A security-module hook for user-namespace creation

> > CVE-2017-6074

> This is BS. Basically, "you can use SELinux to prohibit loading of modules". You can also just delete them, it's not a mitigation.

Not having read any of the background stuff but ... how does deleting modules protect against an attacker dropping a module onto your system?

Mind you, I believe you can also build your kernel with the "load module" code missing, no? Perfect for gentoo users like me :-)

Cheers,
Wol

>> CVE-2014-7169
>
> This doesn't prevent the exploit that allows the attacker to run arbirtrary code, but it prevents this arbitrary code from gaining root right away. Assuming no other exploits.

of course it can't stop or fix every flaw/CVE in an application, but it did do its job of containing said flaw and prevented it from becoming a root exploit. Yes there could be another way to elevate to root that is always a possibility unless you can mathematically prove otherwise, but it did stop this one.

> > CVE-2017-6074
>
> This is BS. Basically, "you can use SELinux to prohibit loading of modules". You can also just delete them, it's not a mitigation.

Yes it is. Sure there are other ways to block modules from loading: building the kernel without module support, lockdown (also an LSM), loadpin (also an LSM). What SELinux brings is context, where some services are still allowed to load modules, because the broader solutions don't work for some environments.

> > CVE-2019-5736
>
> This was the only real non-trivial one from your list, and in this case the proper fix is to use user namespaces.

The proper fix is always to patch/rewrite the software to remove the vulnerability, that doesn't take away from SELinux doing its job here.

> All in all, very few exploits are truly prevented by SELinux. It sometimes makes it harder for attacker to gain wider access.

Security is about layers and making it harder for an attacker is a win. No SELinux won't fix programs that have exploits in them, but neither do user namespaces.

It would seem odd to not issue a fix just because Debian has a default LSM-using setup since it supports not using an LSM. I don't think that is evidence that LSMs don't serve a purpose myself. I say that as someone that uses SELinux on Fedora normally, but it broke logging in on one machine recently…so is in Permissive mode until I track down the problem.

> So as far as Debian is concerned, LSM do not seems to reduce the number of security updates.

This isn't the purpose of LSM. It is to mitigate or reduce the severity of vulnerability for end users. Distributions may choose to downgrade the severity of the issue based on the mitigations available by default however they won't be able to negate their responsibility to issue updates regardless. This isn't specific to LSM, if say, Firefox sandboxing stops a vulnerability from being exploited currently, Mozilla isn't going to just ignore the vulnerability, they will still patch it anyway.

As @rahulsundaram mentions below that isn't what the LSM is supposed to do. When vulnerabilities are found you still want to fix them regardless if they are stopped or mitigated by an LSM or any other hardening or security techniques.

LSMs can however stop, mitigate or contain an exploit reducing severity of a vulnerability, and hence reducing the priority of fixing a given CVE.