From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Paul Moore <paul@paul-moore.com>
Cc: John Johansen <john.johansen@canonical.com>,
Casey Schaufler <casey@schaufler-ca.com>,
LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
linux-audit@redhat.com, Mimi Zohar <zohar@linux.ibm.com>,
keescook@chromium.org, SElinux list <selinux@vger.kernel.org>
Subject: Re: LSM stacking in next for 6.1?
Date: Thu, 27 Oct 2022 09:02:43 +0900 [thread overview]
Message-ID: <a0567b10-fa83-50f4-7bf6-937e0c677e60@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CAHC9VhQy91eezWMQ=MoLe3fQSu_Rc+ZUWW2Mm3+78Mr7vS_Z0A@mail.gmail.com>
On 2022/10/27 5:11, Paul Moore wrote:
> On Tue, Oct 25, 2022 at 7:20 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> On 2022/10/25 19:26, John Johansen wrote:
>>> no, Casey is not. He is trying to find a path forward to get LSM
>>> stacking upstream sooner than later. He has made proposals that
>>> admittedly you have not liked, but he has at least tried to propose
>>> ideas that could work within the insane set of constraints.
>>
>> I'm OK with getting LSM stacking upstream. But changes made based on
>> only built-in modules are bad. If LSM id cannot be assigned to loadable
>> LSM modules at runtime because not all loadable LSM modules will be
>> in-tree in order to get an LSM id assigned, loadable LSM modules won't
>> be able to utilize e.g. lsm_module_list system call (or whatever
>> changes made while trying to unshare resources/interfaces currently
>> shared among SELinux/Smack/AppArmor).
>
> As a reminder, the LSM layer, just like the rest of the kernel, has no
> plans to provide any level of consideration or support for out-of-tree
> kernel code. LSMs which are not part of the upstream Linux kernel are
> not our concern here; if they fail to work with the syscall and/or LSM
> stacking changes merged, that should not be considered a blocker to
> upstream development.
>
No. You are misunderstanding. This problem is not limited to out-of-tree and/or
loadable LSM modules. This change prevents new LSM modules from getting upstream
due to a chicken-and-egg problem.
Currently anyone can start writing new LSM modules using name as identifier. But
you are trying to forbid using name as identifier, and trying to force using integer
as identifier, but that integer will not be provided unless new LSM modules get
upstream.
Then, how those who want to write new LSM modules can start writing LSM modules and
propose userspace changes for new LSM modules? They can't use the identifier unless
their LSM module get upstream, which in turn forces them not to propose interface for
userspace programs, which in turn makes it difficult to get new LSM modules tested
by users, which in turn makes it difficult to get upstream due to "who is using your
LSM module" question, which in turn makes it difficult to get the identifier...
You are trying to force CONFIG_MODULES=n by just "we don't care about out-of-tree code".
Trying to change identifier from name to integer is a serious bug.
WARNING: multiple messages have this Message-ID (diff)
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Paul Moore <paul@paul-moore.com>
Cc: John Johansen <john.johansen@canonical.com>,
keescook@chromium.org, SElinux list <selinux@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Mimi Zohar <zohar@linux.ibm.com>,
LSM List <linux-security-module@vger.kernel.org>,
linux-audit@redhat.com
Subject: Re: LSM stacking in next for 6.1?
Date: Thu, 27 Oct 2022 09:02:43 +0900 [thread overview]
Message-ID: <a0567b10-fa83-50f4-7bf6-937e0c677e60@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CAHC9VhQy91eezWMQ=MoLe3fQSu_Rc+ZUWW2Mm3+78Mr7vS_Z0A@mail.gmail.com>
On 2022/10/27 5:11, Paul Moore wrote:
> On Tue, Oct 25, 2022 at 7:20 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> On 2022/10/25 19:26, John Johansen wrote:
>>> no, Casey is not. He is trying to find a path forward to get LSM
>>> stacking upstream sooner than later. He has made proposals that
>>> admittedly you have not liked, but he has at least tried to propose
>>> ideas that could work within the insane set of constraints.
>>
>> I'm OK with getting LSM stacking upstream. But changes made based on
>> only built-in modules are bad. If LSM id cannot be assigned to loadable
>> LSM modules at runtime because not all loadable LSM modules will be
>> in-tree in order to get an LSM id assigned, loadable LSM modules won't
>> be able to utilize e.g. lsm_module_list system call (or whatever
>> changes made while trying to unshare resources/interfaces currently
>> shared among SELinux/Smack/AppArmor).
>
> As a reminder, the LSM layer, just like the rest of the kernel, has no
> plans to provide any level of consideration or support for out-of-tree
> kernel code. LSMs which are not part of the upstream Linux kernel are
> not our concern here; if they fail to work with the syscall and/or LSM
> stacking changes merged, that should not be considered a blocker to
> upstream development.
>
No. You are misunderstanding. This problem is not limited to out-of-tree and/or
loadable LSM modules. This change prevents new LSM modules from getting upstream
due to a chicken-and-egg problem.
Currently anyone can start writing new LSM modules using name as identifier. But
you are trying to forbid using name as identifier, and trying to force using integer
as identifier, but that integer will not be provided unless new LSM modules get
upstream.
Then, how those who want to write new LSM modules can start writing LSM modules and
propose userspace changes for new LSM modules? They can't use the identifier unless
their LSM module get upstream, which in turn forces them not to propose interface for
userspace programs, which in turn makes it difficult to get new LSM modules tested
by users, which in turn makes it difficult to get upstream due to "who is using your
LSM module" question, which in turn makes it difficult to get the identifier...
You are trying to force CONFIG_MODULES=n by just "we don't care about out-of-tree code".
Trying to change identifier from name to integer is a serious bug.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-10-27 0:02 UTC|newest]
Thread overview: 148+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com>
2022-08-03 0:01 ` LSM stacking in next for 6.1? Casey Schaufler
2022-08-03 0:01 ` Casey Schaufler
2022-08-03 0:56 ` Paul Moore
2022-08-03 0:56 ` Paul Moore
2022-08-03 1:56 ` John Johansen
2022-08-03 1:56 ` John Johansen
2022-08-03 2:15 ` Casey Schaufler
2022-08-03 2:15 ` Casey Schaufler
2022-08-03 2:33 ` Paul Moore
2022-08-03 2:33 ` Paul Moore
2022-08-03 2:34 ` Steve Grubb
2022-08-03 2:34 ` Steve Grubb
2022-08-03 2:40 ` Paul Moore
2022-08-03 2:40 ` Paul Moore
2022-09-02 21:30 ` Paul Moore
2022-09-02 21:30 ` Paul Moore
2022-09-02 23:14 ` Casey Schaufler
2022-09-02 23:14 ` Casey Schaufler
2022-09-02 23:57 ` Casey Schaufler
2022-09-02 23:57 ` Casey Schaufler
2022-09-06 23:24 ` Paul Moore
2022-09-06 23:24 ` Paul Moore
2022-09-07 0:10 ` John Johansen
2022-09-07 0:10 ` John Johansen
2022-09-07 0:39 ` Casey Schaufler
2022-09-07 0:39 ` Casey Schaufler
2022-09-07 0:50 ` John Johansen
2022-09-07 0:50 ` John Johansen
2022-09-07 14:41 ` Paul Moore
2022-09-07 14:41 ` Paul Moore
2022-09-07 16:41 ` Casey Schaufler
2022-09-07 16:41 ` Casey Schaufler
2022-09-07 17:23 ` John Johansen
2022-09-07 17:23 ` John Johansen
2022-09-07 22:57 ` Paul Moore
2022-09-07 22:57 ` Paul Moore
2022-09-07 23:27 ` Paul Moore
2022-09-07 23:27 ` Paul Moore
2022-09-07 23:53 ` Casey Schaufler
2022-09-07 23:53 ` Casey Schaufler
2022-09-08 0:19 ` John Johansen
2022-09-08 0:19 ` John Johansen
2022-09-08 3:57 ` Paul Moore
2022-09-08 3:57 ` Paul Moore
2022-09-08 18:05 ` Casey Schaufler
2022-09-08 18:05 ` Casey Schaufler
2022-09-08 18:35 ` John Johansen
2022-09-08 18:35 ` John Johansen
2022-09-08 19:32 ` Paul Moore
2022-09-08 19:32 ` Paul Moore
2022-09-08 22:56 ` Casey Schaufler
2022-09-08 22:56 ` Casey Schaufler
2022-09-10 4:17 ` Tetsuo Handa
2022-09-10 4:17 ` Tetsuo Handa
2022-09-12 17:37 ` Casey Schaufler
2022-09-12 17:37 ` Casey Schaufler
2022-09-13 10:47 ` Tetsuo Handa
2022-09-13 10:47 ` Tetsuo Handa
2022-09-13 14:45 ` Casey Schaufler
2022-09-13 14:45 ` Casey Schaufler
2022-09-14 13:57 ` Tetsuo Handa
2022-09-14 13:57 ` Tetsuo Handa
2022-09-14 15:50 ` Casey Schaufler
2022-09-14 15:50 ` Casey Schaufler
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:54 ` John Johansen
2022-09-15 14:54 ` John Johansen
2022-09-15 7:45 ` John Johansen
2022-09-15 7:45 ` John Johansen
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:27 ` Tetsuo Handa
2022-10-25 9:48 ` Tetsuo Handa
2022-10-25 9:48 ` Tetsuo Handa
2022-10-25 10:26 ` John Johansen
2022-10-25 10:26 ` John Johansen
2022-10-25 11:20 ` Tetsuo Handa
2022-10-25 11:20 ` Tetsuo Handa
2022-10-25 14:12 ` Casey Schaufler
2022-10-25 14:12 ` Casey Schaufler
2022-10-25 22:12 ` Tetsuo Handa
2022-10-25 22:12 ` Tetsuo Handa
2022-10-25 22:41 ` Casey Schaufler
2022-10-25 22:41 ` Casey Schaufler
2022-10-26 10:19 ` Tetsuo Handa
2022-10-26 10:19 ` Tetsuo Handa
2022-10-26 15:30 ` Casey Schaufler
2022-10-26 15:30 ` Casey Schaufler
2022-10-28 10:14 ` John Johansen
2022-10-28 10:14 ` John Johansen
2022-10-30 4:03 ` Tetsuo Handa
2022-10-30 4:03 ` Tetsuo Handa
2022-10-30 7:23 ` John Johansen
2022-10-30 7:23 ` John Johansen
2022-10-30 14:02 ` Tetsuo Handa
2022-10-30 14:02 ` Tetsuo Handa
2022-10-30 16:37 ` Kees Cook
2022-10-30 16:37 ` Kees Cook
2022-10-30 20:56 ` Casey Schaufler
2022-10-30 20:56 ` Casey Schaufler
2022-10-31 10:26 ` Tetsuo Handa
2022-10-31 10:26 ` Tetsuo Handa
2022-10-31 15:47 ` Casey Schaufler
2022-10-31 15:47 ` Casey Schaufler
2022-10-26 20:11 ` Paul Moore
2022-10-26 20:11 ` Paul Moore
2022-10-27 0:02 ` Tetsuo Handa [this message]
2022-10-27 0:02 ` Tetsuo Handa
2022-10-28 9:50 ` Paul Moore
2022-10-28 9:50 ` Paul Moore
2022-10-28 13:58 ` Tetsuo Handa
2022-10-28 13:58 ` Tetsuo Handa
2022-10-28 17:40 ` Kees Cook
2022-10-28 17:40 ` Kees Cook
2022-10-29 9:33 ` Tetsuo Handa
2022-10-29 9:33 ` Tetsuo Handa
2022-09-14 13:42 ` Paul Moore
2022-09-14 13:42 ` Paul Moore
2022-09-27 20:54 ` Casey Schaufler
2022-09-27 20:54 ` Casey Schaufler
2022-09-27 22:37 ` Paul Moore
2022-09-27 22:37 ` Paul Moore
2022-09-07 0:31 ` Casey Schaufler
2022-09-07 0:31 ` Casey Schaufler
2022-09-07 15:13 ` Paul Moore
2022-09-07 15:13 ` Paul Moore
2022-09-07 17:08 ` Casey Schaufler
2022-09-07 17:08 ` Casey Schaufler
2022-09-07 23:04 ` Paul Moore
2022-09-07 23:04 ` Paul Moore
2022-09-07 23:26 ` Casey Schaufler
2022-09-07 23:26 ` Casey Schaufler
2022-09-08 15:18 ` Tetsuo Handa
2022-09-08 15:18 ` Tetsuo Handa
2022-09-08 16:00 ` Casey Schaufler
2022-09-08 16:00 ` Casey Schaufler
2022-09-08 18:52 ` Paul Moore
2022-09-08 18:52 ` Paul Moore
2022-09-09 11:32 ` Tetsuo Handa
2022-09-09 11:32 ` Tetsuo Handa
2022-09-14 13:56 ` Paul Moore
2022-09-14 13:56 ` Paul Moore
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 15:50 ` Casey Schaufler
2022-09-15 15:50 ` Casey Schaufler
2022-09-16 13:34 ` Tetsuo Handa
2022-09-16 13:34 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a0567b10-fa83-50f4-7bf6-937e0c677e60@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.