From: Casey Schaufler <casey@schaufler-ca.com>
To: Christian Brauner <brauner@kernel.org>
Cc: "Christoph Hellwig" <hch@lst.de>,
"Mickaël Salaün" <mic@digikod.net>,
"Xiu Jianfeng" <xiujianfeng@huawei.com>,
gregkh@linuxfoundation.org, rafael@kernel.org,
viro@zeniv.linux.org.uk, dhowells@redhat.com, code@tyhicks.com,
hirofumi@mail.parknet.co.jp, linkinjeon@kernel.org,
sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com,
chuck.lever@oracle.com, jlayton@kernel.org, miklos@szeredi.hu,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
dchinner@redhat.com, john.johansen@canonical.com,
mcgrof@kernel.org, mortonm@chromium.org, fred@cloudflare.com,
mpe@ellerman.id.au, nathanl@linux.ibm.com, gnoack3000@gmail.com,
roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-cachefs@redhat.com,
ecryptfs@vger.kernel.org, linux-cifs@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-unionfs@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
wangweiyang2@huawei.com,
"Casey Schaufler" <casey@schaufler-ca.com>
Subject: Re: [PATCH -next 0/2] lsm: Change inode_setattr() to take struct
Date: Wed, 31 May 2023 09:44:58 -0700 [thread overview]
Message-ID: <498f8719-219d-b4cf-8231-54d7fb6a58dd@schaufler-ca.com> (raw)
In-Reply-To: <20230531-endpreis-gepflanzt-80a5a4a9c8d6@brauner>
On 5/31/2023 1:36 AM, Christian Brauner wrote:
> On Tue, May 30, 2023 at 03:15:01PM -0700, Casey Schaufler wrote:
>> On 5/30/2023 9:01 AM, Christian Brauner wrote:
>>> On Tue, May 30, 2023 at 07:55:17AM -0700, Casey Schaufler wrote:
>>>> On 5/30/2023 7:28 AM, Christoph Hellwig wrote:
>>>>> On Tue, May 30, 2023 at 03:58:35PM +0200, Christian Brauner wrote:
>>>>>> The main concern which was expressed on other patchsets before is that
>>>>>> modifying inode operations to take struct path is not the way to go.
>>>>>> Passing struct path into individual filesystems is a clear layering
>>>>>> violation for most inode operations, sometimes downright not feasible,
>>>>>> and in general exposing struct vfsmount to filesystems is a hard no. At
>>>>>> least as far as I'm concerned.
>>>>> Agreed. Passing struct path into random places is not how the VFS works.
>>>>>
>>>>>> So the best way to achieve the landlock goal might be to add new hooks
>>>>> What is "the landlock goal", and why does it matter?
>>>>>
>>>>>> or not. And we keep adding new LSMs without deprecating older ones (A
>>>>>> problem we also face in the fs layer.) and then they sit around but
>>>>>> still need to be taken into account when doing changes.
>>>>> Yes, I'm really worried about th amount of LSMs we have, and the weird
>>>>> things they do.
>>>> Which LSM(s) do you think ought to be deprecated? I only see one that I
>>> I don't have a good insight into what LSMs are actively used or are
>>> effectively unused but I would be curious to hear what LSMs are
>>> considered actively used/maintained from the LSM maintainer's
>>> perspective.
>> I'm not the LSM maintainer, but I've been working on the infrastructure
>> for quite some time. All the existing LSMs save one can readily be associated
>> with active systems, and the one that isn't is actively maintained. We have
>> not gotten into the habit of accepting LSMs upstream that don't have a real
>> world use.
>>
>>>> might consider a candidate. As for weird behavior, that's what LSMs are
>>>> for, and the really weird ones proposed (e.g. pathname character set limitations)
>>> If this is effectively saying that LSMs are licensed to step outside the
>>> rules of the subsystem they're a guest in then it seems unlikely
>>> subsystems will be very excited to let new LSM changes go in important
>>> codepaths going forward. In fact this seems like a good argument against
>>> it.
>> This is an artifact of Linus' decision that security models should be
>> supported as add-on modules. On the one hand, all that a subsystem maintainer
>> needs to know about a security feature is what it needs in the way of hooks.
>> On the other hand, the subsystem maintainer loses control over what kinds of
>> things the security feature does with the available information. It's a
>> tension that we've had to deal with since the Orange Book days of the late
>> 1980's. The deal has always been:
>>
>> You can have your security feature if:
>> 1. If I turn it off it has no performance impact
>> 2. I don't have to do anything to maintain it
>> 3. It doesn't interfere with any other system behavior
>> 4. You'll leave me alone
>>
>> As a security developer from way back I would be delighted if maintainers of
>> other subsystems took an active interest in some of what we've been trying
>> to accomplish in the security space. If the VFS maintainers would like to
>> see the LSM interfaces for file systems changed I, for one, would like very
>> much to hear about what they'd prefer.
> What is important for us is that the security layer must understand and
> accept that some things cannot be done the way it envisions them to be
> done because it would involve design compromises in the fs layer that
> the fs maintainers are unwilling to make. The idea to pass struct path
> to almost every security hook is a good example.
Yes, and that's completely acceptable. What would be really great is some
guidance about what to do instead. Fishing for NAKs isn't fun for anybody.
> If the project is feature parity between inode and path based LSMs then
> it must be clear from the start that this won't be achieved at the cost
> of mixing up the layer where only dentries and inodes are relevant and
> the layer where struct paths are most relevant.
Which is a fair point, and helps those of us who don't work in the VFS
layer daily understand the rationale.
>
>> We do a lot of crazy things to avoid interfering with the subsystems we
>> interact with. A closer developer relationship would be most welcome, so
>> long as it helps us achieve or goals. We get a lot of complaints about how
>> LSM feature perform, but no one wants to hear that a good deal of that comes
>> about because of what has to be done in support of 1, 2 and 3 above. Sometimes
>> we do stoopid things, but usually it's to avoid changes "outside our swim lane".
> I personally am not opposed to comment on patches but they will
> naturally have lower priority than other things.
I can't say that I see how security features "naturally have lower priority",
but everyone has to balance things.
next prev parent reply other threads:[~2023-05-31 16:45 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 8:11 [PATCH -next 0/2] lsm: Change inode_setattr() to take struct Xiu Jianfeng
2023-05-05 8:11 ` [PATCH -next 1/2] fs: Change notify_change() to take struct path argument Xiu Jianfeng
2023-05-05 17:22 ` [PATCH -next 1/2] " Chuck Lever III
2023-05-05 8:12 ` [PATCH -next 2/2] lsm: Change inode_setattr hook " Xiu Jianfeng
2023-05-10 0:58 ` [PATCH -next 0/2] lsm: Change inode_setattr() to take struct xiujianfeng
2023-05-15 15:12 ` Christian Brauner
2023-05-26 16:33 ` Mickaël Salaün
2023-05-30 13:58 ` Christian Brauner
2023-05-30 14:28 ` Christoph Hellwig
2023-05-30 14:55 ` Casey Schaufler
2023-05-30 16:01 ` Christian Brauner
2023-05-30 22:15 ` Casey Schaufler
2023-05-31 8:36 ` Christian Brauner
2023-05-31 16:44 ` Casey Schaufler [this message]
2023-05-31 13:22 ` Christoph Hellwig
2023-05-31 14:17 ` Casey Schaufler
2023-05-31 15:22 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=498f8719-219d-b4cf-8231-54d7fb6a58dd@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=brauner@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=code@tyhicks.com \
--cc=dchinner@redhat.com \
--cc=dhowells@redhat.com \
--cc=ecryptfs@vger.kernel.org \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=gnoack3000@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=hirofumi@mail.parknet.co.jp \
--cc=jlayton@kernel.org \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linkinjeon@kernel.org \
--cc=linux-cachefs@redhat.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mic@digikod.net \
--cc=miklos@szeredi.hu \
--cc=mortonm@chromium.org \
--cc=mpe@ellerman.id.au \
--cc=nathanl@linux.ibm.com \
--cc=paul@paul-moore.com \
--cc=rafael@kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=selinux@vger.kernel.org \
--cc=senozhatsky@chromium.org \
--cc=serge@hallyn.com \
--cc=sfrench@samba.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tom@talpey.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wangweiyang2@huawei.com \
--cc=xiujianfeng@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).