From: Paul Moore
Date: Sat, 5 Jun 2021 22:11:00 -0400
Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks
To: Linus Torvalds
Cc: Casey Schaufler, Alexei Starovoitov, Daniel Borkmann, Ondrej Mosnacek, LSM List, James Morris, Steven Rostedt, Ingo Molnar, Stephen Smalley, SElinux list, ppc-dev, Linux-Fsdevel, bpf, Network Development, LKML, Jiri Olsa, Alexei Starovoitov, Andrii Nakryiko, "David S. Miller", Jakub Kicinski
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jun 5, 2021 at 2:17 PM Linus Torvalds wrote:
> On Sat, Jun 5, 2021 at 11:11 AM Casey Schaufler wrote:
> >
> > You have fallen into a common fallacy. The fact that the "code runs"
> > does not assure that the "system works right". In the security world
> > we face this all the time, often with performance expectations. In this
> > case the BPF design has failed [..]
>
> I think it's the lockdown patches that have failed. They did the wrong
> thing, they didn't work,
>
> The report in question is for a regression.
>
> THERE ARE NO VALID ARGUMENTS FOR REGRESSIONS.

To think I was worried we might end this thread without a bit of CAPS
LOCK, whew! :)

I don't think anyone in this discussion, even Casey's last comment,
was denying that there was a problem. The discussion and the
disagreements were about what a "proper" fix would be, and how one
might implement that fix; of course there were different ideas of
"proper" and implementations vary even when people agree, so things
were a bit of a mess.

If you want to get upset and shouty, I think there are a few things
spread across the subsystems involved that would be worthy targets,
but to say that Casey, myself, or anyone else who plays under
security/ denied the problem in this thread is not fair, or correct,
in my opinion.

> Honestly, security people need to understand that "not working" is not
> a success case of security. It's a failure case.

I can't pretend to know what all of the "security people" are
thinking, but I can say with a good degree of certainty that my goal
is not to crash, panic, kill, or otherwise disable a user's system.
When it comes to things like the LSM hooks, my goal is to try and make
sure we have the right hooks in the right places so that admins and
users have the tools they need to control access to their data and
systems in the way that they choose. Sometimes this puts us at odds
with other subsystems in the kernel, we saw that in this thread, but
that's to be expected anytime you have competing priorities.

The important part is that eventually we figure out some way to move
forward, and the fact that we are still all making progress and
putting out new kernel releases is proof that we are finding a way.
That's what matters to me, and if I was forced to guess, I would
imagine that matters quite a lot to most of us here.

-- 
paul moore
www.paul-moore.com