All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	casey.schaufler@intel.com, linux-security-module@vger.kernel.org,
	jmorris@namei.org, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	linux-api@vger.kernel.org
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name
Date: Sun, 27 Nov 2022 22:52:52 -0500	[thread overview]
Message-ID: <CAHC9VhSza-P0hG_iSdW8MCAKaykUW5eLBkpg=bb4-D_=7-j3+Q@mail.gmail.com> (raw)
In-Reply-To: <94ac3c49-550b-c517-680f-ba653d568f72@digikod.net>

On Fri, Nov 25, 2022 at 11:30 AM Mickaël Salaün <mic@digikod.net> wrote:
> On 23/11/2022 21:15, Casey Schaufler wrote:
> > Create a struct lsm_id to contain identifying information
> > about Linux Security Modules (LSMs). At inception this contains
> > the name of the module and an identifier associated with the
> > security module. Change the security_add_hooks() interface to
> > use this structure. Change the individual modules to maintain
> > their own struct lsm_id and pass it to security_add_hooks().
> >
> > The values are for LSM identifiers are defined in a new UAPI
> > header file linux/lsm.h. Each existing LSM has been updated to
> > include it's LSMID in the lsm_id.
> >
> > The LSM ID values are sequential, with the oldest module
> > LSM_ID_CAPABILITY being the lowest value and the existing modules
> > numbered in the order they were included in the main line kernel.
> > This is an arbitrary convention for assigning the values, but
> > none better presents itself. The value 0 is defined as being invalid.
> > The values 1-99 are reserved for any special case uses which may
> > arise in the future.
> >
> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> >   include/linux/lsm_hooks.h    | 16 ++++++++++++++--
> >   include/uapi/linux/lsm.h     | 32 ++++++++++++++++++++++++++++++++
> >   security/apparmor/lsm.c      |  8 +++++++-
> >   security/bpf/hooks.c         | 13 ++++++++++++-
> >   security/commoncap.c         |  8 +++++++-
> >   security/landlock/cred.c     |  2 +-
> >   security/landlock/fs.c       |  2 +-
> >   security/landlock/ptrace.c   |  2 +-
> >   security/landlock/setup.c    |  6 ++++++
> >   security/landlock/setup.h    |  1 +
> >   security/loadpin/loadpin.c   |  9 ++++++++-
> >   security/lockdown/lockdown.c |  8 +++++++-
> >   security/safesetid/lsm.c     |  9 ++++++++-
> >   security/security.c          | 12 ++++++------
> >   security/selinux/hooks.c     |  9 ++++++++-
> >   security/smack/smack_lsm.c   |  8 +++++++-
> >   security/tomoyo/tomoyo.c     |  9 ++++++++-
> >   security/yama/yama_lsm.c     |  8 +++++++-
> >   18 files changed, 141 insertions(+), 21 deletions(-)
> >   create mode 100644 include/uapi/linux/lsm.h

...

> > diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> > new file mode 100644
> > index 000000000000..47791c330cbf
> > --- /dev/null
> > +++ b/include/uapi/linux/lsm.h
> > @@ -0,0 +1,32 @@
> > +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> > +/*
> > + * Linux Security Modules (LSM) - User space API
> > + *
> > + * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
> > + * Copyright (C) 2022 Intel Corporation
> > + */
> > +
> > +#ifndef _UAPI_LINUX_LSM_H
> > +#define _UAPI_LINUX_LSM_H
> > +
> > +/*
> > + * ID values to identify security modules.
> > + * A system may use more than one security module.
> > + *
> > + * Values 1-99 are reserved for future use in special cases.
>
> This line should be removed unless justified. What could be special
> about IDs? The syscalls already have a "flags" argument, which is enough.
>
> > + */
> > +#define LSM_ID_INVALID               0
>
> Reserving 0 is good, but it doesn't deserve a dedicated declaration.
> LSM_ID_INVALID should be removed.
>
>
> > +#define LSM_ID_CAPABILITY    100
>
> This should be 1…

No.  Scratch that, make that an emphatic "No".

If you want to argue for a different reserved low-number range, e.g.
something with a nice power-of-2 limit, I'm okay with that, but as I
wrote earlier I feel strongly we need to have a low-number reserved
range for potential future uses.

-- 
paul-moore.com

  reply	other threads:[~2022-11-28  3:53 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20221123201552.7865-1-casey.ref@schaufler-ca.com>
2022-11-23 20:15 ` [PATCH v3 0/9] LSM: Three basic syscalls Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 1/9] LSM: Identify modules by more than name Casey Schaufler
2022-11-24  5:40     ` Greg KH
2022-11-25 16:19       ` Mickaël Salaün
2022-11-28  3:48         ` Paul Moore
2022-11-28  7:51           ` Greg KH
2022-11-28 12:49             ` Paul Moore
2022-11-28 19:07               ` Casey Schaufler
2022-11-25 16:30     ` Mickaël Salaün
2022-11-28  3:52       ` Paul Moore [this message]
2022-11-23 20:15   ` [PATCH v3 2/9] LSM: Identify the process attributes for each module Casey Schaufler
2022-11-25 16:41     ` Mickaël Salaün
2022-11-25 18:27       ` Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 3/9] LSM: Maintain a table of LSM attribute data Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 4/9] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 5/9] LSM: lsm_get_self_attr syscall for LSM self attributes Casey Schaufler
2022-11-25 13:54     ` kernel test robot
2022-12-04  2:16     ` kernel test robot
2022-11-23 20:15   ` [PATCH v3 6/9] LSM: Create lsm_module_list system call Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 7/9] LSM: lsm_set_self_attr syscall for LSM self attributes Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 8/9] LSM: wireup Linux Security Module syscalls Casey Schaufler
2022-11-27  9:50     ` kernel test robot
2022-11-23 20:15   ` [PATCH v3 9/9] LSM: selftests for Linux Security Module infrastructure syscalls Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHC9VhSza-P0hG_iSdW8MCAKaykUW5eLBkpg=bb4-D_=7-j3+Q@mail.gmail.com' \
    --to=paul@paul-moore.com \
    --cc=casey.schaufler@intel.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.