From: Paul Moore <paul@paul-moore.com> To: keescook@chromium.org Cc: casey@schaufler-ca.com, linux-security-module@vger.kernel.org, James Morris <jmorris@namei.org>, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, Stephen Smalley <sds@tycho.nsa.gov>, linux-fsdevel@vger.kernel.org, adobriyan@gmail.com, casey.schaufler@intel.com Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Date: Thu, 13 Sep 2018 09:16:39 -0400 [thread overview] Message-ID: <CAHC9VhQN0wq0zZS5BYU9jBomaWvCaJ_BqJjHF3AT7FG8Z0nLDQ@mail.gmail.com> (raw) In-Reply-To: <CAGXu5jLONSfPHYYYTLSma-+arVHSQKaEWb9JxpOn6TNKtyLNhw@mail.gmail.com> On Thu, Sep 13, 2018 at 12:19 AM Kees Cook <keescook@chromium.org> wrote: > On Tue, Sep 11, 2018 at 9:42 AM, Casey Schaufler <casey@schaufler-ca.com> wrote: > > Two proposed security modules require the ability to > > share security blobs with existing "major" security modules. > > These modules, S.A.R.A and LandLock, provide significantly > > different services than SELinux, Smack or AppArmor. Using > > either in conjunction with the existing modules is quite > > reasonable. S.A.R.A requires access to the cred blob, while > > LandLock uses the cred, file and inode blobs. > > > > The use of the cred, file and inode blobs has been > > abstracted in preceding patches in the series. This > > patch teaches the affected security modules how to access > > the part of the blob set aside for their use in the case > > where blobs are shared. The configuration option > > CONFIG_SECURITY_STACKING identifies systems where the > > blobs may be shared. > > > > The mechanism for selecting which security modules are > > active has been changed to allow non-conflicting "major" > > security modules to be used together. At this time the > > TOMOYO module can safely be used with any of the others. > > The two new modules would be non-conflicting as well. > > > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > > --- > > Documentation/admin-guide/LSM/index.rst | 14 +++-- > > include/linux/lsm_hooks.h | 2 +- > > security/Kconfig | 81 +++++++++++++++++++++++++ > > security/apparmor/include/cred.h | 8 +++ > > security/apparmor/include/file.h | 9 ++- > > security/apparmor/include/lib.h | 4 ++ > > security/apparmor/lsm.c | 8 ++- > > security/security.c | 30 ++++++++- > > security/selinux/hooks.c | 3 +- > > security/selinux/include/objsec.h | 18 +++++- > > security/smack/smack.h | 19 +++++- > > security/smack/smack_lsm.c | 17 +++--- > > security/tomoyo/common.h | 12 +++- > > security/tomoyo/tomoyo.c | 3 +- > > 14 files changed, 200 insertions(+), 28 deletions(-) ... > > diff --git a/security/Kconfig b/security/Kconfig > > index 22f7664c4977..ed48025ae9e0 100644 > > --- a/security/Kconfig > > +++ b/security/Kconfig > > @@ -36,6 +36,28 @@ config SECURITY_WRITABLE_HOOKS > > bool > > default n > > > > +config SECURITY_STACKING > > + bool "Security module stacking" > > + depends on SECURITY > > + help > > + Allows multiple major security modules to be stacked. > > + Modules are invoked in the order registered with a > > + "bail on fail" policy, in which the infrastructure > > + will stop processing once a denial is detected. Not > > + all modules can be stacked. SELinux, Smack and AppArmor are > > + known to be incompatible. User space components may > > + have trouble identifying the security module providing > > + data in some cases. > > + > > + If you select this option you will have to select which > > + of the stackable modules you wish to be active. The > > + "Default security module" will be ignored. The boot line > > + "security=" option can be used to specify that one of > > + the modules identifed for stacking should be used instead > > + of the entire stack. > > + > > + If you are unsure how to answer this question, answer N. > > I don't see a good reason to make this a config. Why shouldn't this > always be enabled? I do. From a user perspective it is sometimes difficult to determine the reason behind a failed operation; its is a DAC based denial, the LSM, or some other failure? Stacking additional LSMs has the potential to make this worse. The boot time configuration adds to the complexity. I think we should leave this decision to the individual distros so that they can make their own decision on LSM stacking based on the savviness of their user base and the quality of their support infrastructure. -- paul moore www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: paul@paul-moore.com (Paul Moore) To: linux-security-module@vger.kernel.org Subject: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Date: Thu, 13 Sep 2018 09:16:39 -0400 [thread overview] Message-ID: <CAHC9VhQN0wq0zZS5BYU9jBomaWvCaJ_BqJjHF3AT7FG8Z0nLDQ@mail.gmail.com> (raw) In-Reply-To: <CAGXu5jLONSfPHYYYTLSma-+arVHSQKaEWb9JxpOn6TNKtyLNhw@mail.gmail.com> On Thu, Sep 13, 2018 at 12:19 AM Kees Cook <keescook@chromium.org> wrote: > On Tue, Sep 11, 2018 at 9:42 AM, Casey Schaufler <casey@schaufler-ca.com> wrote: > > Two proposed security modules require the ability to > > share security blobs with existing "major" security modules. > > These modules, S.A.R.A and LandLock, provide significantly > > different services than SELinux, Smack or AppArmor. Using > > either in conjunction with the existing modules is quite > > reasonable. S.A.R.A requires access to the cred blob, while > > LandLock uses the cred, file and inode blobs. > > > > The use of the cred, file and inode blobs has been > > abstracted in preceding patches in the series. This > > patch teaches the affected security modules how to access > > the part of the blob set aside for their use in the case > > where blobs are shared. The configuration option > > CONFIG_SECURITY_STACKING identifies systems where the > > blobs may be shared. > > > > The mechanism for selecting which security modules are > > active has been changed to allow non-conflicting "major" > > security modules to be used together. At this time the > > TOMOYO module can safely be used with any of the others. > > The two new modules would be non-conflicting as well. > > > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > > --- > > Documentation/admin-guide/LSM/index.rst | 14 +++-- > > include/linux/lsm_hooks.h | 2 +- > > security/Kconfig | 81 +++++++++++++++++++++++++ > > security/apparmor/include/cred.h | 8 +++ > > security/apparmor/include/file.h | 9 ++- > > security/apparmor/include/lib.h | 4 ++ > > security/apparmor/lsm.c | 8 ++- > > security/security.c | 30 ++++++++- > > security/selinux/hooks.c | 3 +- > > security/selinux/include/objsec.h | 18 +++++- > > security/smack/smack.h | 19 +++++- > > security/smack/smack_lsm.c | 17 +++--- > > security/tomoyo/common.h | 12 +++- > > security/tomoyo/tomoyo.c | 3 +- > > 14 files changed, 200 insertions(+), 28 deletions(-) ... > > diff --git a/security/Kconfig b/security/Kconfig > > index 22f7664c4977..ed48025ae9e0 100644 > > --- a/security/Kconfig > > +++ b/security/Kconfig > > @@ -36,6 +36,28 @@ config SECURITY_WRITABLE_HOOKS > > bool > > default n > > > > +config SECURITY_STACKING > > + bool "Security module stacking" > > + depends on SECURITY > > + help > > + Allows multiple major security modules to be stacked. > > + Modules are invoked in the order registered with a > > + "bail on fail" policy, in which the infrastructure > > + will stop processing once a denial is detected. Not > > + all modules can be stacked. SELinux, Smack and AppArmor are > > + known to be incompatible. User space components may > > + have trouble identifying the security module providing > > + data in some cases. > > + > > + If you select this option you will have to select which > > + of the stackable modules you wish to be active. The > > + "Default security module" will be ignored. The boot line > > + "security=" option can be used to specify that one of > > + the modules identifed for stacking should be used instead > > + of the entire stack. > > + > > + If you are unsure how to answer this question, answer N. > > I don't see a good reason to make this a config. Why shouldn't this > always be enabled? I do. From a user perspective it is sometimes difficult to determine the reason behind a failed operation; its is a DAC based denial, the LSM, or some other failure? Stacking additional LSMs has the potential to make this worse. The boot time configuration adds to the complexity. I think we should leave this decision to the individual distros so that they can make their own decision on LSM stacking based on the savviness of their user base and the quality of their support infrastructure. -- paul moore www.paul-moore.com
next prev parent reply other threads:[~2018-09-13 13:16 UTC|newest] Thread overview: 117+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-09-11 16:26 [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock Casey Schaufler 2018-09-11 16:26 ` Casey Schaufler 2018-09-11 16:41 ` [PATCH 01/10] procfs: add smack subdir to attrs Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-11 23:45 ` Ahmed S. Darwish 2018-09-11 23:45 ` Ahmed S. Darwish 2018-09-12 0:01 ` Casey Schaufler 2018-09-12 0:01 ` Casey Schaufler 2018-09-12 22:57 ` Kees Cook 2018-09-12 22:57 ` Kees Cook 2018-09-11 16:41 ` [PATCH 02/10] Smack: Abstract use of cred security blob Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:04 ` Kees Cook 2018-09-12 23:04 ` Kees Cook 2018-09-11 16:41 ` [PATCH 03/10] SELinux: " Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:10 ` Kees Cook 2018-09-12 23:10 ` Kees Cook 2018-09-11 16:41 ` [PATCH 04/10] LSM: Infrastructure management of the " Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:53 ` Kees Cook 2018-09-12 23:53 ` Kees Cook 2018-09-13 19:01 ` Casey Schaufler 2018-09-13 19:01 ` Casey Schaufler 2018-09-13 21:12 ` Kees Cook 2018-09-13 21:12 ` Kees Cook 2018-09-11 16:41 ` [PATCH 05/10] SELinux: Abstract use of file " Casey Schaufler 2018-09-11 16:41 ` Casey Schaufler 2018-09-12 23:54 ` Kees Cook 2018-09-12 23:54 ` Kees Cook 2018-09-11 16:42 ` [PATCH 06/10] LSM: Infrastructure management of the " Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:00 ` Kees Cook 2018-09-13 0:00 ` Kees Cook 2018-09-11 16:42 ` [PATCH 07/10] SELinux: Abstract use of inode " Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:23 ` Kees Cook 2018-09-13 0:23 ` Kees Cook 2018-09-11 16:42 ` [PATCH 08/10] Smack: " Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:24 ` Kees Cook 2018-09-13 0:24 ` Kees Cook 2018-09-11 16:42 ` [PATCH 09/10] LSM: Infrastructure management of the inode security Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 0:30 ` Kees Cook 2018-09-13 0:30 ` Kees Cook 2018-09-11 16:42 ` [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Casey Schaufler 2018-09-11 16:42 ` Casey Schaufler 2018-09-13 4:19 ` Kees Cook 2018-09-13 4:19 ` Kees Cook 2018-09-13 13:16 ` Paul Moore [this message] 2018-09-13 13:16 ` Paul Moore 2018-09-13 15:19 ` Kees Cook 2018-09-13 15:19 ` Kees Cook 2018-09-13 19:12 ` Paul Moore 2018-09-13 19:12 ` Paul Moore 2018-09-13 20:58 ` Jordan Glover 2018-09-13 20:58 ` Jordan Glover 2018-09-13 20:58 ` Jordan Glover 2018-09-13 21:50 ` Paul Moore 2018-09-13 21:50 ` Paul Moore 2018-09-13 22:04 ` Jordan Glover 2018-09-13 22:04 ` Jordan Glover 2018-09-13 22:04 ` Jordan Glover 2018-09-13 23:01 ` Casey Schaufler 2018-09-13 23:01 ` Casey Schaufler 2018-09-13 21:01 ` Kees Cook 2018-09-13 21:01 ` Kees Cook 2018-09-13 21:38 ` Paul Moore 2018-09-13 21:38 ` Paul Moore 2018-09-13 21:51 ` Kees Cook 2018-09-13 21:51 ` Kees Cook 2018-09-13 23:06 ` Kees Cook 2018-09-13 23:06 ` Kees Cook 2018-09-13 23:32 ` John Johansen 2018-09-13 23:32 ` John Johansen 2018-09-13 23:51 ` Kees Cook 2018-09-13 23:51 ` Kees Cook 2018-09-14 0:03 ` Casey Schaufler 2018-09-14 0:03 ` Casey Schaufler 2018-09-14 0:06 ` Kees Cook 2018-09-14 0:06 ` Kees Cook 2018-09-13 23:51 ` Casey Schaufler 2018-09-13 23:51 ` Casey Schaufler 2018-09-13 23:57 ` Kees Cook 2018-09-13 23:57 ` Kees Cook 2018-09-14 0:08 ` Casey Schaufler 2018-09-14 0:08 ` Casey Schaufler 2018-09-14 0:19 ` Kees Cook 2018-09-14 0:19 ` Kees Cook 2018-09-14 15:57 ` Casey Schaufler 2018-09-14 15:57 ` Casey Schaufler 2018-09-14 20:05 ` Kees Cook 2018-09-14 20:05 ` Kees Cook 2018-09-14 20:47 ` Casey Schaufler 2018-09-14 20:47 ` Casey Schaufler 2018-09-14 18:18 ` James Morris 2018-09-14 18:18 ` James Morris 2018-09-14 18:23 ` John Johansen 2018-09-14 18:23 ` John Johansen 2018-09-14 0:03 ` Kees Cook 2018-09-14 0:03 ` Kees Cook 2018-09-14 2:42 ` Paul Moore 2018-09-14 2:42 ` Paul Moore 2018-09-11 20:43 ` [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock James Morris 2018-09-11 20:43 ` James Morris 2018-09-12 21:29 ` James Morris 2018-09-12 21:29 ` James Morris 2018-09-16 16:54 ` Salvatore Mesoraca 2018-09-16 16:54 ` Salvatore Mesoraca 2018-09-16 17:25 ` Casey Schaufler 2018-09-16 17:25 ` Casey Schaufler 2018-09-16 17:45 ` Salvatore Mesoraca 2018-09-16 17:45 ` Salvatore Mesoraca 2018-09-18 7:44 ` Mickaël Salaün 2018-09-18 15:23 ` Casey Schaufler 2018-09-18 15:23 ` Casey Schaufler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAHC9VhQN0wq0zZS5BYU9jBomaWvCaJ_BqJjHF3AT7FG8Z0nLDQ@mail.gmail.com \ --to=paul@paul-moore.com \ --cc=adobriyan@gmail.com \ --cc=casey.schaufler@intel.com \ --cc=casey@schaufler-ca.com \ --cc=jmorris@namei.org \ --cc=john.johansen@canonical.com \ --cc=keescook@chromium.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sds@tycho.nsa.gov \ --cc=selinux@tycho.nsa.gov \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.