From: Paul Moore <paul@paul-moore.com> To: John Johansen <john.johansen@canonical.com> Cc: Casey Schaufler <casey@schaufler-ca.com>, LSM List <linux-security-module@vger.kernel.org>, James Morris <jmorris@namei.org>, linux-audit@redhat.com, Mimi Zohar <zohar@linux.ibm.com>, keescook@chromium.org, SElinux list <selinux@vger.kernel.org> Subject: Re: LSM stacking in next for 6.1? Date: Wed, 7 Sep 2022 18:57:21 -0400 [thread overview] Message-ID: <CAHC9VhRPO+nE7bc9nXVLYbjXDVHz_QTCLn7ns74RMviR7BJ3VA@mail.gmail.com> (raw) In-Reply-To: <65d21148-6a6d-4c4c-aa39-fafc1740ce24@canonical.com> On Wed, Sep 7, 2022 at 1:23 PM John Johansen <john.johansen@canonical.com> wrote: > On 9/7/22 09:41, Casey Schaufler wrote: > > On 9/7/2022 7:41 AM, Paul Moore wrote: > >> On Tue, Sep 6, 2022 at 8:10 PM John Johansen > >> <john.johansen@canonical.com> wrote: > >>> On 9/6/22 16:24, Paul Moore wrote: > >>>> On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > >>>>> On 9/2/2022 2:30 PM, Paul Moore wrote: > >>>>>> On Tue, Aug 2, 2022 at 8:56 PM Paul Moore <paul@paul-moore.com> wrote: > >>>>>>> On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > >> .. > >> > >>>> If you are running AppArmor on the host system and SELinux in a > >>>> container you are likely going to have some *very* bizarre behavior as > >>>> the SELinux policy you load in the container will apply to the entire > >>>> system, including processes which started *before* the SELinux policy > >>>> was loaded. While I understand the point you are trying to make, I > >>>> don't believe the example you chose is going to work without a lot of > >>>> other changes. > >>> correct but the reverse does work ... > >> Sure, that doesn't surprise me, but that isn't the example Casey brought up. > > > > I said that I'm not sure how they go about doing Android on Ubuntu. > > I brought it up because I've seen it. > > LSM stacking for that use case is necessary but insufficient. Yes, exactly. One of my bigger worries about the stacking effort is that a lot of people have some false assumptions about what it will actually enable. Of course that doesn't mean it isn't worth doing, just that there may be a lot of disappointed people out there. > At a minimum > SELinux would need bounding, and realistically some other gymnastics. I > don't hold out hope of it happening soon if ever. I have told the anbox people > such. Most of that is just a matter of writing the code. Yes, that's going to be a decent chunk of work, but the idea is relatively straightforward. The bit that keeps blocking this in my mind is handling of the persistent filesystem labels, that's a conceptual problem we have yet to solve. The current solution of just creating more and more (scoped) xattrs isn't going to scale to the level I believe we are going to need. I keep toying with the idea of just punting on it and leaving it up to the container orchestrator to manage the filesystems; if you want to run a nested SELinux instance inside a container with dedicated file labels you need your own filesystem mounted. Dunno, lots to think about here ... > At the momement anbox disables SELinux when run in a container > > https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6ae3c120c602974edf8322 > > there has been work on using a VM instead so that they can have SELinux > but I am not current on how/when that is used. That makes much more sense, thanks John. -- paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com> To: John Johansen <john.johansen@canonical.com> Cc: SElinux list <selinux@vger.kernel.org>, James Morris <jmorris@namei.org>, Mimi Zohar <zohar@linux.ibm.com>, LSM List <linux-security-module@vger.kernel.org>, linux-audit@redhat.com Subject: Re: LSM stacking in next for 6.1? Date: Wed, 7 Sep 2022 18:57:21 -0400 [thread overview] Message-ID: <CAHC9VhRPO+nE7bc9nXVLYbjXDVHz_QTCLn7ns74RMviR7BJ3VA@mail.gmail.com> (raw) In-Reply-To: <65d21148-6a6d-4c4c-aa39-fafc1740ce24@canonical.com> On Wed, Sep 7, 2022 at 1:23 PM John Johansen <john.johansen@canonical.com> wrote: > On 9/7/22 09:41, Casey Schaufler wrote: > > On 9/7/2022 7:41 AM, Paul Moore wrote: > >> On Tue, Sep 6, 2022 at 8:10 PM John Johansen > >> <john.johansen@canonical.com> wrote: > >>> On 9/6/22 16:24, Paul Moore wrote: > >>>> On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > >>>>> On 9/2/2022 2:30 PM, Paul Moore wrote: > >>>>>> On Tue, Aug 2, 2022 at 8:56 PM Paul Moore <paul@paul-moore.com> wrote: > >>>>>>> On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > >> .. > >> > >>>> If you are running AppArmor on the host system and SELinux in a > >>>> container you are likely going to have some *very* bizarre behavior as > >>>> the SELinux policy you load in the container will apply to the entire > >>>> system, including processes which started *before* the SELinux policy > >>>> was loaded. While I understand the point you are trying to make, I > >>>> don't believe the example you chose is going to work without a lot of > >>>> other changes. > >>> correct but the reverse does work ... > >> Sure, that doesn't surprise me, but that isn't the example Casey brought up. > > > > I said that I'm not sure how they go about doing Android on Ubuntu. > > I brought it up because I've seen it. > > LSM stacking for that use case is necessary but insufficient. Yes, exactly. One of my bigger worries about the stacking effort is that a lot of people have some false assumptions about what it will actually enable. Of course that doesn't mean it isn't worth doing, just that there may be a lot of disappointed people out there. > At a minimum > SELinux would need bounding, and realistically some other gymnastics. I > don't hold out hope of it happening soon if ever. I have told the anbox people > such. Most of that is just a matter of writing the code. Yes, that's going to be a decent chunk of work, but the idea is relatively straightforward. The bit that keeps blocking this in my mind is handling of the persistent filesystem labels, that's a conceptual problem we have yet to solve. The current solution of just creating more and more (scoped) xattrs isn't going to scale to the level I believe we are going to need. I keep toying with the idea of just punting on it and leaving it up to the container orchestrator to manage the filesystems; if you want to run a nested SELinux instance inside a container with dedicated file labels you need your own filesystem mounted. Dunno, lots to think about here ... > At the momement anbox disables SELinux when run in a container > > https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6ae3c120c602974edf8322 > > there has been work on using a VM instead so that they can have SELinux > but I am not current on how/when that is used. That makes much more sense, thanks John. -- paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-09-07 22:57 UTC|newest] Thread overview: 148+ messages / expand[flat|nested] mbox.gz Atom feed top [not found] <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com> 2022-08-03 0:01 ` LSM stacking in next for 6.1? Casey Schaufler 2022-08-03 0:01 ` Casey Schaufler 2022-08-03 0:56 ` Paul Moore 2022-08-03 0:56 ` Paul Moore 2022-08-03 1:56 ` John Johansen 2022-08-03 1:56 ` John Johansen 2022-08-03 2:15 ` Casey Schaufler 2022-08-03 2:15 ` Casey Schaufler 2022-08-03 2:33 ` Paul Moore 2022-08-03 2:33 ` Paul Moore 2022-08-03 2:34 ` Steve Grubb 2022-08-03 2:34 ` Steve Grubb 2022-08-03 2:40 ` Paul Moore 2022-08-03 2:40 ` Paul Moore 2022-09-02 21:30 ` Paul Moore 2022-09-02 21:30 ` Paul Moore 2022-09-02 23:14 ` Casey Schaufler 2022-09-02 23:14 ` Casey Schaufler 2022-09-02 23:57 ` Casey Schaufler 2022-09-02 23:57 ` Casey Schaufler 2022-09-06 23:24 ` Paul Moore 2022-09-06 23:24 ` Paul Moore 2022-09-07 0:10 ` John Johansen 2022-09-07 0:10 ` John Johansen 2022-09-07 0:39 ` Casey Schaufler 2022-09-07 0:39 ` Casey Schaufler 2022-09-07 0:50 ` John Johansen 2022-09-07 0:50 ` John Johansen 2022-09-07 14:41 ` Paul Moore 2022-09-07 14:41 ` Paul Moore 2022-09-07 16:41 ` Casey Schaufler 2022-09-07 16:41 ` Casey Schaufler 2022-09-07 17:23 ` John Johansen 2022-09-07 17:23 ` John Johansen 2022-09-07 22:57 ` Paul Moore [this message] 2022-09-07 22:57 ` Paul Moore 2022-09-07 23:27 ` Paul Moore 2022-09-07 23:27 ` Paul Moore 2022-09-07 23:53 ` Casey Schaufler 2022-09-07 23:53 ` Casey Schaufler 2022-09-08 0:19 ` John Johansen 2022-09-08 0:19 ` John Johansen 2022-09-08 3:57 ` Paul Moore 2022-09-08 3:57 ` Paul Moore 2022-09-08 18:05 ` Casey Schaufler 2022-09-08 18:05 ` Casey Schaufler 2022-09-08 18:35 ` John Johansen 2022-09-08 18:35 ` John Johansen 2022-09-08 19:32 ` Paul Moore 2022-09-08 19:32 ` Paul Moore 2022-09-08 22:56 ` Casey Schaufler 2022-09-08 22:56 ` Casey Schaufler 2022-09-10 4:17 ` Tetsuo Handa 2022-09-10 4:17 ` Tetsuo Handa 2022-09-12 17:37 ` Casey Schaufler 2022-09-12 17:37 ` Casey Schaufler 2022-09-13 10:47 ` Tetsuo Handa 2022-09-13 10:47 ` Tetsuo Handa 2022-09-13 14:45 ` Casey Schaufler 2022-09-13 14:45 ` Casey Schaufler 2022-09-14 13:57 ` Tetsuo Handa 2022-09-14 13:57 ` Tetsuo Handa 2022-09-14 15:50 ` Casey Schaufler 2022-09-14 15:50 ` Casey Schaufler 2022-09-15 14:27 ` Tetsuo Handa 2022-09-15 14:27 ` Tetsuo Handa 2022-09-15 14:54 ` John Johansen 2022-09-15 14:54 ` John Johansen 2022-09-15 7:45 ` John Johansen 2022-09-15 7:45 ` John Johansen 2022-09-15 14:27 ` Tetsuo Handa 2022-09-15 14:27 ` Tetsuo Handa 2022-10-25 9:48 ` Tetsuo Handa 2022-10-25 9:48 ` Tetsuo Handa 2022-10-25 10:26 ` John Johansen 2022-10-25 10:26 ` John Johansen 2022-10-25 11:20 ` Tetsuo Handa 2022-10-25 11:20 ` Tetsuo Handa 2022-10-25 14:12 ` Casey Schaufler 2022-10-25 14:12 ` Casey Schaufler 2022-10-25 22:12 ` Tetsuo Handa 2022-10-25 22:12 ` Tetsuo Handa 2022-10-25 22:41 ` Casey Schaufler 2022-10-25 22:41 ` Casey Schaufler 2022-10-26 10:19 ` Tetsuo Handa 2022-10-26 10:19 ` Tetsuo Handa 2022-10-26 15:30 ` Casey Schaufler 2022-10-26 15:30 ` Casey Schaufler 2022-10-28 10:14 ` John Johansen 2022-10-28 10:14 ` John Johansen 2022-10-30 4:03 ` Tetsuo Handa 2022-10-30 4:03 ` Tetsuo Handa 2022-10-30 7:23 ` John Johansen 2022-10-30 7:23 ` John Johansen 2022-10-30 14:02 ` Tetsuo Handa 2022-10-30 14:02 ` Tetsuo Handa 2022-10-30 16:37 ` Kees Cook 2022-10-30 16:37 ` Kees Cook 2022-10-30 20:56 ` Casey Schaufler 2022-10-30 20:56 ` Casey Schaufler 2022-10-31 10:26 ` Tetsuo Handa 2022-10-31 10:26 ` Tetsuo Handa 2022-10-31 15:47 ` Casey Schaufler 2022-10-31 15:47 ` Casey Schaufler 2022-10-26 20:11 ` Paul Moore 2022-10-26 20:11 ` Paul Moore 2022-10-27 0:02 ` Tetsuo Handa 2022-10-27 0:02 ` Tetsuo Handa 2022-10-28 9:50 ` Paul Moore 2022-10-28 9:50 ` Paul Moore 2022-10-28 13:58 ` Tetsuo Handa 2022-10-28 13:58 ` Tetsuo Handa 2022-10-28 17:40 ` Kees Cook 2022-10-28 17:40 ` Kees Cook 2022-10-29 9:33 ` Tetsuo Handa 2022-10-29 9:33 ` Tetsuo Handa 2022-09-14 13:42 ` Paul Moore 2022-09-14 13:42 ` Paul Moore 2022-09-27 20:54 ` Casey Schaufler 2022-09-27 20:54 ` Casey Schaufler 2022-09-27 22:37 ` Paul Moore 2022-09-27 22:37 ` Paul Moore 2022-09-07 0:31 ` Casey Schaufler 2022-09-07 0:31 ` Casey Schaufler 2022-09-07 15:13 ` Paul Moore 2022-09-07 15:13 ` Paul Moore 2022-09-07 17:08 ` Casey Schaufler 2022-09-07 17:08 ` Casey Schaufler 2022-09-07 23:04 ` Paul Moore 2022-09-07 23:04 ` Paul Moore 2022-09-07 23:26 ` Casey Schaufler 2022-09-07 23:26 ` Casey Schaufler 2022-09-08 15:18 ` Tetsuo Handa 2022-09-08 15:18 ` Tetsuo Handa 2022-09-08 16:00 ` Casey Schaufler 2022-09-08 16:00 ` Casey Schaufler 2022-09-08 18:52 ` Paul Moore 2022-09-08 18:52 ` Paul Moore 2022-09-09 11:32 ` Tetsuo Handa 2022-09-09 11:32 ` Tetsuo Handa 2022-09-14 13:56 ` Paul Moore 2022-09-14 13:56 ` Paul Moore 2022-09-15 14:27 ` Tetsuo Handa 2022-09-15 14:27 ` Tetsuo Handa 2022-09-15 15:50 ` Casey Schaufler 2022-09-15 15:50 ` Casey Schaufler 2022-09-16 13:34 ` Tetsuo Handa 2022-09-16 13:34 ` Tetsuo Handa
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAHC9VhRPO+nE7bc9nXVLYbjXDVHz_QTCLn7ns74RMviR7BJ3VA@mail.gmail.com \ --to=paul@paul-moore.com \ --cc=casey@schaufler-ca.com \ --cc=jmorris@namei.org \ --cc=john.johansen@canonical.com \ --cc=keescook@chromium.org \ --cc=linux-audit@redhat.com \ --cc=linux-security-module@vger.kernel.org \ --cc=selinux@vger.kernel.org \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.