From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, stephen.smalley.work@gmail.com,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
mic@digikod.net, Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v15 01/11] LSM: Identify modules by more than name
Date: Sun, 29 Oct 2023 11:00:39 -0700 [thread overview]
Message-ID: <f1608a96-e18d-45a8-84c9-8195a9bd9458@schaufler-ca.com> (raw)
In-Reply-To: <c35322f3-3f89-40d2-a5fb-7226fb93d202@I-love.SAKURA.ne.jp>
On 10/29/2023 3:57 AM, Tetsuo Handa wrote:
> On 2023/10/21 23:11, Casey Schaufler wrote:
>>> If the system call returning LSM ID value for SELinux but does not tell
>>> the caller of that system call whether a specific action might be permitted,
>>> what information does LSM ID value tell?
>> It tells the caller that the LSM is active on the system. That's it.
>> Just like reading /sys/kernel/security/lsm.
> Then, the
>
> The calling application can use this list determine what LSM
> specific actions it might take. That might include choosing an
> output format, determining required privilege or bypassing
> security module specific behavior.
>
> part should be removed from the description. Instead, the description should
> emphasis that the numeric LSM ID values are there in order to allow
> identifying what LSM modules are active without interpreting string LSM names
> in /sys/kernel/security/lsm .
No, I stand by the description as written.
>>> What does "choosing an output format", "determining required privilege",
>>> "bypassing security module specific behavior" mean? How can they choose
>>> meaningful output format, determine appropriate privilege, bypass security
>>> module specific behavior (if the only information the caller can know from
>>> the LSM ID value were what LSMs are enabled) ?
>> If Smack and SELinux not enabled on the system there is no point in
>> setting up a netlabel configuration, for example.
> I know nothing about netlabel. But can userspace make such assumption from
> this granularity? For example, if TOMOYO and AppArmor start supporting
> netlabel configuration, your assumption
>
> If Smack and SELinux not enabled on the system there is no point in
> setting up a netlabel configuration
>
> becomes no longer true.
You are correct. If I thought there was the remotest possibility
of that, I wouldn't have used it as an example.
If Smack isn't enabled there's no point in running the Smack testsuite.
If SELinux isn't enabled there's no point in running the SELinux testsuite.
If SELinux isn't enabled there's no reason to invoke SELinux userspace features.
> It is also possible that a new LSM implementation
> obtains an LSM ID for that LSM, and starts supporting netlabel configuration
> some timer later. I don't know if we come to the point where we can enable
> SELinux and Smack at the same time. But when it becomes possible to enable
> SELinux and Smack at the same time, the userspace might have already written
> code based on current situation that netlabel configuration are exclusive. Then,
> someday starting to return both LSM ID for SELinux and LSM ID for Smack might
> confuse userspace.
Believe me, that's way down on the list of userspace issues with using Smack and
SELinux together in a meaningful way.
>
> Thus, it might be safe to determine what LSMs are active from the LSM ID values
> returned from the system call. But it is not safe to assume what functionality
> is active (e.g. netlabel configuration is interpreted) from the LSM ID values
> returned from the system call.
That is correct.
> If you want to allow userspace to make such assumption using the system call,
> the granularity the system call returns needs to be what access control mechanism
> (not only LSM modules but also eBPF-based access control mechanisms) hooks which
> LSM hooks. More information than interpreting string LSM names in
> /sys/kernel/security/lsm will be needed.
That's already true. You have to understand all sorts of factors, like SELinux policy,
Smack rule sets and AppArmor policy definitions. Then there's netfilter configuration.
>>>> I wish we could stop people from saying "BPF-based LSM". BPF is the LSM. The
>>>> eBPF programs that implement a "policy" are NOT a LSM. There needs to be a
>>>> name for that, but LSM is not it.
>>> My understanding is that "BPF is not an LSM module but infrastructure for using
>>> LSM hooks".
>> As BPF is implemented as a LSM I suggest your statement is incorrect.
> Enumerating only LSM modules are not useful. "ID for access control mechanisms
> that can be controlled via LSM hooks" will be needed.
The BPF program set is no different from the SELinux policy in this regard.
It's completely user defined, and out of the kernel's control. I seriously
doubt that you want an ID for "SELinux reference policy 4.3.2 with Infiniband"
>>> The patch description lacks relationship between LSM ID value and data.
>>> In other words, why LSM ID values are needed (and are useful for doing what).
>>> If the only information the caller can know from the LSM ID value were
>>> what LSMs are enabled (i.e. the content of /sys/kernel/security/lsm ), why
>>> bother to use LSM ID values? (Yes, integer comparison is faster than string
>>> comparison. But that is not enough justification for not allowing out-of-tree
>>> LSMs and eBPF-based access control mechanisms to have stable LSM ID values.)
>>>
> I conclude that LSM ID values are pointless and are NOT needed.
OK.
next prev parent reply other threads:[~2023-10-29 18:00 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230912205658.3432-1-casey.ref@schaufler-ca.com>
2023-09-12 20:56 ` [PATCH v15 00/11] LSM: Three basic syscalls Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 01/11] LSM: Identify modules by more than name Casey Schaufler
2023-09-15 11:32 ` Tetsuo Handa
2023-09-15 17:53 ` Casey Schaufler
2023-09-16 6:32 ` Tetsuo Handa
2023-09-17 16:38 ` Casey Schaufler
2023-09-20 10:20 ` Tetsuo Handa
2023-09-20 15:08 ` Kees Cook
2023-09-23 4:46 ` Tetsuo Handa
2023-09-24 1:58 ` Kees Cook
2023-09-24 11:06 ` Tetsuo Handa
2023-09-24 19:48 ` Kees Cook
2023-10-05 12:58 ` Tetsuo Handa
2023-10-20 19:52 ` Casey Schaufler
2023-10-21 12:20 ` Tetsuo Handa
2023-10-21 14:11 ` Casey Schaufler
2023-10-29 10:57 ` Tetsuo Handa
2023-10-29 18:00 ` Casey Schaufler [this message]
2023-09-12 20:56 ` [PATCH v15 02/11] LSM: Maintain a table of LSM attribute data Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 03/11] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 04/11] LSM: syscalls for current process attributes Casey Schaufler
2023-10-03 14:09 ` Mickaël Salaün
2023-10-06 1:04 ` Paul Moore
2023-10-09 15:36 ` Mickaël Salaün
2023-10-09 16:04 ` Paul Moore
2023-10-10 9:14 ` Mickaël Salaün
2023-10-10 13:10 ` Paul Moore
2023-09-12 20:56 ` [PATCH v15 05/11] LSM: Create lsm_list_modules system call Casey Schaufler
2023-10-03 14:27 ` Mickaël Salaün
2024-03-12 10:16 ` Dmitry V. Levin
2024-03-12 13:25 ` Paul Moore
2024-03-12 15:27 ` Casey Schaufler
2024-03-12 17:06 ` Paul Moore
2024-03-12 17:44 ` Casey Schaufler
2024-03-12 18:09 ` Paul Moore
2024-03-12 18:28 ` Dmitry V. Levin
2024-03-12 21:50 ` Kees Cook
2024-03-12 22:06 ` Casey Schaufler
2024-03-12 22:06 ` Paul Moore
2024-03-12 22:17 ` Casey Schaufler
2024-03-12 23:17 ` Paul Moore
2023-09-12 20:56 ` [PATCH v15 06/11] LSM: wireup Linux Security Module syscalls Casey Schaufler
2023-10-03 14:27 ` Mickaël Salaün
2023-09-12 20:56 ` [PATCH v15 07/11] LSM: Helpers for attribute names and filling lsm_ctx Casey Schaufler
2023-10-03 14:28 ` Mickaël Salaün
2023-09-12 20:56 ` [PATCH v15 08/11] Smack: implement setselfattr and getselfattr hooks Casey Schaufler
2023-10-03 14:28 ` Mickaël Salaün
2023-10-20 19:40 ` Casey Schaufler
2023-10-20 19:42 ` Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 09/11] AppArmor: Add selfattr hooks Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 10/11] SELinux: " Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 11/11] LSM: selftests for Linux Security Module syscalls Casey Schaufler
2023-10-03 14:28 ` Mickaël Salaün
2023-10-12 22:07 ` [PATCH v15 00/11] LSM: Three basic syscalls Paul Moore
2023-10-13 21:55 ` Paul Moore
2023-10-16 12:04 ` Roberto Sassu
2023-10-16 15:06 ` Paul Moore
2023-10-17 7:01 ` Roberto Sassu
2023-10-17 15:58 ` Paul Moore
2023-10-17 16:07 ` Roberto Sassu
2023-10-18 9:31 ` Roberto Sassu
2023-10-18 13:09 ` Mimi Zohar
2023-10-18 14:14 ` Roberto Sassu
2023-10-18 16:35 ` Paul Moore
2023-10-18 20:10 ` Mimi Zohar
2023-10-18 20:40 ` Paul Moore
2023-10-19 7:45 ` Roberto Sassu
2023-10-20 16:36 ` Casey Schaufler
2023-10-19 8:49 ` Roberto Sassu
2023-11-13 4:03 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f1608a96-e18d-45a8-84c9-8195a9bd9458@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.