From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED695C00449 for ; Fri, 5 Oct 2018 16:35:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9A5F12084D for ; Fri, 5 Oct 2018 16:35:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="iYl9ls4D" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9A5F12084D Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-security-module-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727878AbeJEXfB (ORCPT ); Fri, 5 Oct 2018 19:35:01 -0400 Received: from mail-yw1-f65.google.com ([209.85.161.65]:35729 "EHLO mail-yw1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727572AbeJEXfB (ORCPT ); Fri, 5 Oct 2018 19:35:01 -0400 Received: by mail-yw1-f65.google.com with SMTP id y76-v6so5488205ywd.2 for ; Fri, 05 Oct 2018 09:35:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4vcOWcGFWjgwlB0xk/o4LvAQ9uGCBIWBW8bUlhArKxU=; b=iYl9ls4DIMiAVy/svw/tu2nJffUBabsYRHkJjIKrCmMrnkikCXUQ6h7qei1J04PiMm OIDae3hqgGHc824Fhj41m83Qg58istTGaywFs254LeSNbMmatmF4uYFTzCXBGgQuaPem jh4hDDV64YjLpVcPdy+/j8DAzS5xJmlJ1Rj9o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4vcOWcGFWjgwlB0xk/o4LvAQ9uGCBIWBW8bUlhArKxU=; b=rwGOE6yD5FbWEyZ7dlBv0aExyHTQe9gepOkHHpHSnsl70pN6FE6Zq9yeGqCJI7DBVQ c3gdi8oiMOJ0fwqssn4vuj8KM4kSTUrSaSaXmAZZbChTa4Ltp35TtfcLzYbtJ1WyJZbX F5Kgn0wrgXUGBSu4eEnzP7+gs2yIINRnLWhbe+cifBvHPa10b3TZYhRfOKJ1Af5+r/JR GkS2J+vs+abx4LMfUDXYXBRp2vHcCcas9uboy2t+1JMYm8FaJcaHdgfdSb7mgZWcSOKT YCRA+BU2l2E9hpLWgfp94dosB6wG8pcjdlOsUmMZ8BvnlBJ2PCucmSdm5ZZiq3ZG/Ce+ KabQ== X-Gm-Message-State: ABuFfoiIyu3aXklAHJnaddKf7NUGR4DCaObwrZuu63egSa/01w9OY2o4 E3HppDbljNhEb7yaiabbLYsOASZrZx0= X-Google-Smtp-Source: ACcGV63LwIyIIjQSEKm3BuzH1nvhrBIQp9r3AZ+PMd9HgNArQLTu4QdWCAUc6PKfkyyeh5DHlvZUkg== X-Received: by 2002:a81:5357:: with SMTP id h84-v6mr6543296ywb.107.1538757331387; Fri, 05 Oct 2018 09:35:31 -0700 (PDT) Received: from mail-yw1-f52.google.com (mail-yw1-f52.google.com. [209.85.161.52]) by smtp.gmail.com with ESMTPSA id b71-v6sm8798648ywa.48.2018.10.05.09.35.29 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Oct 2018 09:35:29 -0700 (PDT) Received: by mail-yw1-f52.google.com with SMTP id e201-v6so5489966ywa.3 for ; Fri, 05 Oct 2018 09:35:29 -0700 (PDT) X-Received: by 2002:a81:98cb:: with SMTP id p194-v6mr6744281ywg.353.1538757329237; Fri, 05 Oct 2018 09:35:29 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:d116:0:0:0:0:0 with HTTP; Fri, 5 Oct 2018 09:35:27 -0700 (PDT) In-Reply-To: References: <20181002005505.6112-1-keescook@chromium.org> <5955f5ce-b803-4f58-8b07-54c291e33da5@canonical.com> From: Kees Cook Date: Fri, 5 Oct 2018 09:35:27 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter To: James Morris Cc: John Johansen , Jordan Glover , Stephen Smalley , Paul Moore , Casey Schaufler , Tetsuo Handa , "Schaufler, Casey" , linux-security-module , Jonathan Corbet , "open list:DOCUMENTATION" , linux-arch , LKML Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On Thu, Oct 4, 2018 at 9:58 PM, James Morris wrote: > On Thu, 4 Oct 2018, Kees Cook wrote: > >> On Thu, Oct 4, 2018 at 10:49 AM, James Morris wrote: >> > On Wed, 3 Oct 2018, Kees Cook wrote: >> >> Then someone boots the system with: >> >> >> >> selinux=1 security=selinux >> >> >> >> In what order does selinux get initialized relative to yama? >> >> (apparmor, flagged as a "legacy major", would have been disabled by >> >> the "security=" not matching it.) >> > >> > It doesn't, it needs to be specified in one place. >> > >> > Distros will need to update boot parameter handling for this kernel >> > onwards. Otherwise, we will need to carry this confusing mess forward >> > forever. >> >> Are you saying that you want to overrule Paul and Stephen about >> keeping "selinux=1 secuiryt=selinux" working? > > Not overrule, but convince. > > At least, deprecate selinux=1 and security=X, but not extend it any > further. Okay, this is the expectation from me as well. I think my series makes it work as-is with the new stuff just fine. >> > In my most recent suggestion, there is no '!' disablement, just >> > enablement. If an LSM is not listed in CONFIG_LSM="", it's not enabled. >> >> And a user would need to specify ALL lsms on the "lsm=" line? >> > > Yes, the ones they want enabled. > >> What do you think of my latest proposal? It could happily work all >> three ways: old boot params and security= work ("selinux=1 >> security=selinux" keeps working), individual LSM enable/disable works >> ("lsm=+loadpin"), and full LSM ordering works >> ("lsm=each,lsm,in,order,here"): >> >> https://lore.kernel.org/lkml/CAGXu5jJJit8bDNvgXaFkuvFPy7NWtJW2oRWFbG-6iWk0+A1qng@mail.gmail.com/ >> > > I think having something like +yama will still lead to confusion. > Explicitly stating each enabled LSM in order is totally unambiguous. > > If people are moving away from the distro defaults, and there is no > high-level interface to manage this, it seems to me there's a deeper > issue with the distro. Okay. I will adjust the series and send a v5. -Kees -- Kees Cook Pixel Security