On Tue, Jun 09, 2020 at 08:22:13AM +0900, Tetsuo Handa wrote: > On 2020/06/09 1:23, Alexei Starovoitov wrote: > > On Sun, Jun 07, 2020 at 11:31:05AM +0900, Tetsuo Handa wrote: > >> On 2020/06/07 10:49, Alexei Starovoitov wrote: > >>> So you're right that for most folks user space is the > >>> answer. But there are cases where kernel has to have these things before > >>> systemd starts. > >> > >> Why such cases can't use init= kernel command line argument? > >> The program specified via init= kernel command line argument can do anything > >> before systemd (a.k.a. global init process) starts. > >> > >> By the way, from the LSM perspective, doing a lot of things before global init > >> process starts is not desirable, for access decision can be made only after policy > >> is loaded (which is generally when /sbin/init on a device specified via root= > >> kernel command line argument becomes ready). Since > >> fork_usermode_blob((void *) "#!/bin/true\n", 12, info) is possible, I worry that > >> the ability to start userspace code is abused for bypassing dentry/inode-based > >> permission checks. > > > > bpf_lsm is that thing that needs to load and start acting early. > > It's somewhat chicken and egg. fork_usermode_blob() will start a process > > that will load and apply security policy to all further forks and execs. > > fork_usermode_blob() would start a process in userspace, but early in the boot > stage means that things in the kernel might not be ready to serve for userspace > processes (e.g. we can't open a shared library before a filesystem containing > that file becomes ready, we can't mount a filesystem before mount point becomes > ready, we can't access mount point before a device that contains that directory > becomes ready). > > TOMOYO LSM module uses call_usermodehelper() from tomoyo_load_policy() in order to > load and apply security policy. What is so nice with fork_usermode_blob() compared > to existing call_usermodehelper(), at the cost of confusing LSM modules by allowing > file-less execve() request from fork_usermode_blob() ? For the same reason you did commit 0e4ae0e0dec6 ("TOMOYO: Make several options configurable.") Quoting your words from that commit: "To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for activating access control without calling external policy loader program."