From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Paul Moore <paul@paul-moore.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
John Johansen <john.johansen@canonical.com>,
Kees Cook <kees@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH 04/10] CaitSith: Add header file.
Date: Wed, 9 Nov 2022 19:13:49 +0900 [thread overview]
Message-ID: <f52e6e9f-5e95-8843-c2f5-c50bba48e5e4@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CAHC9VhS9RQdeCipSpSH3_LZyFfb-BDry=EsSmkt4OLVk=OZnEg@mail.gmail.com>
On 2022/11/09 11:20, Paul Moore wrote:
> On Tue, Nov 8, 2022 at 5:20 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> What I'm asking you are that:
>>
>> Please don't lock out out-of-tree LSM modules (by requiring an LSM id integer value
>> which are assigned to only in-tree LSM modules) because we can't accept whatever LSM
>> modules as in-tree.
>>
>> Please don't lock out loadable LSM modules (by using fixed sized array) because
>> locking out loadable LSM modules reduces the value of your LSM stacking work.
>>
>> Quite simple.
>
> Tetsuo, at this point I think we all understand your concern and I
> appreciate and respect the passion you have for your argument.
> However, I think the rest of the developers, including myself, have
> also made our points very clear. While there may still be revisions
> to the syscall patches, I believe identifying LSMs via a token value
> as opposed to a string value is the better option for the upstream
> Linux Kernel.
I'm not opposing to identifying LSMs via a token value. I'm opposing to who can
obtain a token value, for I haven't heard a clear promise that we shall allow
whatever LSM modules to obtain a token value.
> This alone should not prevent dynamically loadable LSMs
> in the future, if we decide to pursue that, but I do recognize that it
> will present more of a challenge for the long term maintenance of
> out-of-tree LSMs.
Who can obtain a token value affects both built-in LSM modules and dynamically
loadable LSM modules. A "code that is being developed in the open with the
*intention* to be submitted to be in-tree" has to be able to obtain a token
value as soon as starting development (which is much earlier stage than getting
that code in-tree).
Do you remember that you said
>> Currently anyone can start writing new LSM modules using name as identifier. But
>> you are trying to forbid using name as identifier, and trying to force using integer
>> as identifier, but that integer will not be provided unless new LSM modules get
>> upstream.
>
> That is correct. In order to have a LSM identifier token the LSM must
> be upstream.
at https://lkml.kernel.org/r/CAHC9VhT2Azg1F-G3RQ4xL7JgA3OAtHafzS1_nvUyEUFsCJ9+SA@mail.gmail.com ?
If in-tree kernel refuses to assign a token value, no new LSM module would be developed
in the open, for not-yet-in-tree code (in whatever stage) cannot use a token value for
registering into the LSM framework.
> I see no reason to trade off what I believe as a
> better API choice (LSM ID tokens) for something that is explicitly not
> supported by the Linux Kernel as a whole (out-of-tree kernel code).
And even if a "code is being developed in the open with the intention to be
submitted to be in-tree, and actually submitted for in-tree", we know that we
cannot accept all submitted LSM modules. LSM modules which were not accepted for
in-tree have to remain out-of-tree.
We don't make patches for out-of-tree code in order to catch up to upstream kernel
changes. But we didn't and must not try to forbid out-of-tree code to exist.
Although I'm not a fan of proprietary / closed source code, I have to resist
Casey's attempt to lock out out-of-tree code and new code.
>
> Thank you for your comments, but I'm considering this settled.
>
Never settled, unless you all promise that we shall assign a token value to whatever
LSM modules (regardless of whether that LSM module is already in-tree or not).
next prev parent reply other threads:[~2022-11-09 10:14 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-02 17:10 [PATCH 01/10] security: Export security_hook_heads Tetsuo Handa
2022-11-02 17:10 ` [PATCH 02/10] mm: Export copy_to_kernel_nofault() Tetsuo Handa
2022-11-02 17:10 ` [PATCH 03/10] fs,kernel: Export d_absolute_path()/find_task_by_pid_ns()/find_task_by_vpid() Tetsuo Handa
2022-11-05 23:51 ` Serge E. Hallyn
2022-11-02 17:10 ` [PATCH 04/10] CaitSith: Add header file Tetsuo Handa
2022-11-02 17:57 ` Casey Schaufler
2022-11-05 2:43 ` Serge E. Hallyn
2022-11-05 4:05 ` Tetsuo Handa
2022-11-05 23:46 ` Serge E. Hallyn
2022-11-06 0:56 ` Tetsuo Handa
2022-11-07 18:59 ` Casey Schaufler
2022-11-08 10:18 ` Tetsuo Handa
2022-11-09 2:20 ` Paul Moore
2022-11-09 10:13 ` Tetsuo Handa [this message]
2022-11-09 14:48 ` Paul Moore
2022-11-09 23:57 ` Tetsuo Handa
2022-11-10 2:22 ` Kees Cook
2022-11-10 4:10 ` Tetsuo Handa
2022-11-10 4:45 ` Paul Moore
2022-11-07 19:22 ` Paul Moore
2022-11-02 17:10 ` [PATCH 05/10] CaitSith: Add LSM interface management file Tetsuo Handa
2022-11-02 19:05 ` Kees Cook
2022-11-02 17:10 ` [PATCH 07/10] CaitSith: Add permission checking functions Tetsuo Handa
2022-11-02 17:10 ` [PATCH 08/10] CaitSith: Add pathname calculation functions Tetsuo Handa
2022-11-02 17:10 ` [PATCH 09/10] CaitSith: Add garbage collector functions Tetsuo Handa
2022-11-02 17:10 ` [PATCH 10/10] CaitSith: Add Kconfig and Makefile files Tetsuo Handa
[not found] ` <20221102171025.126961-6-penguin-kernel@I-love.SAKURA.ne.jp>
2022-11-02 17:29 ` [PATCH 6a/10] CaitSith: Add policy management functions Tetsuo Handa
2022-11-02 17:29 ` [PATCH 6b/10] " Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f52e6e9f-5e95-8843-c2f5-c50bba48e5e4@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=casey@schaufler-ca.com \
--cc=john.johansen@canonical.com \
--cc=kees@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.