linux-integrity.vger.kernel.org archive mirror
* [RFC] Finding the right target branch for patches that span IMA and SeLinux
@ 2020-10-29 23:33 Tushar Sugandhi
  2020-10-30  0:32 ` Mimi Zohar
  0 siblings, 1 reply; 10+ messages in thread
From: Tushar Sugandhi @ 2020-10-29 23:33 UTC (permalink / raw)
  To: Mimi Zohar, stephen.smalley.work, paul
  Cc: SELinux, Tyler Hicks, Lakshmi Ramasubramanian, linux-integrity

Hello Mimi/Stephen/Paul,

As you are already aware, we have several patch-sets in review for
IMA infrastructure for measurement of critical kernel data and its
usage.

[1] infrastructure for measurement of critical data patch-set:
     https://patchwork.kernel.org/project/linux-integrity/list/?series=354437

[2] Using [1] to measure SeLinux data:
     https://patchwork.kernel.org/patch/11801585/

[3] Using [1] to measure dm-crypt data:
     https://patchwork.kernel.org/project/linux-integrity/list/?series=366903

[4] Using [1] to measure kernel_version:
     https://patchwork.kernel.org/patch/11854625/

[5] built-in IMA policy rule to handle critical data before
     a custom IMA policy is loaded:
     {Patch is not yet sent for public review}

Mimi has suggested that patch-set [1] should include a demonstrative
example use of the functionality in the same series. And that example
should be SeLinux (patch-set [2]).

However, SeLinux patch-set [2] depends on the functionality in SeLinux
branch [7], which is not yet merged in Integrity branch [6].
Therefore SeLinux patch-set [2] does not apply on the Integrity branch
at this time.

Further, SeLinux patch-set [2] also depends on the new code for
critical data infrastructure (patch-set [1] and [5]) which is all
IMA code. Patch-sets [1] and [5], even though all IMA code, apply
cleanly on SeLinux branch - along with patch-set [2].

For the above reason, the new series we are going to post, which
combines [1], [2], and [5], needs to be based on SeLinux branch.

Since [1] and [5] contain IMA code - we wanted to confirm with the
maintainers if there are any concerns to base the series on SeLinux
branch.

Thanks,
Tushar

[6] Integrity Repo/Branch:
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
Branch: linux-integrity

[7] SeLinux Branch:
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
Branch: next


* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-10-29 23:33 [RFC] Finding the right target branch for patches that span IMA and SeLinux Tushar Sugandhi
@ 2020-10-30  0:32 ` Mimi Zohar
  2020-10-30 16:43   ` Tushar Sugandhi
  0 siblings, 1 reply; 10+ messages in thread
From: Mimi Zohar @ 2020-10-30  0:32 UTC (permalink / raw)
  To: Tushar Sugandhi, stephen.smalley.work, paul
  Cc: SELinux, Tyler Hicks, Lakshmi Ramasubramanian, linux-integrity

On Thu, 2020-10-29 at 16:33 -0700, Tushar Sugandhi wrote:
> Hello Mimi/Stephen/Paul,
> 
> As you are already aware, we have several patch-sets in review for
> IMA infrastructure for measurement of critical kernel data and its
> usage.
> 
> [1] infrastructure for measurement of critical data patch-set:
>      https://patchwork.kernel.org/project/linux-integrity/list/?series=354437
> 
> [2] Using [1] to measure SeLinux data:
>      https://patchwork.kernel.org/patch/11801585/
> 
> [3] Using [1] to measure dm-crypt data:
>      https://patchwork.kernel.org/project/linux-integrity/list/?series=366903
> 
> [4] Using [1] to measure kernel_version:
>      https://patchwork.kernel.org/patch/11854625/
> 
> [5] built-in IMA policy rule to handle critical data before
>      a custom IMA policy is loaded:
>      {Patch is not yet sent for public review}
> 
> Mimi has suggested that patch-set [1] should include a demonstrative
> example use of the functionality in the same series. And that example
> should be SeLinux (patch-set [2]).
> 
> However, SeLinux patch-set [2] depends on the functionality in SeLinux
> branch [7], which is not yet merged in Integrity branch [6].
> Therefore SeLinux patch-set [2] does not apply on the Integrity branch
> at this time.
> 
> Further, SeLinux patch-set [2] also depends on the new code for
> critical data infrastructure (patch-set [1] and [5]) which is all
> IMA code. Patch-sets [1] and [5], even though all IMA code, apply
> cleanly on SeLinux branch - along with patch-set [2].
> 
> For the above reason, the new series we are going to post, which
> combines [1], [2], and [5], needs to be based on SeLinux branch.
> 
> Since [1] and [5] contain IMA code - we wanted to confirm with the
> maintainers if there are any concerns to base the series on SeLinux
> branch.
> 
> Thanks,
> Tushar
> 
> [6] Integrity Repo/Branch:
> Repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
> Branch: linux-integrity
> 
> [7] SeLinux Branch:
> Repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> Branch: next

Unless this patch set is specifically dependent on the two patches in
the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1.

thanks,

Mimi




* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-10-30  0:32 ` Mimi Zohar
@ 2020-10-30 16:43   ` Tushar Sugandhi
  2020-10-30 20:37     ` Paul Moore
  0 siblings, 1 reply; 10+ messages in thread
From: Tushar Sugandhi @ 2020-10-30 16:43 UTC (permalink / raw)
  To: Mimi Zohar, stephen.smalley.work, paul
  Cc: SELinux, Tyler Hicks, Lakshmi Ramasubramanian, linux-integrity

> Unless this patch set is specifically dependent on the two patches in
> the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1.
> 
Thanks Mimi. We don't have dependencies on those two patches in SELinux 
tree.

We'll base our changes on v5.10.0-rc1 in SELinux tree.

Thanks for the quick response.

~Tushar

> thanks,
> 
> Mimi
> 


* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-10-30 16:43   ` Tushar Sugandhi
@ 2020-10-30 20:37     ` Paul Moore
  2020-11-01  3:08       ` Tushar Sugandhi
  0 siblings, 1 reply; 10+ messages in thread
From: Paul Moore @ 2020-10-30 20:37 UTC (permalink / raw)
  To: Tushar Sugandhi
  Cc: Mimi Zohar, Stephen Smalley, SELinux, Tyler Hicks,
	Lakshmi Ramasubramanian, linux-integrity

On Fri, Oct 30, 2020 at 12:43 PM Tushar Sugandhi
<tusharsu@linux.microsoft.com> wrote:
> > Unless this patch set is specifically dependent on the two patches in
> > the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1.
>
> Thanks Mimi. We don't have dependencies on those two patches in SELinux
> tree.
>
> We'll base our changes on v5.10.0-rc1 in SELinux tree.
>
> Thanks for the quick response.

I'm not as fast as Mimi, but I thought it might be worthwhile to
provide a bit more detail as to what I expect from SELinux kernel
submissions.  I believe most other maintainers operate in a similar
manner, but I obviously can't speak for them.

Unless there is an exception due to a previous discussion, I ask that
all SELinux kernel patches be based on either the selinux/next branch
or Linus' current tree.  If your patch(set) applies cleanly to either
of those branches, and passes review, I'll merge it into the
selinux/next branch taking care of any merge conflicts that may arise.
If the merge is particularly tricky I may ask you to double check the
merge afterwards, but in my experience that is rare, most merge
conflicts are trivially resolved.

In the case where a patch(set) being proposed for inclusion in the
SELinux tree has significant changes to another subsystem, I will ask
the affected subsystem's maintainer to review the patch(set).  If the
other maintainers do not provide an ACK for the patch(set) I will not
merge the patches.  If the other maintainers do not respond at all for
a few weeks, I may go ahead and merge the patch(set) anyway; that is a
decision made on a case-by-case basis.

If the patch(set) introduces new functionality I will ask you to add
or update an existing test in the selinux-testsuite.
* https://github.com/SELinuxProject/selinux-testsuite

If the patch(set) introduces new, or changed, functionality I may ask
you to update The SELinux Notebook.
* https://github.com/SELinuxProject/selinux-notebook

Beyond the above, the general SELinux kernel tree process is
documented in the README.md found in selinux/main:
* https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md

-- 
paul moore
www.paul-moore.com


* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-10-30 20:37     ` Paul Moore
@ 2020-11-01  3:08       ` Tushar Sugandhi
  2020-11-02 16:35         ` Mimi Zohar
  2020-11-03  3:11         ` Paul Moore
  0 siblings, 2 replies; 10+ messages in thread
From: Tushar Sugandhi @ 2020-11-01  3:08 UTC (permalink / raw)
  To: Paul Moore
  Cc: Mimi Zohar, Stephen Smalley, SELinux, Tyler Hicks,
	Lakshmi Ramasubramanian, linux-integrity

Hi Paul,

On 2020-10-30 1:37 p.m., Paul Moore wrote:
> On Fri, Oct 30, 2020 at 12:43 PM Tushar Sugandhi
> <tusharsu@linux.microsoft.com> wrote:
>>> Unless this patch set is specifically dependent on the two patches in
>>> the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1.
>>
>> Thanks Mimi. We don't have dependencies on those two patches in SELinux
>> tree.
>>
>> We'll base our changes on v5.10.0-rc1 in SELinux tree.
>>
>> Thanks for the quick response.
> 
> I'm not as fast as Mimi, but I thought it might be worthwhile to
> provide a bit more detail as to what I expect from SELinux kernel
> submissions.  I believe most other maintainers operate in a similar
> manner, but I obviously can't speak for them.
Thanks a lot for the detailed information Paul.
It's very helpful, and we appreciate it.
> 
> Unless there is an exception due to a previous discussion, I ask that
> all SELinux kernel patches be based on either the selinux/next branch
> or Linus' current tree.  If your patch(set) applies cleanly to either
> of those branches, and passes review, I'll merge it into the
> selinux/next branch taking care of any merge conflicts that may arise.
We will base on SeLinux -> next branch, as you/Mimi suggested.

> If the merge is particularly tricky I may ask you to double check the
> merge afterwards, but in my experience that is rare, most merge
> conflicts are trivially resolved.
> 
Based on our testing so far, there aren't any merge conflicts.
But if the need arises, we'll do our best to help you resolve/review
them.

> In the case where a patch(set) being proposed for inclusion in the
> SELinux tree has significant changes to another subsystem, I will ask
> the affected subsystem's maintainer to review the patch(set).  If the
> other maintainers do not provide an ACK for the patch(set) I will not
> merge the patches.  If the other maintainers do not respond at all for
> a few weeks, I may go ahead and merge the patch(set) anyway; that is a
> decision made on a case-by-case basis.
Mimi has been actively reviewing IMA side of the changes for this
patch-set.

> 
> If the patch(set) introduces new functionality I will ask you to add
> or update an existing test in the selinux-testsuite.
> * https://github.com/SELinuxProject/selinux-testsuite
> 
Lakshmi has written an SeLinux test for this feature, and it is
currently being targeted for LTP repo.
https://github.com/linux-test-project/ltp

We can work with you to also get it incorporated in selinux-testsuite.
But the concern here is we may have to pull additional dependent scripts
from LTP to selinux-testsuite to support our test.

Could you please take a look at Lakshmi's SeLinux test, and guide us
further on this? Here is the patch.
https://patchwork.kernel.org/patch/11804587/


> If the patch(set) introduces new, or changed, functionality I may ask
> you to update The SELinux Notebook.
> * https://github.com/SELinuxProject/selinux-notebook
> 
Will do. Thanks.

> Beyond the above, the general SELinux kernel tree process is
> documented in the README.md found in selinux/main:
> * https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md
> 
Thanks for the pointer.
We'll go through the documentation.
~Tushar


* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-11-01  3:08       ` Tushar Sugandhi
@ 2020-11-02 16:35         ` Mimi Zohar
  2020-11-02 20:38           ` Tushar Sugandhi
  2020-11-03  3:11         ` Paul Moore
  1 sibling, 1 reply; 10+ messages in thread
From: Mimi Zohar @ 2020-11-02 16:35 UTC (permalink / raw)
  To: Tushar Sugandhi, Paul Moore
  Cc: Stephen Smalley, SELinux, Tyler Hicks, Lakshmi Ramasubramanian,
	linux-integrity

On Sat, 2020-10-31 at 20:08 -0700, Tushar Sugandhi wrote:
> Hi Paul,
> 
> On 2020-10-30 1:37 p.m., Paul Moore wrote:
> > On Fri, Oct 30, 2020 at 12:43 PM Tushar Sugandhi
> > <tusharsu@linux.microsoft.com> wrote:
> >>> Unless this patch set is specifically dependent on the two patches in
> >>> the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1.
> >>
> >> Thanks Mimi. We don't have dependencies on those two patches in SELinux
> >> tree.
> >>
> >> We'll base our changes on v5.10.0-rc1 in SELinux tree.
> >>
> >> Thanks for the quick response.
> > 
> > I'm not as fast as Mimi, but I thought it might be worthwhile to
> > provide a bit more detail as to what I expect from SELinux kernel
> > submissions.  I believe most other maintainers operate in a similar
> > manner, but I obviously can't speak for them.
> Thanks a lot for the detailed information Paul.
> It's very helpful, and we appreciate it.
> > 
> > Unless there is an exception due to a previous discussion, I ask that
> > all SELinux kernel patches be based on either the selinux/next branch
> > or Linus' current tree.  If your patch(set) applies cleanly to either
> > of those branches, and passes review, I'll merge it into the
> > selinux/next branch taking care of any merge conflicts that may arise.
> We will base on SeLinux -> next branch, as you/Mimi suggested.

Unless there was a compelling reason for basing it on the SELinux
branch, I asked that you base the changes on v5.10.0-rc1 (or later),
which has nothing to do with the SELinux branch.  Once this patch set
is reviewed and ready to be upstreamed, a topic branch will be created
containing at least the IMA patches.   The decision as to how the
SELinux patch will be upstreamed will be made at that point.  That
discussion will be between Paul and me.

thanks,

Mimi



* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-11-02 16:35         ` Mimi Zohar
@ 2020-11-02 20:38           ` Tushar Sugandhi
  0 siblings, 0 replies; 10+ messages in thread
From: Tushar Sugandhi @ 2020-11-02 20:38 UTC (permalink / raw)
  To: Mimi Zohar, Paul Moore
  Cc: Stephen Smalley, SELinux, Tyler Hicks, Lakshmi Ramasubramanian,
	linux-integrity



On 2020-11-02 8:35 a.m., Mimi Zohar wrote:
> On Sat, 2020-10-31 at 20:08 -0700, Tushar Sugandhi wrote:
>> Hi Paul,
>>
>> On 2020-10-30 1:37 p.m., Paul Moore wrote:
>>> On Fri, Oct 30, 2020 at 12:43 PM Tushar Sugandhi
>>> <tusharsu@linux.microsoft.com> wrote:
>>>>> Unless this patch set is specifically dependent on the two patches in
>>>>> the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1.
>>>>
>>>> Thanks Mimi. We don't have dependencies on those two patches in SELinux
>>>> tree.
>>>>
>>>> We'll base our changes on v5.10.0-rc1 in SELinux tree.
>>>>
>>>> Thanks for the quick response.
>>>
>>> I'm not as fast as Mimi, but I thought it might be worthwhile to
>>> provide a bit more detail as to what I expect from SELinux kernel
>>> submissions.  I believe most other maintainers operate in a similar
>>> manner, but I obviously can't speak for them.
>> Thanks a lot for the detailed information Paul.
>> It's very helpful, and we appreciate it.
>>>
>>> Unless there is an exception due to a previous discussion, I ask that
>>> all SELinux kernel patches be based on either the selinux/next branch
>>> or Linus' current tree.  If your patch(set) applies cleanly to either
>>> of those branches, and passes review, I'll merge it into the
>>> selinux/next branch taking care of any merge conflicts that may arise.
>> We will base on SeLinux -> next branch, as you/Mimi suggested.
> 
> Unless there was a compelling reason for basing it on the SELinux
> branch, I asked that you base the changes on v5.10.0-rc1 (or later),
> which has nothing to do with the SELinux branch.  Once this patch set
> is reviewed and ready to be upstreamed, a topic branch will be created
> containing at least the IMA patches.   The decision as to how the
> SELinux patch will be upstreamed will be made at that point.  That
> discussion will be between Paul and me.
> 
Sincere apologies Mimi.
We misunderstood your feedback when you mentioned -
"Unless this patch set is specifically dependent on the two patches in
the SELinux tree beyond v5.10.0-rc1, please base it on v5.10.0-rc1."

We believed you were recommending selinux repo as there were exactly
two patches present in the selinux/next branch after the tag v5.10-rc1.

Anyways - we tried applying the patches to -
repo: https://github.com/torvalds/linux
branch: master
tag: v5.10-rc1

and they get applied cleanly and are working fine.

We will wait for feedback on the v5 patch from you/Paul/Stephen, address
those, and then base v6 of the series to torvalds/master branch on
v5.10-rc1 (or later).

Does it sound ok?

Here is the v5 of the series we published yesterday.
https://patchwork.kernel.org/project/linux-integrity/list/?series=375103

Thanks,
Tushar


> thanks,
> 
> Mimi
> 


* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-11-01  3:08       ` Tushar Sugandhi
  2020-11-02 16:35         ` Mimi Zohar
@ 2020-11-03  3:11         ` Paul Moore
  2020-11-03 12:25           ` Mimi Zohar
  2020-11-03 18:57           ` Lakshmi Ramasubramanian
  1 sibling, 2 replies; 10+ messages in thread
From: Paul Moore @ 2020-11-03  3:11 UTC (permalink / raw)
  To: Tushar Sugandhi
  Cc: Mimi Zohar, Stephen Smalley, SELinux, Tyler Hicks,
	Lakshmi Ramasubramanian, linux-integrity

On Sat, Oct 31, 2020 at 11:08 PM Tushar Sugandhi
<tusharsu@linux.microsoft.com> wrote:
> On 2020-10-30 1:37 p.m., Paul Moore wrote:

...

> > If the patch(set) introduces new functionality I will ask you to add
> > or update an existing test in the selinux-testsuite.
> > * https://github.com/SELinuxProject/selinux-testsuite
>
> Lakshmi has written an SeLinux test for this feature, and it is
> currently being targeted for LTP repo.
> https://github.com/linux-test-project/ltp
>
> We can work with you to also get it incorporated in selinux-testsuite.
> But the concern here is we may have to pull additional dependent scripts
> from LTP to selinux-testsuite to support our test.
>
> Could you please take a look at Lakshmi's SeLinux test, and guide us
> further on this? Here is the patch.
> https://patchwork.kernel.org/patch/11804587/

As I'm looking at the test(s) above, I'm thinking that this may not be
something that needs to be in the selinux-testsuite.  While SELinux is
obviously an important part of the test, the test is more IMA focused
(which is probably the way it should be).

As a bit of background, the selinux-testsuite is intended to serve as
a relatively easy and quick to run test that can be used by developers
to quickly test their patches; while it aims for good coverage, it
does not try to be a comprehensive regression test suite.  Not only
would that be duplicating other efforts such as the LTP, it would go
against the goal of making the test suite quick and easy to use.

> > If the patch(set) introduces new, or changed, functionality I may ask
> > you to update The SELinux Notebook.
> > * https://github.com/SELinuxProject/selinux-notebook
>
> Will do. Thanks.
>
> > Beyond the above, the general SELinux kernel tree process is
> > documented in the README.md found in selinux/main:
> > * https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md
> >
> Thanks for the pointer.
> We'll go through the documentation.

Can you and Lakshmi help me better understand the state of the
SELinux/IMA patches?  I see that you included Lakshmi's SELinux/IMA
patch in your last patchset, and it appears to have included feedback
from Stephen's last review.  Is it your intent to continue to submit
the SELinux/IMA patch as part of a larger patchset, or do you plan to
split that back out into a standalone patch?

-- 
paul moore
www.paul-moore.com


* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-11-03  3:11         ` Paul Moore
@ 2020-11-03 12:25           ` Mimi Zohar
  2020-11-03 18:57           ` Lakshmi Ramasubramanian
  1 sibling, 0 replies; 10+ messages in thread
From: Mimi Zohar @ 2020-11-03 12:25 UTC (permalink / raw)
  To: Paul Moore, Tushar Sugandhi
  Cc: Stephen Smalley, SELinux, Tyler Hicks, Lakshmi Ramasubramanian,
	linux-integrity

On Mon, 2020-11-02 at 22:11 -0500, Paul Moore wrote:
> On Sat, Oct 31, 2020 at 11:08 PM Tushar Sugandhi
> 
> Can you and Lakshmi help me better understand the state of the
> SELinux/IMA patches?  I see that you included Lakshmi's SELinux/IMA
> patch in your last patchset, and it appears to have included feedback
> from Stephen's last review.  Is it your intent to continue to submit
> the SELinux/IMA patch as part of a larger patchset, or do you plan to
> split that back out into a standalone patch?

Paul,  I've asked Tushar and Lakshmi to first define "critical data"
and then include at least one example of measuring "critical data" to
simplify review.  As the SELinux patch is the first example, there is a
dependency on the rest of the patch set.

thanks,

Mimi



* Re: [RFC] Finding the right target branch for patches that span IMA and SeLinux
  2020-11-03  3:11         ` Paul Moore
  2020-11-03 12:25           ` Mimi Zohar
@ 2020-11-03 18:57           ` Lakshmi Ramasubramanian
  1 sibling, 0 replies; 10+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-11-03 18:57 UTC (permalink / raw)
  To: Paul Moore, Tushar Sugandhi
  Cc: Mimi Zohar, Stephen Smalley, SELinux, Tyler Hicks, linux-integrity

On 11/2/20 7:11 PM, Paul Moore wrote:

Hi Paul,

> On Sat, Oct 31, 2020 at 11:08 PM Tushar Sugandhi
> <tusharsu@linux.microsoft.com> wrote:
>> On 2020-10-30 1:37 p.m., Paul Moore wrote:
> 
> ...
> 
>>> If the patch(set) introduces new functionality I will ask you to add
>>> or update an existing test in the selinux-testsuite.
>>> * https://github.com/SELinuxProject/selinux-testsuite
>>
>> Lakshmi has written an SeLinux test for this feature, and it is
>> currently being targeted for LTP repo.
>> https://github.com/linux-test-project/ltp
>>
>> We can work with you to also get it incorporated in selinux-testsuite.
>> But the concern here is we may have to pull additional dependent scripts
>> from LTP to selinux-testsuite to support our test.
>>
>> Could you please take a look at Lakshmi's SeLinux test, and guide us
>> further on this? Here is the patch.
>> https://patchwork.kernel.org/patch/11804587/
> 
> As I'm looking at the test(s) above, I'm thinking that this may not be
> something that needs to be in the selinux-testsuite.  While SELinux is
> obviously an important part of the test, the test is more IMA focused
> (which is probably the way it should be).

Yes, as you mentioned, the test is more IMA focused. It is to validate 
the measurement done by IMA against the current state of the 
configuration and policy of SELinux. Therefore we would like to keep it 
in LTP.

> 
> As a bit of background, the selinux-testsuite is intended to serve as
> a relatively easy and quick to run test that can be used by developers
> to quickly test their patches; while it aims for good coverage, it
> does not try to be a comprehensive regression test suite.  Not only
> would that be duplicating other efforts such as the LTP, it would go
> against the goal of making the test suite quick and easy to use.
> 

thanks,
  -lakshmi
