All of lore.kernel.org
 help / color / mirror / Atom feed
From: John Johansen <john.johansen@canonical.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Stephen Smalley <stephen.smalley@gmail.com>,
	James Morris <jmorris@namei.org>,
	linux-integrity@vger.kernel.org,
	LSM List <linux-security-module@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/5] LSM: Define SELinux function to measure security state
Date: Tue, 16 Jun 2020 01:38:55 -0700	[thread overview]
Message-ID: <2359b728-656e-1599-5931-7d7e97625de1@canonical.com> (raw)
In-Reply-To: <1592243068.11061.155.camel@linux.ibm.com>

On 6/15/20 10:44 AM, Mimi Zohar wrote:
> (Cc'ing John)
> 
> On Mon, 2020-06-15 at 10:33 -0700, Casey Schaufler wrote:
>> On 6/15/2020 9:45 AM, Lakshmi Ramasubramanian wrote:
>>> On 6/15/20 4:57 AM, Stephen Smalley wrote:
>>>
>>> Hi Stephen,
>>>
>>> Thanks for reviewing the patches.
>>>
>>>>> +void security_state_change(char *lsm_name, void *state, int state_len)
>>>>> +{
>>>>> +       ima_lsm_state(lsm_name, state, state_len);
>>>>> +}
>>>>> +
>>>>
>>>> What's the benefit of this trivial function instead of just calling
>>>> ima_lsm_state() directly?
>>>
>>> One of the feedback Casey Schaufler had given earlier was that calling an IMA function directly from SELinux (or, any of the Security Modules) would be a layering violation.
>>
>> Hiding the ima_lsm_state() call doesn't address the layering.
>> The point is that SELinux code being called from IMA (or the
>> other way around) breaks the subsystem isolation. Unfortunately,
>> it isn't obvious to me how you would go about what you're doing
>> without integrating the subsystems.
> 
> Casey, I'm not sure why you think there is a layering issue here.
>  There were multiple iterations of IMA before it was upstreamed.  One
> iteration had separate integrity hooks(LIM).  Only when the IMA calls
> and the security hooks are co-located, are they combined, as requested
> by Linus.
> 
I don't see the layering violation here either, Casey has already
responded and I don't have anything to add

> There was some AppArmour discussion about calling IMA directly, but I
> haven't heard about it in a while or seen the patch.
> 
its lower priority than other work. I think calling IMA directly has use
cases but must be done very carefully, and well reviewed. I have would
have more concerns with IMA calling directly into the various LSMs.


  parent reply	other threads:[~2020-06-16  8:39 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-13  2:41 [PATCH 0/5] LSM: Measure security module state Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 1/5] IMA: Add LSM_STATE func to measure LSM data Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 3/5] LSM: Add security_state function pointer in lsm_info struct Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 4/5] LSM: Define SELinux function to measure security state Lakshmi Ramasubramanian
2020-06-15 11:57   ` Stephen Smalley
2020-06-15 12:15     ` Stephen Smalley
2020-06-15 16:45     ` Lakshmi Ramasubramanian
2020-06-15 17:33       ` Casey Schaufler
2020-06-15 17:44         ` Mimi Zohar
2020-06-15 23:18           ` Casey Schaufler
2020-06-16  0:44             ` Mimi Zohar
2020-06-16  8:38           ` John Johansen [this message]
2020-06-15 20:31       ` Stephen Smalley
2020-06-13  2:41 ` [PATCH 5/5] LSM: Define workqueue for measuring security module state Lakshmi Ramasubramanian
2020-06-15 13:33   ` Stephen Smalley
2020-06-15 14:59     ` Mimi Zohar
2020-06-15 15:47       ` Stephen Smalley
2020-06-15 16:10         ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2359b728-656e-1599-5931-7d7e97625de1@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=stephen.smalley.work@gmail.com \
    --cc=stephen.smalley@gmail.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.