TOMOYO's pull request for v6.12

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Mon Oct 7 11:00:31 UTC 2024


On 2024/10/06 20:14, Simon Thoby wrote:
>> It is sad that the LSM community does not like e.g. loadable LSM modules even though
>> writable variables are not a practical attack vector for my customers...
>>
> 
> The difficulty is that the LSM community needs to think of what's best for all users,
> and that includes users where the writable static calls may be an exploitable path.

I explained how __ro_after_init linked-list can be made writable only while registering
callbacks at https://lkml.kernel.org/r/5b09909b-fe43-4a9c-b9a7-2e1122b2cdb6@I-love.SAKURA.ne.jp .
What is the reason this approach can't be applied to __ro_after_init static calls?

I don't think that the LSM framework will forever never allow adding callbacks after
the __init phase. This is a matter of deciding whether the LSM framework allows
"making read-only a bit later than the __init phase" (or "making writable only while
registering callbacks"). And if we decide to implement it, then we can write a
proper API.



>> Going back to tomoyo.ko seen from my customers' point of view.
>>
>> Advantage of building TOMOYO into vmlinux is that the procedure for
>> communicating with managers/developers/operators becomes simple.
>>
>> Advantage of building TOMOYO as tomoyo.ko is that users can update only
>> tomoyo.ko (thanks to KABI in RHEL kernels) when a bug is found in TOMOYO.
>> Minimizing possible code changes helps minimize the cost of updating packages.
>> But secure boot / module signing (not a topic to consider for current
>> environment, but possibly becomes a topic to consider for future environment)
>> needs to be taken into account.
> 
> Finally, I must admit that I know nearly nothing of both TOMOYO and BPF-LSM.
> Nevertheless, for your tracing needs (this may not work well for enforcing a
> policy, but I kind of inferred from your emails that you were mostly interested
> in tracing/debugging capabilities), maybe you could reproduce the necessary functionalities
> of TOMOYO via BPF-LSM?

I already considered using BPF-LSM. My conclusion is that BPF-LSM is too
restricted to mimic TOMOYO's tracing capability.



