Re: [RFC] Turn lockdown into an LSM

[Stephen Smalley]

On 5/22/19 3:19 PM, James Morris wrote:
> On Wed, 22 May 2019, Stephen Smalley wrote:
>
> > That seems to violate the intent of lockdown as I understood it, and
> > turns security_is_locked_down() into a finer-grained capable() call.
> > Also, if I understand correctly, this could only be done if one were to
> > disable the lockdown module in the lsm list, since the security
> > framework will return non-zero (i.e. the operation is locked down) if
> > any module that implements the hook returns non-zero; LSM is
> > "restrictive". At that point SELinux or the other LSM would be the sole
> > arbiter of lockdown decisions. SELinux or the other LSM also wouldn't
> > have access to the kernel_locked_down level unless that was exported in
> > some manner from the lockdown module.  Not sure how to compose these.
>
> Right, I was envisaging the LSM replacing the default.
>
> i.e. the default is tristate OR fine grained LSM policy.
>
> They could in theory be composed restrictively, but this is likely not
> useful given the coarse grained default policy.  All the LSM could do is
> either further restrict none or integrity.
>
> We'd need to figure out how to avoid confusing users in the case where
> multiple LSMs are registered for the hooks, possibly by having the
> lockdown LSM gate this and update the securityfs lockdown node with
> something like "lsm:smack".

Some kind of transition from the lockdown module to other security 
modules might be needed, e.g. you might need to start with 
lockdown=integrity to protect the kernel up to the point where a policy 
is loaded, then hand off to SELinux or another security module to handle 
further requests.