From: Casey Schaufler <casey@schaufler-ca.com> To: Kees Cook <keescook@chromium.org> Cc: James Morris <jmorris@namei.org>, John Johansen <john.johansen@canonical.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, "Schaufler, Casey" <casey.schaufler@intel.com>, LSM <linux-security-module@vger.kernel.org>, LKLM <linux-kernel@vger.kernel.org> Subject: Re: [PATCH 16/18] LSM: Allow arbitrary LSM ordering Date: Mon, 17 Sep 2018 10:13:26 -0700 [thread overview] Message-ID: <8f0bd39b-29a6-325d-4558-d9f484249c22@schaufler-ca.com> (raw) In-Reply-To: <CAGXu5jJ71RLGh0nDgOaN3vCXFGE0poXFU2Gb9o+20aO+AEdOvw@mail.gmail.com> On 9/17/2018 9:24 AM, Kees Cook wrote: > On Mon, Sep 17, 2018 at 8:06 AM, Casey Schaufler <casey@schaufler-ca.com> wrote: >>> The trailing comma thing gets us some compatibility, but we still have >>> to decide which things should be exclusive-via-"security=" since with >>> blob-sharing it already becomes possible to do selinux + tomoyo. >>> >>> The -$lsm style may make it hard to sensibly order any unspecified >>> LSMs. I guess it could just fall back to "follow builtin ordering of >>> unspecified LSMs" (unless someone had, maybe, "-all"). >> That's why I'm not especially happy with either one. >> >>> so, if builtin ordering after blob-sharing is >>> capability,integrity,yama,loadpin,{selinux,apparmor,smack},tomoyo >>> >>> security=apparmor is capability,apparmor,integrity,yama,loadpin,tomoyo >> I would expect capability,integrity,yama,loadpin,apparmor to reflect >> today's behavior. > If that's desired then we have to declare tomoyo as "exclusive" even > though it doesn't use blobs. But then what happens in the extreme > stacking case? Do we add "lsm.extreme=1" to change how security= is > parsed? TOMOYO uses the cred blob pointer. When the blob is shared TOMOYO has to be allocated a pointer size chunk to store the pointer in. Smack has the same behavior on file blobs. >>> security=yama,smack,-all is capability,yama,smack >> Yes >> >>> security=loadpin,selinux,yama,-integrity is >>> capability,loadpin,selinux,yama,tomoyo >> I think that the negation should only apply to >> integrity, yama and loadpin. All blob-using modules >> must be explicitly stated if you want to use them. > What about tomoyo, though? It's presently considered a major LSM (i.e. > security=tomoyo disables the other majors), but it doesn't use blobs. > >>> Whatever we design, it needs to handle both the blob-sharing >>> near-future, and have an eye towards "extreme stacking" in the >>> some-day future. In both cases, the idea of a "major" LSM starts to >>> get very very hazy. >> Long term the only distinction is "minor" and blob using. So long as >> there's a way to enforce incompatibility (i.e. not Smack and SELinux) >> in the sorter term we can adopt that mindset already. > Given that tomoyo doesn't share blobs and integrity doesn't register > hooks, how would they be considered in that world? Or rather, what > distinguishes a "minor" LSM? It seems there are three cases: uses > blobs with sharing, uses blobs without sharing, uses no blobs. What > happens if an LSM grows a feature that needs blob sharing? If "uses no > blobs" should be considered "shares blobs", then there is no > distinction between "minor" and "blob sharing". Today the distinction is based on how the module registers hooks. Modules that use blobs (including TOMOYO) use security_module_enable() and those that don't just use security_add_hooks(). The "pick one" policy is enforced in security_module_enable(), which is why you can have as many non-blob users as you like. You could easily have a non-blob using module that was exclusive simply by using security_module_enable(). In the stacking case you could have integrity_init() call security_module_enable() but not security_add_hooks(). You wouldn't want to do that without stacking configured, because that would make integrity exclusive. >>> As for how we classify things, based on hooks... >>> >>> now: >>> always: capability >>> major: selinux,apparmor,smack,tomoyo >>> minor: yama,loadpin >>> init-only: integrity >>> >>> blob-sharing: >>> always: capability >>> exclusive: selinux,apparmor,smack >>> sharing: tomoyo,integrity,yama,loadpin >>> >>> extreme: >>> always: capability >>> sharing: selinux,apparmor,smack,tomoyo,integrity,yama,loadpin >>> >>> The most special are capability (unconditional, run first) and >>> integrity (init-only, no security_add_hooks() call). >>> >>> Can we classify things as MAC and non-MAC for "major" vs "minor"? SARA >>> and Landlock aren't MAC (and neither is integrity), or should we do >>> the "-$lsm" thing instead? >> I don't like using MAC because the use of the module isn't the issue, >> it's the interfaces used. As ugly as it is, I like the -$lsm better. > Agreed on MAC. And yes, I think -$lsm is best here. Should we overload > "security=" or add "lsm.stacking="? Keep security=$lsm with the existing exclusive behavior. Add lsm=$lsm1,...,$lsmN which requires a full list of modules If you want to be fancy (I don't!) you could add lsm.add=$lsm1,...,$lsmN which adds the modules to the stack lsm.delete=$lsm1,...,$lsmN which deletes modules from the stack
WARNING: multiple messages have this Message-ID (diff)
From: casey@schaufler-ca.com (Casey Schaufler) To: linux-security-module@vger.kernel.org Subject: [PATCH 16/18] LSM: Allow arbitrary LSM ordering Date: Mon, 17 Sep 2018 10:13:26 -0700 [thread overview] Message-ID: <8f0bd39b-29a6-325d-4558-d9f484249c22@schaufler-ca.com> (raw) In-Reply-To: <CAGXu5jJ71RLGh0nDgOaN3vCXFGE0poXFU2Gb9o+20aO+AEdOvw@mail.gmail.com> On 9/17/2018 9:24 AM, Kees Cook wrote: > On Mon, Sep 17, 2018 at 8:06 AM, Casey Schaufler <casey@schaufler-ca.com> wrote: >>> The trailing comma thing gets us some compatibility, but we still have >>> to decide which things should be exclusive-via-"security=" since with >>> blob-sharing it already becomes possible to do selinux + tomoyo. >>> >>> The -$lsm style may make it hard to sensibly order any unspecified >>> LSMs. I guess it could just fall back to "follow builtin ordering of >>> unspecified LSMs" (unless someone had, maybe, "-all"). >> That's why I'm not especially happy with either one. >> >>> so, if builtin ordering after blob-sharing is >>> capability,integrity,yama,loadpin,{selinux,apparmor,smack},tomoyo >>> >>> security=apparmor is capability,apparmor,integrity,yama,loadpin,tomoyo >> I would expect capability,integrity,yama,loadpin,apparmor to reflect >> today's behavior. > If that's desired then we have to declare tomoyo as "exclusive" even > though it doesn't use blobs. But then what happens in the extreme > stacking case? Do we add "lsm.extreme=1" to change how security= is > parsed? TOMOYO uses the cred blob pointer. When the blob is shared TOMOYO has to be allocated a pointer size chunk to store the pointer in. Smack has the same behavior on file blobs. >>> security=yama,smack,-all is capability,yama,smack >> Yes >> >>> security=loadpin,selinux,yama,-integrity is >>> capability,loadpin,selinux,yama,tomoyo >> I think that the negation should only apply to >> integrity, yama and loadpin. All blob-using modules >> must be explicitly stated if you want to use them. > What about tomoyo, though? It's presently considered a major LSM (i.e. > security=tomoyo disables the other majors), but it doesn't use blobs. > >>> Whatever we design, it needs to handle both the blob-sharing >>> near-future, and have an eye towards "extreme stacking" in the >>> some-day future. In both cases, the idea of a "major" LSM starts to >>> get very very hazy. >> Long term the only distinction is "minor" and blob using. So long as >> there's a way to enforce incompatibility (i.e. not Smack and SELinux) >> in the sorter term we can adopt that mindset already. > Given that tomoyo doesn't share blobs and integrity doesn't register > hooks, how would they be considered in that world? Or rather, what > distinguishes a "minor" LSM? It seems there are three cases: uses > blobs with sharing, uses blobs without sharing, uses no blobs. What > happens if an LSM grows a feature that needs blob sharing? If "uses no > blobs" should be considered "shares blobs", then there is no > distinction between "minor" and "blob sharing". Today the distinction is based on how the module registers hooks. Modules that use blobs (including TOMOYO) use security_module_enable() and those that don't just use security_add_hooks(). The "pick one" policy is enforced in security_module_enable(), which is why you can have as many non-blob users as you like. You could easily have a non-blob using module that was exclusive simply by using security_module_enable(). In the stacking case you could have integrity_init() call security_module_enable() but not security_add_hooks(). You wouldn't want to do that without stacking configured, because that would make integrity exclusive. ? >>> As for how we classify things, based on hooks... >>> >>> now: >>> always: capability >>> major: selinux,apparmor,smack,tomoyo >>> minor: yama,loadpin >>> init-only: integrity >>> >>> blob-sharing: >>> always: capability >>> exclusive: selinux,apparmor,smack >>> sharing: tomoyo,integrity,yama,loadpin >>> >>> extreme: >>> always: capability >>> sharing: selinux,apparmor,smack,tomoyo,integrity,yama,loadpin >>> >>> The most special are capability (unconditional, run first) and >>> integrity (init-only, no security_add_hooks() call). >>> >>> Can we classify things as MAC and non-MAC for "major" vs "minor"? SARA >>> and Landlock aren't MAC (and neither is integrity), or should we do >>> the "-$lsm" thing instead? >> I don't like using MAC because the use of the module isn't the issue, >> it's the interfaces used. As ugly as it is, I like the -$lsm better. > Agreed on MAC. And yes, I think -$lsm is best here. Should we overload > "security=" or add "lsm.stacking="? Keep security=$lsm with the existing exclusive behavior. Add lsm=$lsm1,...,$lsmN which requires a full list of modules If you want to be fancy (I don't!) you could add lsm.add=$lsm1,...,$lsmN which adds the modules to the stack lsm.delete=$lsm1,...,$lsmN which deletes modules from the stack
next prev parent reply other threads:[~2018-09-17 17:13 UTC|newest] Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-09-16 0:30 [PATCH 00/18] LSM: Prepare for explict LSM ordering Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 01/18] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 02/18] LSM: Rename .security_initcall section to .lsm_info Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 03/18] LSM: Remove initcall tracing Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 04/18] LSM: Convert from initcall to struct lsm_info Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 05/18] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 06/18] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 07/18] LSM: Add minor LSM initialization loop Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 1:27 ` Jann Horn 2018-09-16 1:27 ` Jann Horn 2018-09-16 1:49 ` Kees Cook 2018-09-16 1:49 ` Kees Cook 2018-09-16 0:30 ` [PATCH 08/18] integrity: Initialize as LSM_TYPE_MINOR Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 09/18] LSM: Record LSM name in struct lsm_info Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 10/18] LSM: Plumb visibility into optional "enabled" state Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 1:32 ` Jann Horn 2018-09-16 1:32 ` Jann Horn 2018-09-16 1:47 ` Kees Cook 2018-09-16 1:47 ` Kees Cook 2018-09-16 0:30 ` [PATCH 12/18] LSM: Introduce ordering details in struct lsm_info Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 13/18] LoadPin: Initialize as LSM_TYPE_MINOR Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 14/18] Yama: " Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 15/18] capability: " Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 16/18] LSM: Allow arbitrary LSM ordering Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 18:49 ` Casey Schaufler 2018-09-16 18:49 ` Casey Schaufler 2018-09-16 23:00 ` Kees Cook 2018-09-16 23:00 ` Kees Cook 2018-09-17 0:46 ` Tetsuo Handa 2018-09-17 0:46 ` Tetsuo Handa 2018-09-17 15:06 ` Casey Schaufler 2018-09-17 15:06 ` Casey Schaufler 2018-09-17 16:24 ` Kees Cook 2018-09-17 16:24 ` Kees Cook 2018-09-17 17:13 ` Casey Schaufler [this message] 2018-09-17 17:13 ` Casey Schaufler 2018-09-17 18:14 ` Kees Cook 2018-09-17 18:14 ` Kees Cook 2018-09-17 19:23 ` Casey Schaufler 2018-09-17 19:23 ` Casey Schaufler 2018-09-17 19:55 ` John Johansen 2018-09-17 19:55 ` John Johansen 2018-09-17 21:57 ` Casey Schaufler 2018-09-17 21:57 ` Casey Schaufler 2018-09-17 22:36 ` John Johansen 2018-09-17 22:36 ` John Johansen 2018-09-17 23:10 ` Mickaël Salaün 2018-09-17 23:20 ` Kees Cook 2018-09-17 23:20 ` Kees Cook 2018-09-17 23:26 ` John Johansen 2018-09-17 23:26 ` John Johansen 2018-09-17 23:28 ` Kees Cook 2018-09-17 23:28 ` Kees Cook 2018-09-17 23:40 ` Casey Schaufler 2018-09-17 23:40 ` Casey Schaufler 2018-09-17 23:30 ` Casey Schaufler 2018-09-17 23:30 ` Casey Schaufler 2018-09-17 23:47 ` Mickaël Salaün 2018-09-18 0:00 ` Casey Schaufler 2018-09-18 0:00 ` Casey Schaufler 2018-09-17 23:25 ` John Johansen 2018-09-17 23:25 ` John Johansen 2018-09-17 23:25 ` Casey Schaufler 2018-09-17 23:25 ` Casey Schaufler 2018-09-18 0:00 ` Kees Cook 2018-09-18 0:00 ` Kees Cook 2018-09-18 0:24 ` Casey Schaufler 2018-09-18 0:24 ` Casey Schaufler 2018-09-18 0:45 ` Kees Cook 2018-09-18 0:45 ` Kees Cook 2018-09-18 0:57 ` Casey Schaufler 2018-09-18 0:57 ` Casey Schaufler 2018-09-18 0:59 ` Kees Cook 2018-09-18 0:59 ` Kees Cook 2018-09-18 1:08 ` John Johansen 2018-09-18 1:08 ` John Johansen 2018-09-17 19:35 ` John Johansen 2018-09-17 19:35 ` John Johansen 2018-09-16 0:30 ` [PATCH 17/18] LSM: Provide init debugging Kees Cook 2018-09-16 0:30 ` Kees Cook 2018-09-16 0:30 ` [PATCH 18/18] LSM: Don't ignore initialization failures Kees Cook 2018-09-16 0:30 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=8f0bd39b-29a6-325d-4558-d9f484249c22@schaufler-ca.com \ --to=casey@schaufler-ca.com \ --cc=casey.schaufler@intel.com \ --cc=jmorris@namei.org \ --cc=john.johansen@canonical.com \ --cc=keescook@chromium.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=paul@paul-moore.com \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sds@tycho.nsa.gov \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.