Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Nov 2021 12:29:14 -0800
From: Kees Cook <keescook@...omium.org>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: Alexander Popov <alex.popov@...ux.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Lukas Bulwahn <lukas.bulwahn@...il.com>,
	Jonathan Corbet <corbet@....net>,
	Paul McKenney <paulmck@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Peter Zijlstra <peterz@...radead.org>,
	Joerg Roedel <jroedel@...e.de>, Maciej Rozycki <macro@...am.me.uk>,
	Muchun Song <songmuchun@...edance.com>,
	Viresh Kumar <viresh.kumar@...aro.org>,
	Robin Murphy <robin.murphy@....com>,
	Randy Dunlap <rdunlap@...radead.org>,
	Lu Baolu <baolu.lu@...ux.intel.com>, Petr Mladek <pmladek@...e.com>,
	Luis Chamberlain <mcgrof@...nel.org>, Wei Liu <wl@....org>,
	John Ogness <john.ogness@...utronix.de>,
	Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
	Alexey Kardashevskiy <aik@...abs.ru>,
	Christophe Leroy <christophe.leroy@...roup.eu>,
	Jann Horn <jannh@...gle.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Mark Rutland <mark.rutland@....com>,
	Andy Lutomirski <luto@...nel.org>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	Will Deacon <will@...nel.org>, Ard Biesheuvel <ardb@...nel.org>,
	Laura Abbott <labbott@...nel.org>,
	David S Miller <davem@...emloft.net>,
	Borislav Petkov <bp@...en8.de>, Arnd Bergmann <arnd@...db.de>,
	Andrew Scull <ascull@...gle.com>, Marc Zyngier <maz@...nel.org>,
	Jessica Yu <jeyu@...nel.org>, Iurii Zaikin <yzaikin@...gle.com>,
	Rasmus Villemoes <linux@...musvillemoes.dk>,
	Wang Qing <wangqing@...o.com>, Mel Gorman <mgorman@...e.de>,
	Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
	Andrew Klychkov <andrew.a.klychkov@...il.com>,
	Mathieu Chouquet-Stringer <me@...hieu.digital>,
	Daniel Borkmann <daniel@...earbox.net>,
	Stephen Kitt <steve@....org>, Stephen Boyd <sboyd@...nel.org>,
	Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
	Mike Rapoport <rppt@...nel.org>,
	Bjorn Andersson <bjorn.andersson@...aro.org>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	linux-hardening@...r.kernel.org,
	"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
	linux-arch <linux-arch@...r.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>, notify@...nel.org,
	main@...ts.elisa.tech, safety-architecture@...ts.elisa.tech,
	devel@...ts.elisa.tech, Shuah Khan <shuah@...nel.org>
Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter

On Thu, Nov 18, 2021 at 10:30:32AM -0800, Casey Schaufler wrote:
> On 11/18/2021 9:32 AM, Kees Cook wrote:
> > On Tue, Nov 16, 2021 at 11:00:23AM -0800, Casey Schaufler wrote:
> > > On 11/16/2021 10:41 AM, Kees Cook wrote:
> > > > On Tue, Nov 16, 2021 at 12:12:16PM +0300, Alexander Popov wrote:
> > > > > What if the Linux kernel had a LSM module responsible for error handling policy?
> > > > > That would require adding LSM hooks to BUG*(), WARN*(), KERN_EMERG, etc.
> > > > > In such LSM policy we can decide immediately how to react on the kernel error.
> > > > > We can even decide depending on the subsystem and things like that.
> > > > That would solve the "atomicity" issue the WARN tracepoint solution has,
> > > > and it would allow for very flexible userspace policy.
> > > > 
> > > > I actually wonder if the existing panic_on_* sites should serve as a
> > > > guide for where to put the hooks. The current sysctls could be replaced
> > > > by the hooks and a simple LSM.
> > > Do you really want to make error handling a "security" issue?
> > > If you add security_bug(), security_warn_on() and the like
> > > you're begging that they be included in SELinux (AppArmor) policy.
> > > BPF, too, come to think of it. Is that what you want?
> > Yeah, that is what I was thinking. This would give the LSM a view into
> > kernel state, which seems a reasonable thing to do. If system integrity
> > is compromised, an LSM may want to stop trusting things.
> 
> How are you planning to communicate the security relevance of the
> warning to the LSM? I don't think that __FILE__, __LINE__ or __func__
> is great information to base security policy on. Nor is a backtrace.

I think that would be part of the design proposal. Initially, the known
parts are "warn or bug" and "pid".

> > A dedicated error-handling LSM could be added for those hooks that
> > implemented the existing default panic_on_* sysctls, and could expand on
> > that logic for other actions.
> 
> I can see having an interface like LSM for choosing a bug/warn policy.
> I worry about expanding the LSM hook list for a case where I would
> hope no existing LSM would use them, and the new LSM doesn't use any
> of the existing hooks.

Yeah, I can see that, though we've got a history of the "specialized"
hooks getting used by other LSMs. (e.g. loadpin's stuff got hooked up to
other LSMs, etc.)

-- 
Kees Cook

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.