On Thu, Sep 10, 2020 at 11:18 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> * Ben Cotton:
>
> > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
> >
> > == Summary ==
> > Remove support for SELinux runtime disable so that the LSM hooks can
> > be hardened via read-only-after-initialization protections.
> >
> > Migrate users to using ''selinux=0'' if they want to disable SELinux.
> >
> > == Owner ==
> > * Name: [[User:plautrba| Petr Lautrbach]]
> > * Email: plautrba@xxxxxxxxxx
> > * Name: [[User:omos| Ondrej Mosnacek]]
> > * Email: omosnace@xxxxxxxxxx
> >
> >
> > == Detailed Description ==
> > Support for SELinux runtime disable via ''/etc/selinux/config'' was
> > originally developed to make it easier for Linux distributions to
> > support architectures where adding parameters to the kernel command
> > line was difficult.
> > Unfortunately, supporting runtime disable meant we had to make some
> > security trade-offs when it comes to the kernel LSM hooks.
> >
> > Marking the kernel LSM hooks as read only provides some very nice
> > security benefits, but it does mean that we can no longer disable
> > SELinux at runtime.
>
> Could the static_call framework be used instead for this?
>
> <https://lore.kernel.org/lkml/cover.1547073843.git.jpoimboe@xxxxxxxxxx/>

AFAIK the static_call framework is about mitigating the performance
impact of indirect calls (basically function pointers), while this
proposal is about allowing the security hook function pointers to be
marked read-only after all built-in kernel modules have been
initialized (IOW after the hook lists have been set up based on the
kernel cmdline), which means an attacker wouldn't be able to
neutralize the hooks by overwriting the function pointers.

So unless I misunderstand something, these are two orthogonal
solutions to different problems - you would still have the possibility
to overwrite the hook calls after (only) converting to static_call and
also this proposal doesn't solve the indirect-call performance
problem.

BTW, there has been an RFC patch for switching LSM hooks to use
static_call, but the result is quite ugly-looking code, unfortunately:
https://lore.kernel.org/linux-security-module/20200820164753.3256899-1-jackmanb@xxxxxxxxxxxx/

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
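As an added illustration of the point made in the reply above (this is not code from the thread, from the kernel, or from the Fedora change page): a user-space analog in C of a hook table that is writable while "boot" runs and is then made read-only, with mmap()/mprotect() standing in for the kernel's __ro_after_init treatment of the LSM hook lists. The hook_table struct, the deny_shadow toy module and try_runtime_disable() are hypothetical names constructed for this example. Once the table is sealed, the only way to run without the module is to decide so before sealing, which is the user-space counterpart of passing selinux=0 on the kernel command line rather than flipping /etc/selinux/config after the system is up.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical analog of an LSM hook list: one function pointer per hook. */
typedef int (*hook_fn)(const char *path);

struct hook_table {
    hook_fn file_open;          /* NULL means no security module registered */
};

static struct hook_table *hooks;   /* on its own page so it can be mprotect()ed */
static size_t hooks_len;

/* Toy security module: deny opens of one sensitive path (constructed example). */
static int deny_shadow(const char *path)
{
    return strcmp(path, "/etc/shadow") == 0 ? -1 : 0;
}

/*
 * "Boot": the command-line decision (analog of selinux=0) is taken here,
 * the table is populated, then sealed read-only. Returns 0 or -1.
 */
int hooks_init(int lsm_enabled)
{
    hooks_len = (size_t)sysconf(_SC_PAGESIZE);
    hooks = mmap(NULL, hooks_len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hooks == MAP_FAILED)
        return -1;
    hooks->file_open = lsm_enabled ? deny_shadow : NULL;

    /* Read-only after initialization: no later code path, legitimate or
     * attacker-controlled, can change which hooks are installed. */
    return mprotect(hooks, hooks_len, PROT_READ);
}

/* Returns 0 on success (munmap result), -1 if nothing was mapped. */
int hooks_teardown(void)
{
    int rc = -1;
    if (hooks && hooks != MAP_FAILED)
        rc = munmap(hooks, hooks_len);
    hooks = NULL;
    return rc;
}

/* Call site every open() would pass through. 0 = allow, -1 = deny. */
int security_file_open(const char *path)
{
    return hooks->file_open ? hooks->file_open(path) : 0;
}

/*
 * What a runtime disable (or an attacker with an arbitrary write) needs:
 * overwrite the hook pointer. Returns 1 if the sealed page blocked the
 * write, 0 if it went through. SIGSEGV/SIGBUS are caught via siglongjmp.
 */
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

int try_runtime_disable(void)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int blocked = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_jmp, 1) == 0)
        hooks->file_open = NULL;   /* faults: the page is read-only */
    else
        blocked = 1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}

int main(void)
{
    if (hooks_init(1) != 0) { perror("hooks_init"); return 1; }
    printf("open /etc/shadow with module -> %d\n", security_file_open("/etc/shadow"));
    printf("runtime disable blocked -> %d\n", try_runtime_disable());
    printf("open /etc/shadow after attempt -> %d\n", security_file_open("/etc/shadow"));
    hooks_teardown();

    /* Supported path: decide at boot instead (analog of selinux=0). */
    if (hooks_init(0) != 0) { perror("hooks_init"); return 1; }
    printf("open /etc/shadow, disabled at boot -> %d\n", security_file_open("/etc/shadow"));
    return hooks_teardown();
}
```

The sealing step is the whole point: after mprotect() the pointer can still be read and called, so the hook keeps enforcing, but the single store that a runtime disable (or an exploit) would need faults instead of succeeding. static_call would replace the indirect call with a patched direct call, which changes the cost of calling the hook but not who is allowed to modify the call target, which is why the reply treats the two as orthogonal.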