On Wed, May 8, 2024 at 3:00 AM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> One idea here is that only LSM hooks with default_state = false can be toggled.
>
> This would also any ROPs that try to abuse this function. Maybe we can call "default_disabled" .toggleable (or dynamic)
>
> and change the corresponding LSM_INIT_TOGGLEABLE. Kees, Paul, this may be a fair middle ground?

Seems reasonable to me, although I think it's worth respinning to get a proper look at it in context. Some naming bikeshedding below ...

> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 4bd1d47bb9dc..5c0918ed6b80 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -117,7 +117,7 @@ struct security_hook_list {
>  struct lsm_static_call *scalls;
>  union security_list_options hook;
>  const struct lsm_id *lsmid;
> - bool default_enabled;
> + bool toggleable;
>  } __randomize_layout;

How about inverting the boolean and using something like 'fixed' instead of 'toggleable'?

-- 
paul-moore.com
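Review bot: the renamed member in struct security_hook_list carries no comment saying what `toggleable` means (which hooks may have their state changed at runtime and which are fixed), and the hunk only touches the struct, so every initializer that still sets `.default_enabled` and the LSM_INIT_TOGGLEABLE macro mentioned above have to change in the same patch or the header no longer builds against its users. Because `default_enabled` and `toggleable` have inverted meaning for a hook that is on by default, a one-line comment next to `bool toggleable;` such as `/* false: state is fixed and cannot be changed at runtime */` would make the intent clear to readers of the header, whichever of the two spellings (or 'fixed') ends up being chosen.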
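The rule under discussion, that only hooks which are disabled by default may be toggled and everything else is fixed, can be illustrated with a small userspace model. The code below is an added example written for this page; it is not kernel code and does not reproduce the static-call machinery (the `scalls` member) that the real hook list uses. The struct, macro and function names (`hook_entry`, `HOOK_FIXED`, `HOOK_TOGGLEABLE`, `hook_set_enabled`, `hook_table_validate_defaults`) and the hook names in the table are all hypothetical.

```c
/* Added example, not kernel code: a minimal model of the "only default-disabled
 * hooks may be toggled" rule from the thread above. All names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct hook_entry {
	const char *name;
	bool toggleable;	/* hypothetical counterpart of the proposed field:
				 * false means the hook's state is fixed */
	bool enabled;		/* current runtime state */
};

/* Hypothetical initializers: a fixed hook starts enabled and stays that way;
 * a toggleable hook starts disabled (default_state = false). */
#define HOOK_FIXED(n)      { .name = (n), .toggleable = false, .enabled = true }
#define HOOK_TOGGLEABLE(n) { .name = (n), .toggleable = true,  .enabled = false }

/* Constructed sample table. */
static struct hook_entry hooks[] = {
	HOOK_FIXED("file_open"),
	HOOK_FIXED("bprm_check_security"),
	HOOK_TOGGLEABLE("task_alloc"),
};
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

struct hook_entry *hook_lookup(const char *name)
{
	for (size_t i = 0; i < NHOOKS; i++)
		if (strcmp(hooks[i].name, name) == 0)
			return &hooks[i];
	return NULL;
}

/* Init-time sanity check: returns how many entries break the invariant
 * "toggleable implies disabled by default, fixed implies enabled". Call it
 * once before any toggling; after that, toggled entries legitimately differ. */
size_t hook_table_validate_defaults(void)
{
	size_t bad = 0;

	for (size_t i = 0; i < NHOOKS; i++)
		if (hooks[i].toggleable == hooks[i].enabled)
			bad++;
	return bad;
}

/* The runtime gate. Even if an attacker reaches this function (the ROP worry
 * raised above), a fixed hook cannot be switched off: the flag is consulted
 * before the state is written. Returns 0 on success, -EPERM for a fixed hook,
 * -ENOENT for an unknown name. */
int hook_set_enabled(const char *name, bool on)
{
	struct hook_entry *h = hook_lookup(name);

	if (!h)
		return -ENOENT;
	if (!h->toggleable)
		return -EPERM;
	h->enabled = on;
	return 0;
}

bool hook_is_enabled(const char *name)
{
	struct hook_entry *h = hook_lookup(name);

	return h && h->enabled;
}

int main(void)
{
	printf("table violations at init: %zu\n", hook_table_validate_defaults());
	printf("disable file_open -> %d\n", hook_set_enabled("file_open", false));
	printf("enable task_alloc -> %d\n", hook_set_enabled("task_alloc", true));
	printf("file_open enabled: %d, task_alloc enabled: %d\n",
	       (int)hook_is_enabled("file_open"), (int)hook_is_enabled("task_alloc"));
	return 0;
}
```

The point of the model is the ordering inside `hook_set_enabled`: the per-hook flag is a property fixed at table construction, so a caller (legitimate or not) can never move a fixed hook out of its enabled state, while the validator catches a table entry that is marked toggleable but starts enabled, which would silently widen what the toggle function can do.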