From: John Johansen
Organization: Canonical
Date: Fri, 28 Oct 2022 03:14:09 -0700
Subject: Re: LSM stacking in next for 6.1?
To: Tetsuo Handa, Casey Schaufler, Paul Moore
Cc: LSM List, James Morris, linux-audit@redhat.com, Mimi Zohar, keescook@chromium.org, SElinux list
References: <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com> <5ef4a1ae-e92c-ca77-7089-2efe1d4c4e6d@schaufler-ca.com> <1a9f9182-9188-2f64-4a17-ead2fed70348@schaufler-ca.com> <2225aec6-f0f3-d38e-ee3c-6139a7c25a37@I-love.SAKURA.ne.jp> <5995f18c-5623-9d97-0aa6-5f13a2a8e895@I-love.SAKURA.ne.jp> <77ec837a-ff64-e6f0-fe14-a54c1646ea0b@canonical.com> <0fcc5444-a957-f107-25a1-3540588eab5a@I-love.SAKURA.ne.jp> <11564f69-3bba-abf7-eb46-06813ff4a404@schaufler-ca.com> <98ab33d6-6c91-9c0a-8647-22f6bdede885@I-love.SAKURA.ne.jp> <3266c2c2-cd7e-bc0f-0fc4-478a63d6ee77@I-love.SAKURA.ne.jp>
In-Reply-To: <3266c2c2-cd7e-bc0f-0fc4-478a63d6ee77@I-love.SAKURA.ne.jp>
List-ID: selinux@vger.kernel.org

On 10/26/22 03:19, Tetsuo Handa wrote:
> On 2022/10/26 7:41, Casey Schaufler wrote:
>> You need a built-in LSM that loads and manages loadable
>> security modules.
>
> That is no longer loadable LSM modules. A loadable LSM module must be capable of
> loading any code and using any interface that is allowed for loadable kernel modules
> using the /sbin/insmod command. That is my understanding of what you have promised (and
> the reason I am allowing you to continue working on LSM stacking before I make
> CONFIG_SECURITY_TOMOYO=m).
>

Tetsuo, think of it this way. LSM stacking is going to make it much easier
for new LSM modules because they won't automatically be excluded because one
of the other LSMs is needed. The problem of loadable LSM modules is
orthogonal, and Casey shouldn't need to solve it in this patch series. That
is further work to be taken up by another, as Casey has clearly stated it's
work he is not interested in doing.
However, the real problem you are trying to solve won't be solved by loadable
LSM modules, though they may help. Just having loadable LSM modules won't mean
a distro will build an LSM as a loadable module instead of disabling it, nor
does it mean a distro will allow loading an out-of-tree LSM module. Even if
the upstream kernel doesn't provide an option to block loading them, distros
will.