Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
From: Mimi Zohar
Date: Wed Mar 24 2021 - 07:11:21 EST
On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote:
> On 2021/03/24 1:13, Mimi Zohar wrote:
> > On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote:
> >> On 2021/03/23 23:47, Mimi Zohar wrote:
> >>> Initially I also questioned making "integrity" an LSM. Perhaps it's
> >>> time to reconsider. For now, it makes sense to just fix the NULL
> >>> pointer dereferencing.
> >>
> >> Do we think calling panic() as "fix the NULL pointer dereferencing" ?
> >
> > Not supplying "integrity" as an "lsm=" option is a user error. There
> > are only two options - allow or deny the caller to proceed. If the
> > user is expecting the integrity subsystem to be properly working,
> > returning a NULL and allowing the system to boot (RFC patch version)
> > does not make sense. Better to fail early.
>
> What does the "user" mean? Those who load the vmlinux?
> Only the "root" user (so called administrators)?
> Any users including other than "root" user?
>
> If the user means those who load the vmlinux, that user is explicitly asking
> for disabling "integrity" for some reason. In that case, it is a bug if
> booting with "integrity" disabled is impossible.
>
> If the user means something other than those who load the vmlinux,
> is there a possibility that that user (especially non "root" users) is
> allowed to try to use "integrity" ? If processes other than global init
> process can try to use "integrity", wouldn't it be a DoS attack vector?
> Please explain in the descripotion why calling panic() does not cause
> DoS attack vector.
User in this case, is anyone rebooting the system and is intentionally
changing the default values, dropping the "integrity" option on the
boot command line.
Mimi