Re: [PATCH] LoadPin: Ignore the "contents" argument of the LSM hooks
From: Paul Moore
Date: Thu Dec 15 2022 - 15:16:26 EST
On Tue, Dec 13, 2022 at 11:06 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Mon, Dec 12, 2022 at 03:13:19PM -0600, Serge E. Hallyn wrote:
> > On Fri, Dec 09, 2022 at 11:54:57AM -0800, Kees Cook wrote:
> > > LoadPin only enforces the read-only origin of kernel file reads. Whether
> > > or not it was a partial read isn't important. Remove the overly
> > > conservative checks so that things like partial firmware reads will
> > > succeed (i.e. reading a firmware header).
> > >
> > > Fixes: 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook")
> > > Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
> > > Cc: James Morris <jmorris@xxxxxxxxx>
> > > Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx>
> >
> > Acked-by: Serge Hallyn <serge@xxxxxxxxxx>
> >
> > Seems reasonable.
>
> Thanks!
>
> > So the patch which introduced this was
> > 2039bda1f: LSM: Add "contents" flag to kernel_read_file hook
> > It sounds like the usage of @contents which it added to ima still
> > makes sense. But what about the selinux_kernel_read_file() one?
>
> I think those continue to make sense since those LSM may be sensitive to
> the _content_ (rather than the _origin_) of the file.
Agreed. When @contents is false SELinux does a permission check
between the calling process and itself, but when @contents is true it
performs a check between the calling process and the file being read.
--
paul-moore.com