that distribution kernel cannot afford supporting [1]. Therefore,
> >> I've been asking for the ability to append LSM hooks from LKM-based LSMs so
> >> that distribution kernel users can use LSMs which the organization who
> >> builds that distribution kernel cannot afford supporting.
> >
> > It doesn't really matter for this discussion, but based on my days
> > working for a Linux distro company I would be very surprised if a
> > commercial distro would support a system running unapproved
> > third-party kernel modules.
>
> A commercial distro does not care about problems that are caused by
> using kernel modules that are not included in that distro's kernels.

My experience has taught me otherwise.

> If a commercial distro does not want to allow use of kernel modules that
> are not included in that distro's kernels, that distro would enforce module
> signature verification rather than disabling loadable module support.
> Keeping loadable module support enabled is a balance that is important for
> getting wider developers/users.

We don't currently support LSMs as dynamically loadable kernel modules
and if the only reasons for doing so are either to A) support
out-of-tree LSMs or B) avoid having to recompile a kernel (to hack an
unsupported LSM into a distro kernel) I have to say (yet again) that I
am not interested.

> > We've talked a lot about this core problem and I maintain that it is
> > still a distro problem and not something I'm really concerned about
> > upstream.
>
> LSM modules that are not built into vmlinux currently cannot be appended
> after boot. Such asymmetry is strange and remains a big barrier.
>
> You are not concerned about this asymmetry, but I am very much concerned.
> Please give me feedback on not "I don't need it" but "how we can do it".

I thought my feedback has been clear up to this point, but perhaps I
need to be more direct.  At this point in time I am not interested in
supporting dynamically loaded LSM kernel modules if the only reasons
are to support out-of-tree LSMs or users who want to hack unsupported
LSMs into pre-built distro kernels; both of these use cases can be
solved today by compiling your own kernel.

As with the other threads involving this topic, I'm going to refrain
from any further comments until I see a new discussion point.

--
paul-moore.com
