From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Casey Schaufler <casey@schaufler-ca.com>,
	paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
	john.johansen@canonical.com, stephen.smalley.work@gmail.com,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
	mic@digikod.net
Subject: Re: [PATCH v15 01/11] LSM: Identify modules by more than name
Date: Sat, 21 Oct 2023 21:20:50 +0900
Message-ID: <2fb1a8cd-88d0-40f0-b3d8-cfa8b71e7dd9@I-love.SAKURA.ne.jp>
In-Reply-To: <30d1110a-7583-4fa1-85c8-d6ce362f5ae2@schaufler-ca.com>

On 2023/10/21 4:52, Casey Schaufler wrote:
> On 10/5/2023 5:58 AM, Tetsuo Handa wrote:
>> On 2023/09/13 5:56, Casey Schaufler wrote:
>>> Create a struct lsm_id to contain identifying information about Linux
>>> Security Modules (LSMs). At inception this contains the name of the
>>> module and an identifier associated with the security module.  Change
>>> the security_add_hooks() interface to use this structure.  Change the
>>> individual modules to maintain their own struct lsm_id and pass it to
>>> security_add_hooks().
>> I came to worry about what purpose the LSM ID value (or more precisely,
>> "struct lsm_id") is used for. If the LSM ID value is used only for switching
>> {reading,writing} of /proc/self/attr/ to a specific LSM module's information, only
>> LSM modules that use /proc/self/attr/ will need the LSM ID value.
>>
>> But this series uses "struct lsm_id" as one of arguments for security_add_hooks(),
>> and might be reused for different purposes.
>>
>> Then, BPF-based LSMs (which are not considered in-tree LSM modules, since
>> only the BPF hook is considered an in-tree LSM module) might receive less favorable
>> treatment than non-BPF-based LSMs?
>>
>> [PATCH v15 05/11] says
>>
>>   Create a system call to report the list of Linux Security Modules
>>   that are active on the system. The list is provided as an array
>>   of LSM ID numbers.
>>   
>>   The calling application can use this list to determine what LSM
>>   specific actions it might take. That might include choosing an
>>   output format, determining required privilege or bypassing
>>   security module specific behavior.
>>
>> but, at least, the names of BPF-based LSMs won't show up in lsm_list_modules(),
>> unlike non-BPF-based LSMs? Then the calling application can't use this
>> list to determine what BPF-based LSM specific actions it might take?
> 
> That is correct. Just as knowing that your system is using SELinux won't
> tell you whether a specific action might be permitted because that's driven
> by the loaded policy, so too knowing that your system is using BPF won't
> tell you whether a specific action might be permitted because that's driven
> by the eBPF programs in place.

If the system call returns the LSM ID value for SELinux but does not tell
the caller of that system call whether a specific action might be permitted,
what information does the LSM ID value tell?

The patch description lacks the relationship between the LSM ID value and data.
In other words, why LSM ID values are needed (and what they are useful for).
If the only information the caller can learn from the LSM ID value were
what LSMs are enabled (i.e. the content of /sys/kernel/security/lsm ), why
bother to use LSM ID values? (Yes, integer comparison is faster than string
comparison. But that is not enough justification for not allowing out-of-tree
LSMs and eBPF-based access control mechanisms to have stable LSM ID values.)

What do "choosing an output format", "determining required privilege" and
"bypassing security module specific behavior" mean? How can they choose a
meaningful output format, determine the appropriate privilege, or bypass security
module specific behavior (if the only information the caller can learn from
the LSM ID value were what LSMs are enabled)?



> I wish we could stop people from saying "BPF-based LSM". BPF is the LSM. The
> eBPF programs that implement a "policy" are NOT a LSM. There needs to be a
> name for that, but LSM is not it.

My understanding is that "BPF is not an LSM module but infrastructure for using
LSM hooks".

Say an access control implementation consists of two parts: "code" and "data".
The "code" is written by developers, is determined at compile time and is
interpreted by the CPU, and the "data" is written by administrators and is interpreted
by the "code". The "data" part can be either built-in (determined at compile time) or
loadable (configurable at run-time).

eBPF-based access control implementations (which can be loaded via the bpf() system
call after boot) consist of "code" and "data". BPF will remain a no-op unless
eBPF-based access control implementations are loaded via the bpf() system call.
Thus, I believe that an eBPF-based access control implementation should be
considered an LSM module (like SELinux etc.).

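As an added example (not code from the v15 series, from the kernel, or from anyone in this thread), the program below calls lsm_list_modules() and does the two things a caller actually can do with the returned IDs: map them to the names that appear in /sys/kernel/security/lsm and test for the presence of a particular module. It assumes the interface as merged in Linux 6.8 (syscall number 461, the LSM_ID_* values from include/uapi/linux/lsm.h, a u64 ID array with a u32 byte-size parameter, the count of active LSMs as return value), which differs in details from the v15 posting under discussion. The function and variable names are the example's own; the sample name lists used to exercise the reconciliation helper are constructed.

```c
/* Added example: enumerating active LSMs with lsm_list_modules(2) and
 * reconciling the result with /sys/kernel/security/lsm. This is not code
 * from the v15 series or the kernel; it assumes the interface as merged
 * in Linux 6.8 (include/uapi/linux/lsm.h). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall number and IDs as in the merged UAPI (assumed; the guard lets
 * this also build against older kernel headers that lack the number). */
#ifndef __NR_lsm_list_modules
#define __NR_lsm_list_modules 461
#endif
#define LSM_ID_CAPABILITY 100
#define LSM_ID_SELINUX    101
#define LSM_ID_SMACK      102
#define LSM_ID_TOMOYO     103
#define LSM_ID_APPARMOR   104
#define LSM_ID_YAMA       105
#define LSM_ID_LOADPIN    106
#define LSM_ID_SAFESETID  107
#define LSM_ID_LOCKDOWN   108
#define LSM_ID_BPF        109
#define LSM_ID_LANDLOCK   110

/* Map an LSM ID to the name shown in /sys/kernel/security/lsm. An ID this
 * table does not know (a newer in-tree LSM, say) maps to NULL; the caller
 * has to cope with that, which is the price of using numbers over names. */
static const char *lsm_id_name(uint64_t id)
{
    switch (id) {
    case LSM_ID_CAPABILITY: return "capability";
    case LSM_ID_SELINUX:    return "selinux";
    case LSM_ID_SMACK:      return "smack";
    case LSM_ID_TOMOYO:     return "tomoyo";
    case LSM_ID_APPARMOR:   return "apparmor";
    case LSM_ID_YAMA:       return "yama";
    case LSM_ID_LOADPIN:    return "loadpin";
    case LSM_ID_SAFESETID:  return "safesetid";
    case LSM_ID_LOCKDOWN:   return "lockdown";
    case LSM_ID_BPF:        return "bpf";
    case LSM_ID_LANDLOCK:   return "landlock";
    default:                return NULL;
    }
}

/* Fill ids[] with the active LSM IDs. Returns the count, or -1 with errno
 * set: ENOSYS before Linux 6.8, E2BIG if cap is too small (*needed then
 * holds the byte count the kernel wanted). */
static int lsm_list_active(uint64_t *ids, size_t cap, uint32_t *needed)
{
    uint32_t size = (uint32_t)(cap * sizeof(uint64_t));
    long rc = syscall(__NR_lsm_list_modules, ids, &size, 0);
    *needed = size;
    return (int)rc;
}

/* True if the given LSM ID is among the n returned IDs. */
static int lsm_present(const uint64_t *ids, int n, uint64_t want)
{
    for (int i = 0; i < n; i++)
        if (ids[i] == want)
            return 1;
    return 0;
}

/* Count IDs whose name does not occur in a comma-separated name list (the
 * contents of /sys/kernel/security/lsm). IDs this program cannot name count
 * as missing. Extra names in the list are tolerated on purpose. */
static int lsm_ids_missing_from_names(const uint64_t *ids, int n,
                                      const char *list)
{
    int missing = 0;
    for (int i = 0; i < n; i++) {
        const char *name = lsm_id_name(ids[i]);
        size_t nlen = name ? strlen(name) : 0;
        int found = 0;
        for (const char *p = list; name && *p; ) {
            size_t tlen = strcspn(p, ",\n");   /* one token of the list */
            if (tlen == nlen && memcmp(p, name, nlen) == 0) {
                found = 1;
                break;
            }
            p += tlen;
            if (*p)
                p++;                            /* skip the separator */
        }
        missing += !found;
    }
    return missing;
}

int main(void)
{
    uint64_t ids[32];
    uint32_t needed;
    int n = lsm_list_active(ids, 32, &needed);
    if (n < 0) {
        perror("lsm_list_modules");
        return 1;
    }
    for (int i = 0; i < n; i++) {
        const char *name = lsm_id_name(ids[i]);
        printf("%llu %s\n", (unsigned long long)ids[i],
               name ? name : "(unknown id)");
    }
    /* LSM_ID_BPF only says the BPF LSM is built in and enabled; which
     * BPF_PROG_TYPE_LSM programs are attached is not visible from the ID. */
    if (lsm_present(ids, n, LSM_ID_BPF))
        puts("bpf LSM active: attached programs decide policy, not the ID");

    char list[256] = "";
    FILE *f = fopen("/sys/kernel/security/lsm", "r");
    if (f) {
        if (!fgets(list, sizeof list, f))
            list[0] = '\0';
        fclose(f);
        list[strcspn(list, "\n")] = '\0';
        printf("%d id(s) not named in securityfs list \"%s\"\n",
               lsm_ids_missing_from_names(ids, n, list), list);
    }
    return 0;
}
```

Build with `cc -o lsmlist lsmlist.c`; on a kernel before 6.8 the call fails with ENOSYS, on a current kernel every printed name should also appear in securityfs. What the output cannot contain is the point of the message above: for LSM_ID_BPF it says nothing about which programs are attached, and for LSM_ID_SELINUX nothing about the loaded policy.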
