On Sat, Sep 25, 2021 at 5:07 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
> On 9/24/21 11:12 AM, Stephen Smalley wrote:
> > On Fri, Sep 24, 2021 at 10:22 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >>> On Thu, Sep 23, 2021 at 5:18 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >>>> The original SELinux lockdown implementation in 59438b46471a
> >>>> ("security,lockdown,selinux: implement SELinux lockdown") used the
> >>>> current task's credentials as both the subject and object in the
> >>>> SELinux lockdown hook, selinux_lockdown(). Unfortunately that
> >>>> proved to be incorrect in a number of cases as the core kernel was
> >>>> calling the LSM lockdown hook in places where the credentials from
> >>>> the "current" task_struct were not the correct credentials to use
> >>>> in the SELinux access check.
> >>>>
> >>>> Attempts were made to resolve this by adding a credential pointer
> >>>> to the LSM lockdown hook as well as suggesting that the single hook
> >>>> be split into two: one for user tasks, one for kernel tasks; however
> >>>> neither approach was deemed acceptable by Linus.
> >>>>
> >>>> In order to resolve the problem of an incorrect SELinux domain being
> >>>> used in the lockdown check, this patch makes the decision to perform
> >>>> all of the lockdown access control checks against the
> >>>> SECINITSID_KERNEL domain. This is far from ideal, but it is what
> >>>> we have available to us at this point in time.
> >
> > Can we get Linux distro and Android folks to speak as to whether they
> > consider the check in this reduced form to still be useful or whether
> > we should just remove it altogether?
>
> FWIW, I think the check should be removed.

/me punches another voting card

Thanks Chris. Unless we hear a rather compelling case from the Android
folks I think we've got our answer.

Jeff, or any of the other Android folks, now is the time to speak up
on this. If I don't hear from any of you guys within the next few
days I think we'll rip out the SELinux lockdown hook.

--
paul moore
www.paul-moore.com