On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: > On 2021/03/24 1:13, Mimi Zohar wrote: > > On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > >> On 2021/03/23 23:47, Mimi Zohar wrote: > >>> Initially I also questioned making "integrity" an LSM. Perhaps it's > >>> time to reconsider. For now, it makes sense to just fix the NULL > >>> pointer dereferencing. > >> > >> Do we think calling panic() as "fix the NULL pointer dereferencing" ? > > > > Not supplying "integrity" as an "lsm=" option is a user error. There > > are only two options - allow or deny the caller to proceed. If the > > user is expecting the integrity subsystem to be properly working, > > returning a NULL and allowing the system to boot (RFC patch version) > > does not make sense. Better to fail early. > > What does the "user" mean? Those who load the vmlinux? > Only the "root" user (so called administrators)? > Any users including other than "root" user? > > If the user means those who load the vmlinux, that user is explicitly asking > for disabling "integrity" for some reason. In that case, it is a bug if > booting with "integrity" disabled is impossible. > > If the user means something other than those who load the vmlinux, > is there a possibility that that user (especially non "root" users) is > allowed to try to use "integrity" ? If processes other than global init > process can try to use "integrity", wouldn't it be a DoS attack vector? > Please explain in the descripotion why calling panic() does not cause > DoS attack vector. User in this case, is anyone rebooting the system and is intentionally changing the default values, dropping the "integrity" option on the boot command line. Mimi
