All of lore.kernel.org
 help / color / mirror / Atom feed
From: john.johansen@canonical.com (John Johansen)
To: linux-security-module@vger.kernel.org
Subject: The secmark "one user" policy
Date: Thu, 29 Jun 2017 09:46:39 -0700	[thread overview]
Message-ID: <b37e1e12-9e64-8772-c15d-0ac64756fa7d@canonical.com> (raw)
In-Reply-To: <alpine.LRH.2.20.1706291826200.3111@namei.org>

On 06/29/2017 02:10 AM, James Morris wrote:
> On Thu, 22 Jun 2017, John Johansen wrote:
> 
>> I don't see why not. The container could be built expecting smack
>> labeling, selinux applies 1 or just a few labels to the whole
>> container, and accesses within the container are mediated fine grained
>> with smack.
> 
> This would require that all LSM-tagged objects and subjects be namespaced, 
> correct?  If there is some way that a mediation happens across the 
> container boundary, things could get confusing (e.g. Smack policy not 
> seeming to allow things which SELinux is in fact denying).
> 
> Note also that LSM and namespaces are not abstracted in identical ways, so 
> we would need to know what it it means for LSM policy when say networking 
> is namespaced but not mounts.  Or how to deal with shared subtrees.
> 
> Namespacing of LSM is probably the more fundamental issue to be resolved.
> 

Yes namespacing of LSMs is an open issue that needs to be solved, and
probably would be needed for the selinux, and smack case, or apparmor
system + (selinux/smack container) but would not be needed for the
(selinux/smack system) + apparmor container case. Stacking should be
sufficient today because apparmor internally supports stacking and
namespacing of it self.  ie. system apparmor + container with a
different apparmor policy

With Casey's stacking patches today we can do an selinux host with an
apparmor container by having selinux do regular enforcement and
setting the system apparmor policy to unconfined.  The container is
then setup to use an apparmor policy namespace. Permissions for the
host are determined by selinux and in the container by the
intersection of what is granted by the selinux system policy and what
is allowed by the apparmor policy in the container.

But we run into problems with networking as soon as apparmor's support
for secmark lands.

> 
>> A little more speculatively another potential example would be an LSM
>> doing a personal firewalls around individual applications. Its really
>> very similar to the snappy/flatpak sandboxing of apps but maybe
>> someone wants that with out the additional baggage of a bigger LSM.
>> Whether it would ever get in upstream is a separate question.
> 
> Landlock shows promise here, and stacking it inside one of the major MAC 
> LSMs seems to make sense.
> 

agreed Landlock is promising here


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

  reply	other threads:[~2017-06-29 16:46 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-21  0:41 The secmark "one user" policy Casey Schaufler
2017-06-21  7:13 ` James Morris
2017-06-21 15:23   ` Casey Schaufler
2017-06-21 23:07     ` John Johansen
2017-06-21 23:45       ` Casey Schaufler
2017-06-22  0:48         ` John Johansen
2017-06-22  9:54     ` James Morris
2017-06-22 16:17       ` Casey Schaufler
2017-06-23  3:12         ` James Morris
2017-06-23 15:26           ` Casey Schaufler
2017-06-25  9:41             ` James Morris
2017-06-25 18:05               ` Casey Schaufler
2017-06-26  7:54                 ` José Bollo
2017-06-26 15:10                   ` Casey Schaufler
2017-06-27 10:51                     ` José Bollo
2017-06-27 11:58                       ` Paul Moore
2017-06-22 18:49       ` John Johansen
2017-06-23  3:02         ` James Morris
2017-06-23  4:32           ` John Johansen
2017-06-29  9:10             ` James Morris
2017-06-29 16:46               ` John Johansen [this message]
2017-06-22 22:24     ` Paul Moore
2017-06-22 23:20       ` Casey Schaufler
2017-06-23 20:47         ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b37e1e12-9e64-8772-c15d-0ac64756fa7d@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.