On Sat, Dec 9, 2023 at 3:28 AM Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Commit 20510f2f4e2d ("security: Convert LSM into a static interface") has
> unexported register_security()/unregister_security(), with the reasoning
> that the ability to unload an LSM module is not required by in-tree users
> and potentially complicates the overall security architecture.
>
> After that commit, many LSM modules have been proposed and some of them
> have succeeded in becoming in-tree users. Also, Linux distributors started
> enabling some of the in-tree LSM modules in their distribution kernels.
>
> But due to that commit, currently in order to officially use an LSM
> module, that LSM module has to be built into vmlinux. And this limitation
> has been a big barrier for allowing distribution kernel users to use LSM
> modules which the organization who builds that distribution kernel cannot
> afford supporting.
>
> Therefore, as one of the in-tree users, I've been asking for the ability to
> append LSM hooks from LKM-based LSMs (i.e. re-export register_security()) so
> that distribution kernel users can use LSMs which the organization who builds
> that distribution kernel cannot afford supporting.
>
> Paul Moore believes that we don't need to support appending LSM hooks from
> LKM-based LSMs because anyone who wants to use an LSM module can recompile
> distributor kernels with that LSM enabled. But recompiling kernels is not
> a viable option for regular developers/users [1]; the burden of
> distributing rebuilt kernels is not acceptable for individual LSM authors
> and the majority of Linux users, and the risk of replacing a known distributor's
> prebuilt kernels with an unknown individual's rebuilt kernels is not
> acceptable for the majority of distributor kernel users. If Endpoint Detection
> and Response software (including Antivirus software) could not be used
> without replacing the distributor's prebuilt kernels, Linux would not have been
> chosen as a platform. Being able to use whatever functionality using
> prebuilt distribution kernel packages and prebuilt kernel-debuginfo
> packages is the mandatory baseline. Therefore, in order to unofficially use
> LSMs which are not built into vmlinux, I've been maintaining AKARI (which
> is a pure LKM version of TOMOYO) as an LKM-based LSM which can run on
> kernels between 2.6.0 and 6.6.
>
> I was planning to propose the ability to append LSM hooks from LKM-based LSMs
> (i.e. re-export register_security()) so that distribution kernel users can
> use LSMs which the organization who builds that distribution kernel cannot
> afford supporting, after Casey Schaufler finishes his work for making it
> possible to enable arbitrary LSM combinations. But before Casey's work
> finishes, KP Singh started proposing "Reduce overhead of LSMs with static
> calls" which will make AKARI more difficult to run because it removes
> security_hook_heads. Therefore, reviving the ability to officially append LSM
> hooks from LKM-based LSMs became an urgent matter.
>
> KP Singh suggested that I try eBPF programs because BPF LSM is enabled in
> distributors' prebuilt kernels. But the result was that eBPF is too
> restricted to emulate TOMOYO. Therefore, I still need the ability to append
> LSM hooks from LKM-based LSMs.
>
> Since it seems that nobody has an objection to not using an LSM module which
> calls LSM hooks in the LKM-based LSMs [2], this version directly appended
> the linked list into individual callbacks. KP Singh's "Reduce overhead of
> LSMs with static calls" proposal will replace security_hook_heads with an
> array of static call slots, and mod_security_hook_heads will remain
> untouched.
>
> This patch implements only the ability to add LSM modules after boot, for
> as far as we know, we haven't heard of requests for reviving the ability
> to remove LSM modules after boot.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> Link: https://lkml.kernel.org/r/d759146e-5d74-4782-931b-adda33b125d4@xxxxxxxxxxxxxxxxxxx [1]
> Link: https://lkml.kernel.org/r/93b5e861-c1ec-417c-b21e-56d0c4a3ae79@xxxxxxxxxxxxxxxxxxx [2]
> ---
>  include/linux/lsm_hooks.h |   9 +++
>  security/security.c       | 134 ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 143 insertions(+)

My objections presented in the v2 revision of this patchset remain.

-- 
paul-moore.com