From: John Johansen <firstname.lastname@example.org>
To: Kees Cook <email@example.com>, Paul Moore <firstname.lastname@example.org>
Cc: Casey Schaufler <email@example.com>,
James Morris <firstname.lastname@example.org>,
SE Linux <email@example.com>,
Tetsuo Handa <firstname.lastname@example.org>,
Stephen Smalley <email@example.com>,
Alexey Dobriyan <firstname.lastname@example.org>,
"Schaufler, Casey" <email@example.com>
Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock
Date: Thu, 13 Sep 2018 16:32:42 -0700 [thread overview]
Message-ID: <firstname.lastname@example.org> (raw)
On 09/13/2018 04:06 PM, Kees Cook wrote:
> On Thu, Sep 13, 2018 at 2:51 PM, Kees Cook <email@example.com> wrote:
>> At the very least, to avoid stacking now (i.e. TOMOYO being enabled
>> with another major LSM), we just do nothing. The existing code already
>> makes the existing major LSMs exclusive. Adding a stackable LSM would
>> need to just have its own "enable" flag (i.e. ignore
>> security_module_enable()), and then either check a runtime "is
>> stacking allowed?" flag or have new "depends on SECURITY_STACKING". (I
>> think the CONFIG will force distros into enabling it without any
>> runtime opt-out.)
> Before stacking, we have:
> - major LSM, pick one
> - all CONFIG minor LSMs, in security.c order
> There are two minor LSMs: Yama and LoadPin. If built, Yama is always
> on (though it has sysctl knobs). If built, LoadPin is controlled by a
> boot param.
> Picking the major LSM happens via "security=$LSM" and a per-LSM check
> of security_module_enable("$LSM").
> Ordering is major, then per security.c for minors.
> Under stacking, we have:
> The minor LSMs remain unchanged.
> We don't have SARA and Landlock yet, but we do have TOMOYO, which we
> can use as an example to future "compatible blob-using LSMs".
> I see two issues:
> - how to determine which set of LSMs are enabled at boot
> - how to determine the ORDER of the LSMs
> Casey's implementation does this (correct me if I'm wrong):
> The minor LSMs remain unchanged.
> SECURITY_$lsm_STACKED determines which major is enabled, with
> SECURITY_TOMOYO_STACKED allowed in addition. If security= is
> specified, all other major LSMs are disabled (i.e. it is not possible
> to switch between SELinux/AppArmor/SMACK without also disabling
> Ordering is per security/Makefile modulo enabled-ness for majors (i.e.
> TOMOYO is always _before_ AppArmor if stacked together, otherwise
> after SELinux and SMACK), and per security.c for minors.
> I don't think this is how we want it to work. For example, Ubuntu
> builds in all LSMs, and default-enables AppArmor. If an Ubuntu user
> wants TOMOYO, the boot with "security=tomoyo". If Ubuntu wants to make
> stacking available to users but off by default, what CONFIGs do they
> pick? They could try SECURITY_APPARMOR_STACKED=y and
> SECURITY_TOMOYO_STACKED=n, but then how does an end user choose
> "apparmor and tomoyo" (or more meaningfully, for the future:
> "apparmor, sara, and landlock")? They can still pick
> "security=tomoyo", but there isn't a runtime way to opt into stacking.
Ubuntu is carrying an early set of the stacking patches and about a
dozen patches on top of that.
It allows choosing to build the LSMs separate from the what the
default LSM(s) are. There is some config patching here that I need to
update and drop onto this thread.
There is also a patch that allows selecting the set of LSMs at boot.
but yama and loadpin are treated differently and I never liked
that. But again another patch to rebase and drop on this thread for
> What about leaving SECURITY_$lsm_DEFAULT as-is, and then...
> In the past I'd suggested using "security=" to determine both enabled
> and order: "security=tomoyo,smack" would mean stacked LSMs, with
> tomoyo going first.
> Currently I'm leaning towards "security=" to select ONLY the
> incompatible LSM, and per-LSM "enable" flags to determine stacking:
> tomoyo.enabled=1 security=smack
I don't like this, it makes it hard for the end user specifying option
at boot time. They have to set security= for the modules they want and
then also individual modules $lsm.enabled= which is very inconvenient
apparmor.enabled really should only default to enabled and provides a
legacy way to disable apparmor during boot. This option was around
before security= was added.
I need to leave it available as its become part of the api (there are
applications checking /sys/module/apparmor/parameters/enabled but we
can remove it from the Kconfig.
> This doesn't explicitly address ordering, though. If we made param
> _position_ meaningful, then we could get ordering (i.e. above would
> mean "tomoyo first").
yes, I think that makes sense
> Note, ordering matters because call_int_hook() will _stop_ on a
> non-zero return value: potentially hiding events from later LSMs. Do
> we need to revisit this? I seem to remember if being a very dead
> horse, and we needed to quick-abort otherwise we ended up in
> nonsensical states.
we shouldn't be in nonsensical states but we are doing work that is
Another potential solution is allowing an LSM to register a set of
post hooks that will get called after the regular LSM hooks are
called. This would allow an LSM that cared about whether a hook
succeeded or not to do some processing.
> The reason for the new approach is because I can't find a meaningful
> way to provide CONFIGs that make sense. We want to provide a few
> - is an LSM built into the kernel at all? (CONFIG_SECURITY_$lsm)
> - is an LSM enabled by default? (CONFIG_SECURITY_$lsm_ENABLED?)
> - has an LSM been enable for this boot? $lsm.enabled=1 or security=$lsm,$lsm ?
at least for apparmor it is apparmor.enabled=1 AND security=apparmor or security=$lsm,apparmor ...
> - what order should any stacking happen? Makefile? security=?
Preferably not. For the single LSM we have the ability to choose the default LSM, ideally we let the distro decide in the Kconfig and the user with security=...
> And for the incompatible-major, do we stick with CONFIG_SECURITY_$lsm_DEFAULT ?
Ideally Kconfig wouldn't let you choose incompatible LSMs when
selecting what is going to be enabled by default.
> Anyway, if the concern is with exposed behavior for distros, what do
> we want? i.e. what should be done for patch 10. Everything else looks
well speaking for Ubuntu we want to be able to specify the default LSMs
and we want to enable our users to change this.
The current patchset we have is less than ideal partly because of the
whole $lsm.enabled vs security= mess that needs to be resolved.
next prev parent reply other threads:[~2018-09-14 4:44 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-11 16:26 [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock Casey Schaufler
2018-09-11 16:41 ` [PATCH 01/10] procfs: add smack subdir to attrs Casey Schaufler
2018-09-12 22:57 ` Kees Cook
2018-09-11 16:41 ` [PATCH 02/10] Smack: Abstract use of cred security blob Casey Schaufler
2018-09-12 23:04 ` Kees Cook
2018-09-11 16:41 ` [PATCH 03/10] SELinux: " Casey Schaufler
2018-09-12 23:10 ` Kees Cook
2018-09-11 16:41 ` [PATCH 04/10] LSM: Infrastructure management of the " Casey Schaufler
2018-09-12 23:53 ` Kees Cook
2018-09-13 19:01 ` Casey Schaufler
2018-09-13 21:12 ` Kees Cook
2018-09-11 16:41 ` [PATCH 05/10] SELinux: Abstract use of file " Casey Schaufler
2018-09-12 23:54 ` Kees Cook
2018-09-11 16:42 ` [PATCH 06/10] LSM: Infrastructure management of the " Casey Schaufler
2018-09-13 0:00 ` Kees Cook
2018-09-11 16:42 ` [PATCH 07/10] SELinux: Abstract use of inode " Casey Schaufler
2018-09-13 0:23 ` Kees Cook
2018-09-11 16:42 ` [PATCH 08/10] Smack: " Casey Schaufler
2018-09-13 0:24 ` Kees Cook
2018-09-11 16:42 ` [PATCH 09/10] LSM: Infrastructure management of the inode security Casey Schaufler
2018-09-13 0:30 ` Kees Cook
2018-09-11 16:42 ` [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Casey Schaufler
2018-09-13 4:19 ` Kees Cook
2018-09-13 13:16 ` Paul Moore
2018-09-13 15:19 ` Kees Cook
2018-09-13 19:12 ` Paul Moore
2018-09-13 20:58 ` Jordan Glover
2018-09-13 21:50 ` Paul Moore
2018-09-13 22:04 ` Jordan Glover
2018-09-13 23:01 ` Casey Schaufler
2018-09-13 21:01 ` Kees Cook
2018-09-13 21:38 ` Paul Moore
2018-09-13 21:51 ` Kees Cook
2018-09-13 23:06 ` Kees Cook
2018-09-13 23:32 ` John Johansen [this message]
2018-09-13 23:51 ` Kees Cook
2018-09-14 0:03 ` Casey Schaufler
2018-09-14 0:06 ` Kees Cook
2018-09-13 23:51 ` Casey Schaufler
2018-09-13 23:57 ` Kees Cook
2018-09-14 0:08 ` Casey Schaufler
2018-09-14 0:19 ` Kees Cook
2018-09-14 15:57 ` Casey Schaufler
2018-09-14 20:05 ` Kees Cook
2018-09-14 20:47 ` Casey Schaufler
2018-09-14 18:18 ` James Morris
2018-09-14 18:23 ` John Johansen
2018-09-14 0:03 ` Kees Cook
2018-09-14 2:42 ` Paul Moore
2018-09-11 20:43 ` [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock James Morris
2018-09-12 21:29 ` James Morris
2018-09-16 16:54 ` Salvatore Mesoraca
2018-09-16 17:25 ` Casey Schaufler
2018-09-16 17:45 ` Salvatore Mesoraca
2018-09-18 7:44 ` Mickaël Salaün
2018-09-18 15:23 ` Casey Schaufler
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).