linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Martin Steigerwald <martin@lichtvoll.de>
To: Kees Cook <keescook@chromium.org>
Cc: James Morris <jmorris@namei.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	John Johansen <john.johansen@canonical.com>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	"Schaufler, Casey" <casey.schaufler@intel.com>,
	LSM <linux-security-module@vger.kernel.org>,
	Jonathan Corbet <corbet@lwn.net>,
	linux-doc@vger.kernel.org, linux-arch@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH security-next v2 00/26] LSM: Explict LSM ordering
Date: Thu, 20 Sep 2018 22:14:46 +0200	[thread overview]
Message-ID: <1898403.NNy4ELVaME@merkaba> (raw)
In-Reply-To: <20180920162338.21060-1-keescook@chromium.org>

Kees Cook - 20.09.18, 18:23:
> v2:
> - add "lsm.order=" and CONFIG_LSM_ORDER instead of overloading
> "security=" - reorganize introduction of ordering logic code
> 
> Updated cover letter:
> 
> This refactors the LSM registration and initialization infrastructure
> to more centrally support different LSM types. What was considered a
> "major" LSM is kept for legacy use of the "security=" boot parameter,
> and now overlaps with the new class of "exclusive" LSMs for the future
> blob sharing (to be added later). The "minor" LSMs become more well
> defined as a result of the refactoring.
> 
> Instead of continuing to (somewhat improperly) overload the kernel's
> initcall system, this changes the LSM infrastructure to store a
> registration structure (struct lsm_info) table instead, where metadata
> about each LSM can be recorded (name, flags, order, enable flag, init
> function). This can be extended in the future to include things like
> required blob size for the coming "blob sharing" LSMs.

I read the cover letter and still don´t know what this is about. Now I 
am certainly not engaged deeply with LSM. I bet my main missing piece 
is: What is a "blob sharing" LSM.

I think it would improve the cover letter greatly if it explains briefly 
what is a major LSM, what is a minor LSM and what is a "blob sharing" 
LSM.

Why those are all needed? What is the actual security or end user 
benefit of this work? The questions are not to question your work. I bet 
it makes all perfect sense. I just did not understand its sense from 
reading the cover letter.

> The "major" LSMs had to individually negotiate which of them should be
> enabled. This didn't provide a way to negotiate combinations of other
> LSMs (as will be needed for "blob sharing" LSMs). This is solved by
> providing the LSM infrastructure with all the details needed to make
> the choice (exposing the per-LSM "enabled" flag, if used, the LSM
> characteristics, and ordering expectations).
> 
> As a result of the refactoring, the "minor" LSMs are able to remove
> the open-coded security_add_hooks() calls for "capability", "yama",
> and "loadpin", and to redefine "integrity" properly as a general LSM.
> (Note that "integrity" actually defined _no_ hooks, but needs the
> early initialization).
> 
> With all LSMs being proessed centrally, it was possible to implement
> a new boot parameter "lsm.order=" to provide explicit ordering, which
> is helpful for the future "blob sharing" LSMs. Matching this is the
> new CONFIG_LSM_ORDER, which replaces CONFIG_DEFAULT_SECURITY, as it
> provides a higher granularity of control.
> 
> To better show LSMs activation some debug reporting was added (enabled
> with the "lsm.debug" boot commandline option).
> 
> Finally, I added a WARN() around LSM initialization failures, which
> appear to have always been silently ignored. (Realistically any LSM
> init failures would have only been due to catastrophic kernel issues
> that would render a system unworkable anyway, but it'd be better to
> expose the problem as early as possible.)
> 
> -Kees
> 
> Kees Cook (26):
>   LSM: Correctly announce start of LSM initialization
>   vmlinux.lds.h: Avoid copy/paste of security_init section
>   LSM: Rename .security_initcall section to .lsm_info
>   LSM: Remove initcall tracing
>   LSM: Convert from initcall to struct lsm_info
>   vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
>   LSM: Convert security_initcall() into DEFINE_LSM()
>   LSM: Record LSM name in struct lsm_info
>   LSM: Provide init debugging infrastructure
>   LSM: Don't ignore initialization failures
>   LSM: Introduce LSM_FLAG_LEGACY_MAJOR
>   LSM: Provide separate ordered initialization
>   LSM: Plumb visibility into optional "enabled" state
>   LSM: Lift LSM selection out of individual LSMs
>   LSM: Introduce lsm.enable= and lsm.disable=
>   LSM: Prepare for reorganizing "security=" logic
>   LSM: Refactor "security=" in terms of enable/disable
>   LSM: Build ordered list of ordered LSMs for init
>   LSM: Introduce CONFIG_LSM_ORDER
>   LSM: Introduce "lsm.order=" for boottime ordering
>   LoadPin: Initialize as ordered LSM
>   Yama: Initialize as ordered LSM
>   LSM: Introduce enum lsm_order
>   capability: Mark as LSM_ORDER_FIRST
>   LSM: Separate idea of "major" LSM from "exclusive" LSM
>   LSM: Add all exclusive LSMs to ordered initialization
> 
>  .../admin-guide/kernel-parameters.txt         |   7 +
>  arch/arc/kernel/vmlinux.lds.S                 |   1 -
>  arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
>  arch/arm64/kernel/vmlinux.lds.S               |   1 -
>  arch/h8300/kernel/vmlinux.lds.S               |   1 -
>  arch/microblaze/kernel/vmlinux.lds.S          |   2 -
>  arch/powerpc/kernel/vmlinux.lds.S             |   2 -
>  arch/um/include/asm/common.lds.S              |   2 -
>  arch/xtensa/kernel/vmlinux.lds.S              |   1 -
>  include/asm-generic/vmlinux.lds.h             |  25 +-
>  include/linux/init.h                          |   2 -
>  include/linux/lsm_hooks.h                     |  43 ++-
>  include/linux/module.h                        |   1 -
>  security/Kconfig                              |  42 +--
>  security/apparmor/lsm.c                       |  16 +-
>  security/commoncap.c                          |   8 +-
>  security/integrity/iint.c                     |   5 +-
>  security/loadpin/loadpin.c                    |  10 +-
>  security/security.c                           | 304
> ++++++++++++++---- security/selinux/hooks.c                      | 
> 16 +-
>  security/smack/smack_lsm.c                    |   8 +-
>  security/tomoyo/tomoyo.c                      |   7 +-
>  security/yama/yama_lsm.c                      |   7 +-
>  23 files changed, 348 insertions(+), 164 deletions(-)


-- 
Martin



  parent reply	other threads:[~2018-09-20 20:14 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-20 16:23 [PATCH security-next v2 00/26] LSM: Explict LSM ordering Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 01/26] LSM: Correctly announce start of LSM initialization Kees Cook
2018-09-20 23:39   ` Casey Schaufler
2018-09-20 16:23 ` [PATCH security-next v2 02/26] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 03/26] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 04/26] LSM: Remove initcall tracing Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 05/26] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 06/26] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 07/26] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 08/26] LSM: Record LSM name in struct lsm_info Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 09/26] LSM: Provide init debugging infrastructure Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 10/26] LSM: Don't ignore initialization failures Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 11/26] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 12/26] LSM: Provide separate ordered initialization Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 13/26] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 14/26] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 15/26] LSM: Introduce lsm.enable= and lsm.disable= Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 16/26] LSM: Prepare for reorganizing "security=" logic Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 17/26] LSM: Refactor "security=" in terms of enable/disable Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 18/26] LSM: Build ordered list of ordered LSMs for init Kees Cook
2018-09-21  0:04   ` Casey Schaufler
2018-09-21  0:37     ` Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 19/26] LSM: Introduce CONFIG_LSM_ORDER Kees Cook
2018-09-21  0:10   ` Casey Schaufler
2018-09-21  0:14     ` Casey Schaufler
2018-09-20 16:23 ` [PATCH security-next v2 20/26] LSM: Introduce "lsm.order=" for boottime ordering Kees Cook
2018-09-21  0:12   ` Casey Schaufler
2018-09-21  0:40     ` Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 21/26] LoadPin: Initialize as ordered LSM Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 22/26] Yama: " Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 23/26] LSM: Introduce enum lsm_order Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 24/26] capability: Mark as LSM_ORDER_FIRST Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 25/26] LSM: Separate idea of "major" LSM from "exclusive" LSM Kees Cook
2018-09-20 16:23 ` [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization Kees Cook
2018-09-21  0:25   ` Casey Schaufler
2018-09-21  0:45     ` Kees Cook
2018-09-21  1:10       ` Casey Schaufler
2018-09-21  1:39         ` John Johansen
2018-09-21  2:05           ` Kees Cook
2018-09-21  2:14             ` John Johansen
2018-09-21  3:02               ` Kees Cook
2018-09-21 13:19                 ` John Johansen
2018-09-21 14:57                   ` Casey Schaufler
2018-09-20 20:14 ` Martin Steigerwald [this message]
2018-09-20 21:55   ` [PATCH security-next v2 00/26] LSM: Explict LSM ordering Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1898403.NNy4ELVaME@merkaba \
    --to=martin@lichtvoll.de \
    --cc=casey.schaufler@intel.com \
    --cc=casey@schaufler-ca.com \
    --cc=corbet@lwn.net \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).