Yet another vision of Linux security | Endpoint Security Framework

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Thu Jun 20 14:59:25 UTC 2024


On 2024/06/20 23:28, Stephen Smalley wrote:
> Note that a number of the LSM hooks are called from interrupt or while
> holding locks and thus cannot sleep/block.

I think that that is because LSM hooks are intended for avoiding TOCTOU
problems. LSM hooks at which TOMOYO checks permissions are allowed to
sleep/block, at the cost of giving up checking permissions for e.g.
sending signals.

Since I'm not an AV/EDR software developer, I can't say what hooks they
need. But history says that there was an attempt to use LSM hooks (and
the quality of an implementation whose source code is available was
too poor to recommend to customers). Analyzing vmcore suggests that recent
kernel code used by AV/EDR software tends to rewrite syscall tables.
I don't know the reason, but I think that that is because the LSM framework
did not officially support loading LSM modules after boot, and LSM hooks
did not receive enough arguments needed by AV/EDR software. Thus, I guess
that adding security hooks into locations where locks are not yet held
would be helpful.
