From: John Johansen <john.johansen@canonical.com>
To: James Morris <jmorris@namei.org>, Kees Cook <keescook@chromium.org>
Cc: Jordan Glover <Golden_Miller83@protonmail.ch>,
Stephen Smalley <sds@tycho.nsa.gov>,
Paul Moore <paul@paul-moore.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter
Date: Tue, 2 Oct 2018 16:28:44 -0700 [thread overview]
Message-ID: <c0a5b479-72d7-8b03-09ce-31e0a4cd09ba@canonical.com> (raw)
In-Reply-To: <alpine.LRH.2.21.1810030758460.23596@namei.org>
On 10/02/2018 03:06 PM, James Morris wrote:
> On Tue, 2 Oct 2018, Kees Cook wrote:
>
>> On Tue, Oct 2, 2018 at 11:57 AM, John Johansen
>> <john.johansen@canonical.com> wrote:
>>> Under the current scheme
>>>
>>> lsm.enabled=selinux
>>>
>>> could actually mean selinux,yama,loadpin,something_else are
>>> enabled. If we extend this behavior to when full stacking lands
>>>
>>> lsm.enabled=selinux,yama
>>>
>>> might mean selinux,yama,apparmor,loadpin,something_else
>>>
>>> and what that list is will vary from kernel to kernel, which I think
>>> is harder for the user than the lsm.enabled list being what is
>>> actually enabled at boot
>>
>> Ah, I think I missed this in your earlier emails. What you don't like
>> here is that "lsm.enable=" is additive. You want it to be explicit.
>>
>
> This is a path to madness.
>
> How about enable flags set ONLY per LSM:
>
> lsm.selinux.enable=x
> lsm.apparmor.enable=x
>
why add the lsm. prefix? I think if we go this route
selinux.enable=x
apparmor.enable=x
is a little cleaner
the question then becomes is this easier for users? Doing something
similar to this was discussed earlier but its more tedious to type
each of these out, and since they are separate options they can
get spread out making it easy to miss one when you are changing
your boot options.
I honestly don't think we are going to come to a consensus on what is
best for users because different sets of users have different priorities.
But I do think we need to come up with something cleaner than v3
> With no lsm.enable, and removing selinux=x and apparmor=x.
>
this will break the user api, not just the distro/builder kernel
config. I do think it is probably worth doing, but not everyone agrees.
> Yes this will break existing docs, but they can be updated for newer
> kernel versions to say "replace selinux=0 with lsm.selinux.enable=0" from
> kernel X onwards.
>
yes docs can be updated but it does take time to propagate out and their
are always the dozens of blog, and forum posts etc that google will
drag up that won't get updated
> Surely distro packages and bootloaders are able to cope with changes to
> kernel parameters?
>
yes, but users who have been taught to add certain incantations to their
kernel parameters find it a lot harder
> We can either take a one-time hit now, or build new usability debt, which
> will confuse people forever.
>
I'm not opposed to taking a one-time hit for usability in the future.
next prev parent reply other threads:[~2018-10-02 23:28 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-02 0:54 [PATCH security-next v4 00/32] LSM: Explict LSM ordering Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 01/32] LSM: Correctly announce start of LSM initialization Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 02/32] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 03/32] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 04/32] LSM: Remove initcall tracing Kees Cook
2018-10-02 21:14 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 05/32] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-10-02 21:15 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-10-02 21:16 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 08/32] LSM: Record LSM name in struct lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure Kees Cook
2018-10-02 21:17 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures Kees Cook
2018-10-02 21:20 ` James Morris
2018-10-02 21:38 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 11/32] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 12/32] LSM: Provide separate ordered initialization Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" Kees Cook
2018-10-02 1:06 ` Randy Dunlap
2018-10-02 4:47 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 14/32] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 15/32] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 16/32] LSM: Prepare for arbitrary LSM enabling Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 17/32] LSM: Introduce CONFIG_LSM_ENABLE Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 18/32] LSM: Introduce lsm.enable= and lsm.disable= Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 19/32] LSM: Prepare for reorganizing "security=" logic Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 20/32] LSM: Refactor "security=" in terms of enable/disable Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic Kees Cook
2018-10-02 1:18 ` Randy Dunlap
2018-10-02 4:49 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 22/32] apparmor: Remove boot parameter Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 23/32] selinux: " Kees Cook
2018-10-02 12:12 ` Paul Moore
2018-10-02 13:42 ` Stephen Smalley
2018-10-02 14:44 ` Kees Cook
2018-10-02 14:58 ` Stephen Smalley
2018-10-02 16:33 ` Jordan Glover
2018-10-02 16:54 ` Kees Cook
2018-10-02 18:33 ` Stephen Smalley
2018-10-02 19:02 ` Kees Cook
2018-10-02 18:57 ` John Johansen
2018-10-02 19:17 ` Kees Cook
2018-10-02 19:47 ` John Johansen
2018-10-02 20:29 ` Kees Cook
2018-10-02 21:11 ` John Johansen
2018-10-02 22:06 ` James Morris
2018-10-02 23:06 ` Kees Cook
2018-10-02 23:46 ` John Johansen
2018-10-02 23:54 ` Kees Cook
2018-10-03 0:05 ` John Johansen
2018-10-03 0:12 ` Kees Cook
2018-10-03 13:15 ` John Johansen
2018-10-03 13:39 ` Stephen Smalley
2018-10-03 17:26 ` Kees Cook
2018-10-03 19:43 ` Stephen Smalley
2018-10-04 5:38 ` John Johansen
2018-10-04 16:02 ` Kees Cook
2018-10-08 14:25 ` Paul Moore
2018-10-03 18:17 ` James Morris
2018-10-03 18:20 ` Kees Cook
2018-10-03 18:28 ` James Morris
2018-10-03 20:10 ` Kees Cook
2018-10-03 20:36 ` Kees Cook
2018-10-03 21:19 ` James Morris
2018-10-04 5:56 ` John Johansen
2018-10-04 16:18 ` Kees Cook
2018-10-04 17:40 ` Jordan Glover
2018-10-04 17:42 ` Kees Cook
2018-10-03 21:34 ` James Morris
2018-10-03 23:55 ` Kees Cook
2018-10-03 23:59 ` Randy Dunlap
2018-10-04 0:03 ` Kees Cook
2018-10-04 6:22 ` John Johansen
2018-10-04 6:18 ` John Johansen
2018-10-04 17:49 ` James Morris
2018-10-05 0:05 ` Kees Cook
2018-10-05 4:58 ` James Morris
2018-10-05 16:29 ` James Morris
2018-10-05 16:35 ` Kees Cook
2018-10-02 23:28 ` John Johansen [this message]
2018-10-02 16:34 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 24/32] LSM: Build ordered list of ordered LSMs for init Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 25/32] LSM: Introduce CONFIG_LSM_ORDER Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 26/32] LSM: Introduce "lsm.order=" for boottime ordering Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 27/32] LoadPin: Initialize as ordered LSM Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 28/32] Yama: " Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 29/32] LSM: Introduce enum lsm_order Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 30/32] capability: Initialize as LSM_ORDER_FIRST Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 31/32] LSM: Separate idea of "major" LSM from "exclusive" LSM Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 32/32] LSM: Add all exclusive LSMs to ordered initialization Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c0a5b479-72d7-8b03-09ce-31e0a4cd09ba@canonical.com \
--to=john.johansen@canonical.com \
--cc=Golden_Miller83@protonmail.ch \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.