
enable early LSM support for lockdown #1279

Merged
merged 1 commit into from
Jan 13, 2021

Conversation

bcressey
Contributor

@bcressey bcressey commented Jan 13, 2021

Issue number:
N/A

Description of changes:
Initialize the lockdown LSM early, in case a custom build specifies lockdown=integrity or similar on the kernel command line.

This also ensures that the lockdown LSM is consulted for policy decisions, which it previously was not because it was not listed in CONFIG_LSM.

Testing done:
Verified that unsigned kernel modules cannot be loaded after enabling "integrity" mode:

$ apiclient -u /settings -m PATCH -d '{"kernel": {"lockdown": "integrity"}}'
$ apiclient -u /tx/commit_and_apply -m POST

$ sudo insmod test.ko
insmod: ERROR: could not insert module test.ko: Operation not permitted

$ sudo dmesg|grep -i lockdown
[   38.282301] Kernel is locked down from securityfs; see man kernel_lockdown.7
[   81.111626] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

This fixes an issue where the Lockdown LSM wasn't actually consulted
for security decisions, because it does not appear in the CONFIG_LSM
list.

As an alternative, we could override CONFIG_LSM to add lockdown:

  CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,
              selinux,smack,tomoyo,apparmor"

However, then that list would need to be maintained when updating the
kernel, or any new LSMs would be quietly ignored.

Enabling early LSM support resolves the issue, and makes it possible
for custom builds to specify the desired lockdown state on the kernel
command line.

Signed-off-by: Ben Cressey <[email protected]>
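As an added verification example (not part of this PR or of Bottlerocket's own code): both the description and the commit message make the point that a lockdown mode shown in securityfs means little unless the lockdown LSM is actually in the kernel's active LSM list, so a defender's check should look at that list rather than only at the mode. The POSIX shell script below reads /sys/kernel/security/lsm and /sys/kernel/security/lockdown when they are readable and otherwise runs against constructed sample strings; the function names and the sample LSM lists are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the Bottlerocket PR. Checks whether the lockdown LSM
# is among the initialized LSMs and reports the active lockdown mode.
# Inputs mirror two securityfs files:
#   /sys/kernel/security/lsm      -> comma-separated list of initialized LSMs
#   /sys/kernel/security/lockdown -> e.g. "none [integrity] confidentiality",
#                                    with the active mode in brackets

# lsm_has_lockdown LSM_LIST -> exit 0 when "lockdown" is an exact entry in the list
lsm_has_lockdown() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'lockdown'
}

# lockdown_mode LOCKDOWN_LINE -> prints the bracketed (active) mode, or nothing
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# check_lockdown LSM_LIST LOCKDOWN_LINE
#   exit 0: lockdown LSM active and enforcing integrity or confidentiality
#   exit 2: lockdown LSM active but mode is "none"
#   exit 1: lockdown LSM not active (mode is not enforced) or unparsable input
check_lockdown() {
    lsm_list=$1
    lockdown_line=$2
    if ! lsm_has_lockdown "$lsm_list"; then
        echo "FAIL: lockdown LSM not in active list ($lsm_list); lockdown mode is not enforced"
        return 1
    fi
    mode=$(lockdown_mode "$lockdown_line")
    case $mode in
        integrity|confidentiality)
            echo "OK: lockdown LSM active, mode=$mode"
            return 0 ;;
        none)
            echo "WARN: lockdown LSM active but mode=none (no restrictions applied)"
            return 2 ;;
        *)
            echo "FAIL: could not parse lockdown mode from: $lockdown_line"
            return 1 ;;
    esac
}

# Constructed sample inputs (assumptions, not captured from a real host):
LSM_BEFORE="capability,yama,selinux"           # lockdown absent, as before this PR
LSM_AFTER="lockdown,capability,yama,selinux"   # lockdown initialized as an early LSM
LOCKDOWN_INTEGRITY="none [integrity] confidentiality"
LOCKDOWN_NONE="[none] integrity confidentiality"

# Prefer the live system; fall back to the samples so the script runs offline.
main() {
    if [ -r /sys/kernel/security/lsm ] && [ -r /sys/kernel/security/lockdown ]; then
        check_lockdown "$(cat /sys/kernel/security/lsm)" "$(cat /sys/kernel/security/lockdown)"
    else
        echo "securityfs not readable; running against constructed samples"
        check_lockdown "$LSM_AFTER" "$LOCKDOWN_INTEGRITY"
    fi
}

main "$@"
```

Run it as root on the node after applying the setting from the PR's test steps; an "OK ... mode=integrity" line corresponds to the state in which the insmod of an unsigned module is refused, while a "FAIL: lockdown LSM not in active list" line is the pre-fix condition the PR describes, where the mode is set but never consulted.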
@bcressey bcressey merged commit 17a0ec7 into bottlerocket-os:develop Jan 13, 2021
@bcressey bcressey deleted the fix-lockdown-config branch January 13, 2021 05:12