[GIT PULL] selinux/selinux-pr-20250323
Linus Torvalds
torvalds at linux-foundation.org
Tue Mar 25 23:02:13 UTC 2025
On Sun, 23 Mar 2025 at 12:39, Paul Moore <paul at paul-moore.com> wrote:
>
> - Add additional SELinux access controls for kernel file reads/loads
>
> The SELinux kernel file read/load access controls were never updated
> beyond the initial kernel module support, this pull request adds
> support for firmware, kexec, policies, and x.509 certificates.
Honestly, is there a *reason* for this, or is this just some misguided
"for completeness" issue?
Because dammit, adding more complexity to the security rules isn't a
feature, and isn't security. It's just theater.
And it adds completely pointless extra cases making the different
cases use artificially different code.
The commit message doesn't actually make any mention of *why* any of
this would be a good idea.
I've pulled this, but honestly, I think all those new cases should be
removed, and if people object to us having "LOADING_MODULE" for other
kinds of reads, then I think the fix should be to just rename it to
"KERNEL_LOAD" or whatever.
Because dammit, this "make security interfaces more complicated just
because" needs to STOP.
We are literally wasting enormous amounts of time in the security
layers - I regularly see the lsm and selinux layers spending *more*
time on security than the actual operation takes because the security
people have written random code without taking performance into
account - and I need to see *reasons* for adding more crap in this
area, not "let's expand" with no actual reason given.
So I really think that commit needs to be either reverted or explained
very clearly why user policy _needs_ to care for the difference
between a module load and a firmware image load.
Because I think any such explanation is likely complete BS. The
difference between loading modules and loading firmware usually would
boil down to "different hardware does things differently". There's no
obvious reason why one should be considered different from another
from a security standpoint.
Linus
More information about the Linux-security-module-archive
mailing list