linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Randy Dunlap <rdunlap@infradead.org>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Kees Cook <keescook@chromium.org>
Cc: James Morris <jmorris@namei.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Jakub Kicinski <jakub.kicinski@netronome.com>
Subject: Re: Linux 5.1-rc2
Date: Wed, 27 Mar 2019 16:22:16 -0700	[thread overview]
Message-ID: <3bca3aa4-ee37-cd1d-448a-c2e8c4aee81a@schaufler-ca.com> (raw)
In-Reply-To: <366dcec3-1599-9e56-4660-44791e1c7a45@infradead.org>

On 3/27/2019 3:55 PM, Randy Dunlap wrote:
> On 3/27/19 3:23 PM, Casey Schaufler wrote:
>> On 3/27/2019 3:05 PM, Tetsuo Handa wrote:
>>> On 2019/03/28 6:43, Kees Cook wrote:
>>>>>> I don't see problems for an exclusive LSM user (AA, SELinux, Smack)
>>>>>> also initializing TOMOYO, though. It should be a no-op. Is there some
>>>>>> situation where this is not true?
>>>>> There should be no problem except some TOMOYO messages are printed.
>>>> Okay, so I should send my latest version of the patch to James? Or do
>>>> you explicitly want TOMOYO removed from all the CONFIG_LSM default
>>>> lines except when selected by CONFIG_DEFAULT_SECURITY_TOMOYO? (I worry
>>>> the latter will lead to less testing of the stacking.)
>>>>
>>> My approach is "opt-in" while your approach is "opt-out". And the problem
>>> here is that people might fail to change CONFIG_LSM from the default value
>>> to what they need. (And Jakub did not change CONFIG_LSM to reflect
>>> CONFIG_DEFAULT_SECURITY_APPARMOR from the old config.) Thus, I suggest
>>> "opt-in" approach; which includes up to only one legacy major LSM and allows
>>> people to change the default value to include multiple legacy major LSMs.
>>>
>>> You can propose your latest version. If SELinux/Smack/AppArmor people
>>> prefer "opt-out" approach, I'm fine with "opt-out" approach.
>> In the long haul we want people to use CONFIG_LSM to set their
>> list of modules. Providing a backward compatible CONFIG_DEFAULT_SECURITY_BLAH
>> makes some sense, but it's important that we encourage a mindset change.
>> Maybe with CONFIG_DEFAULT_SECURITY_LIST with a a full list, which uses the
>> value from CONFIG_LSM, and make it the default?
>>
> Hi,
>
> I'm still confused.  Does this mindset change include removing support of
> SECURITY_DAC?

No.

>    If so, where was this discussed and decided?

linux-security-module@vger.kernel.org on threads related to security
module stacking. It's easy to get the same result with a CONFIG_LSM
that includes none of the SELinux, Smack, TOMOYO or AppArmor.

> And if so (again), that feels like enforcing some kind of policy in the kernel.

Again, not so. It's a change from "The not-more-the One Major Module" to
"Whatever set of policies works for you". The NULL set is completely
supported. The current flap is that it's more difficult to express doing
things the old way. Kees and Tetsuo are hashing out how best to support
old .confg files in support of automated tools.


> thanks.

  reply	other threads:[~2019-03-27 23:22 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-24 21:26 Linux 5.1-rc2 Linus Torvalds
2019-03-25  2:31 ` Randy Dunlap
2019-03-25 19:08   ` James Morris
2019-03-25 21:05     ` Tetsuo Handa
2019-03-27 19:16       ` Kees Cook
2019-03-27 20:30         ` Tetsuo Handa
2019-03-27 20:45           ` Kees Cook
2019-03-27 21:05             ` Tetsuo Handa
2019-03-27 21:43               ` Kees Cook
2019-03-27 22:05                 ` Tetsuo Handa
2019-03-27 22:23                   ` Casey Schaufler
2019-03-27 22:55                     ` Randy Dunlap
2019-03-27 23:22                       ` Casey Schaufler [this message]
2019-03-29 18:07                 ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3bca3aa4-ee37-cd1d-448a-c2e8c4aee81a@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=jakub.kicinski@netronome.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=rdunlap@infradead.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).