From: Kees Cook <keescook@chromium.org> To: Casey Schaufler <casey@schaufler-ca.com> Cc: Paul Moore <paul@paul-moore.com>, linux-security-module <linux-security-module@vger.kernel.org>, James Morris <jmorris@namei.org>, LKML <linux-kernel@vger.kernel.org>, SE Linux <selinux@tycho.nsa.gov>, John Johansen <john.johansen@canonical.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Stephen Smalley <sds@tycho.nsa.gov>, "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>, Alexey Dobriyan <adobriyan@gmail.com>, "Schaufler, Casey" <casey.schaufler@intel.com> Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Date: Fri, 14 Sep 2018 13:05:07 -0700 [thread overview] Message-ID: <CAGXu5jL2LjPhLsx2bQJQdj4GraTDakYTqb3fqUbWGrOfUsW8=w@mail.gmail.com> (raw) In-Reply-To: <2bc5e4f5-8429-6843-f255-8fab6dacf39b@schaufler-ca.com> On Fri, Sep 14, 2018 at 8:57 AM, Casey Schaufler <casey@schaufler-ca.com> wrote: > On 9/13/2018 5:19 PM, Kees Cook wrote: >> We already have the minor LSMs that cannot change order. > > Are you saying that we don't have a mechanism to change > the order, or that they wouldn't work right in a different > order? Well, there's the capability module that has to be > first. I just meant their order is explicit in security.c. >> They aren't >> part of security= parsing either. > > True, but there's no reason now that we couldn't change that. > Except for capability. Hmm. Right, we have at least one that MUST be first (and must not be disabled). >> Should "blob-sharing" LSMs be like major LSMs or minor LSMs? > > I like the idea of changing the minor modules to do the full > registration process. That would make them all the same. > Except for capability. In any case, the "blob-sharing" LSMs > need to do the full registration process to account for their > blobs sizes, and that brings the "major" behavior along with it. I agree. I'm working on some clean-ups that I'll send out soon, though I'm worried about some of the various boot-time options... >> If someone is booting with "security=selinux,tomoyo" and then SARA >> lands upstream, does that person have to explicitly add "sara" to >> their boot args, since they're doing a non-default list of LSMs? > > Yes. security= is explicit. > >> (I actually prefer the answer being "yes" here, FWIW, I just want to >> nail down the expectations.) > > For now let's leave the minor (capability, yama, loadpin) as they are, > and require all new modules of any flavor to use full registration. I would even be fine to convert yama and loadpin. > We could consider something like > > security=$lsm # Stack with $lsm at priority 2 - Existing behavior > $lsm.stacked=N # Add $lsm to the stack at priority N. Delete if N == 0 > > It's OK to specify "selinux.stacked=2" and "sara.stacked=2". Which gets > called first is left up to the system to decide. Whatever the behavior is > gets documented. Capability will always be first and have priority 1. > It's OK to specify "smack.stacked=1". I'm less excited about this kind of stacking priority, but, whatever the case, I think my cleanups may help with whatever we decide. > The default stack is determined by CONFIG_SECURITY_$lsm_STACKED at > build time. CONFIG_SECURITY_$lsm_STACKED changes from a boolean to > an integer value to establish the default hook order. > > /sys/kernel/security/lsm reports the modules in hook call order. Didn't I send a patch to new-line terminate this list? I always get annoyed when I "cat" it. ;) > /sys/kernel/security/lsm-stack reports the list with the hook call priority > > capability:1,yama:1,selinux:1,sara:5,landlack:17 > > If stacking is not configured $lsm.stacked=0 is treated as security=none. > For other values of N $lsm.stacked=N is treated as security=$lsm. I feel like "order" is bad enough. Can we avoid adding "priority"? -Kees -- Kees Cook Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook) To: linux-security-module@vger.kernel.org Subject: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Date: Fri, 14 Sep 2018 13:05:07 -0700 [thread overview] Message-ID: <CAGXu5jL2LjPhLsx2bQJQdj4GraTDakYTqb3fqUbWGrOfUsW8=w@mail.gmail.com> (raw) In-Reply-To: <2bc5e4f5-8429-6843-f255-8fab6dacf39b@schaufler-ca.com> On Fri, Sep 14, 2018 at 8:57 AM, Casey Schaufler <casey@schaufler-ca.com> wrote: > On 9/13/2018 5:19 PM, Kees Cook wrote: >> We already have the minor LSMs that cannot change order. > > Are you saying that we don't have a mechanism to change > the order, or that they wouldn't work right in a different > order? Well, there's the capability module that has to be > first. I just meant their order is explicit in security.c. >> They aren't >> part of security= parsing either. > > True, but there's no reason now that we couldn't change that. > Except for capability. Hmm. Right, we have at least one that MUST be first (and must not be disabled). >> Should "blob-sharing" LSMs be like major LSMs or minor LSMs? > > I like the idea of changing the minor modules to do the full > registration process. That would make them all the same. > Except for capability. In any case, the "blob-sharing" LSMs > need to do the full registration process to account for their > blobs sizes, and that brings the "major" behavior along with it. I agree. I'm working on some clean-ups that I'll send out soon, though I'm worried about some of the various boot-time options... >> If someone is booting with "security=selinux,tomoyo" and then SARA >> lands upstream, does that person have to explicitly add "sara" to >> their boot args, since they're doing a non-default list of LSMs? > > Yes. security= is explicit. > >> (I actually prefer the answer being "yes" here, FWIW, I just want to >> nail down the expectations.) > > For now let's leave the minor (capability, yama, loadpin) as they are, > and require all new modules of any flavor to use full registration. I would even be fine to convert yama and loadpin. > We could consider something like > > security=$lsm # Stack with $lsm at priority 2 - Existing behavior > $lsm.stacked=N # Add $lsm to the stack at priority N. Delete if N == 0 > > It's OK to specify "selinux.stacked=2" and "sara.stacked=2". Which gets > called first is left up to the system to decide. Whatever the behavior is > gets documented. Capability will always be first and have priority 1. > It's OK to specify "smack.stacked=1". I'm less excited about this kind of stacking priority, but, whatever the case, I think my cleanups may help with whatever we decide. > The default stack is determined by CONFIG_SECURITY_$lsm_STACKED at > build time. CONFIG_SECURITY_$lsm_STACKED changes from a boolean to > an integer value to establish the default hook order. > > /sys/kernel/security/lsm reports the modules in hook call order. Didn't I send a patch to new-line terminate this list? I always get annoyed when I "cat" it. ;) > /sys/kernel/security/lsm-stack reports the list with the hook call priority > > capability:1,yama:1,selinux:1,sara:5,landlack:17 > > If stacking is not configured $lsm.stacked=0 is treated as security=none. > For other values of N $lsm.stacked=N is treated as security=$lsm. I feel like "order" is bad enough. Can we avoid adding "priority"? -Kees -- Kees Cook Pixel Security
next prev parent reply other threads:[~2018-09-14 20:05 UTC|newest] Thread overview: 117+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-09-11 16:26 [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock Casey Schaufler 2018-09-11 16:26 ` Casey Schaufler 2018-09-11 16:41 ` [PATCH 01/10] procfs: add smack subdir to attrs Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-11 23:45 ` Ahmed S. Darwish 2018-09-11 23:45 ` Ahmed S. Darwish 2018-09-12 0:01 ` Casey Schaufler 2018-09-12 0:01 ` Casey Schaufler 2018-09-12 22:57 ` Kees Cook 2018-09-12 22:57 ` Kees Cook 2018-09-11 16:41 ` [PATCH 02/10] Smack: Abstract use of cred security blob Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:04 ` Kees Cook 2018-09-12 23:04 ` Kees Cook 2018-09-11 16:41 ` [PATCH 03/10] SELinux: " Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:10 ` Kees Cook 2018-09-12 23:10 ` Kees Cook 2018-09-11 16:41 ` [PATCH 04/10] LSM: Infrastructure management of the " Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:53 ` Kees Cook 2018-09-12 23:53 ` Kees Cook 2018-09-13 19:01 ` Casey Schaufler 2018-09-13 19:01 ` Casey Schaufler 2018-09-13 21:12 ` Kees Cook 2018-09-13 21:12 ` Kees Cook 2018-09-11 16:41 ` [PATCH 05/10] SELinux: Abstract use of file " Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:54 ` Kees Cook 2018-09-12 23:54 ` Kees Cook 2018-09-11 16:42 ` [PATCH 06/10] LSM: Infrastructure management of the " Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:00 ` Kees Cook 2018-09-13 0:00 ` Kees Cook 2018-09-11 16:42 ` [PATCH 07/10] SELinux: Abstract use of inode " Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:23 ` Kees Cook 2018-09-13 0:23 ` Kees Cook 2018-09-11 16:42 ` [PATCH 08/10] Smack: " Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:24 ` Kees Cook 2018-09-13 0:24 ` Kees Cook 2018-09-11 16:42 ` [PATCH 09/10] LSM: Infrastructure management of the inode security Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:30 ` Kees Cook 2018-09-13 0:30 ` Kees Cook 2018-09-11 16:42 ` [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 4:19 ` Kees Cook 2018-09-13 4:19 ` Kees Cook 2018-09-13 13:16 ` Paul Moore 2018-09-13 13:16 ` Paul Moore 2018-09-13 15:19 ` Kees Cook 2018-09-13 15:19 ` Kees Cook 2018-09-13 19:12 ` Paul Moore 2018-09-13 19:12 ` Paul Moore 2018-09-13 20:58 ` Jordan Glover 2018-09-13 20:58 ` Jordan Glover 2018-09-13 20:58 ` Jordan Glover 2018-09-13 21:50 ` Paul Moore 2018-09-13 21:50 ` Paul Moore 2018-09-13 22:04 ` Jordan Glover 2018-09-13 22:04 ` Jordan Glover 2018-09-13 22:04 ` Jordan Glover 2018-09-13 23:01 ` Casey Schaufler 2018-09-13 23:01 ` Casey Schaufler 2018-09-13 21:01 ` Kees Cook 2018-09-13 21:01 ` Kees Cook 2018-09-13 21:38 ` Paul Moore 2018-09-13 21:38 ` Paul Moore 2018-09-13 21:51 ` Kees Cook 2018-09-13 21:51 ` Kees Cook 2018-09-13 23:06 ` Kees Cook 2018-09-13 23:06 ` Kees Cook 2018-09-13 23:32 ` John Johansen 2018-09-13 23:32 ` John Johansen 2018-09-13 23:51 ` Kees Cook 2018-09-13 23:51 ` Kees Cook 2018-09-14 0:03 ` Casey Schaufler 2018-09-14 0:03 ` Casey Schaufler 2018-09-14 0:06 ` Kees Cook 2018-09-14 0:06 ` Kees Cook 2018-09-13 23:51 ` Casey Schaufler 2018-09-13 23:51 ` Casey Schaufler 2018-09-13 23:57 ` Kees Cook 2018-09-13 23:57 ` Kees Cook 2018-09-14 0:08 ` Casey Schaufler 2018-09-14 0:08 ` Casey Schaufler 2018-09-14 0:19 ` Kees Cook 2018-09-14 0:19 ` Kees Cook 2018-09-14 15:57 ` Casey Schaufler 2018-09-14 15:57 ` Casey Schaufler 2018-09-14 20:05 ` Kees Cook [this message] 2018-09-14 20:05 ` Kees Cook 2018-09-14 20:47 ` Casey Schaufler 2018-09-14 20:47 ` Casey Schaufler 2018-09-14 18:18 ` James Morris 2018-09-14 18:18 ` James Morris 2018-09-14 18:23 ` John Johansen 2018-09-14 18:23 ` John Johansen 2018-09-14 0:03 ` Kees Cook 2018-09-14 0:03 ` Kees Cook 2018-09-14 2:42 ` Paul Moore 2018-09-14 2:42 ` Paul Moore 2018-09-11 20:43 ` [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock James Morris 2018-09-11 20:43 ` James Morris 2018-09-12 21:29 ` James Morris 2018-09-12 21:29 ` James Morris 2018-09-16 16:54 ` Salvatore Mesoraca 2018-09-16 16:54 ` Salvatore Mesoraca 2018-09-16 17:25 ` Casey Schaufler 2018-09-16 17:25 ` Casey Schaufler 2018-09-16 17:45 ` Salvatore Mesoraca 2018-09-16 17:45 ` Salvatore Mesoraca 2018-09-18 7:44 ` Mickaël Salaün 2018-09-18 15:23 ` Casey Schaufler 2018-09-18 15:23 ` Casey Schaufler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAGXu5jL2LjPhLsx2bQJQdj4GraTDakYTqb3fqUbWGrOfUsW8=w@mail.gmail.com' \ --to=keescook@chromium.org \ --cc=adobriyan@gmail.com \ --cc=casey.schaufler@intel.com \ --cc=casey@schaufler-ca.com \ --cc=jmorris@namei.org \ --cc=john.johansen@canonical.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=paul@paul-moore.com \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sds@tycho.nsa.gov \ --cc=selinux@tycho.nsa.gov \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.