From: John Johansen <john.johansen@canonical.com>
To: Kees Cook <keescook@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: James Morris <jmorris@namei.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
LSM <linux-security-module@vger.kernel.org>,
LKLM <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 16/18] LSM: Allow arbitrary LSM ordering
Date: Mon, 17 Sep 2018 12:35:35 -0700 [thread overview]
Message-ID: <55196153-7a01-4555-623b-7e3292475f04@canonical.com> (raw)
In-Reply-To: <CAGXu5jLeTfwEXAZLz_H1PCx0ySWZcRhXQMfnE14TG8BvxY46JA@mail.gmail.com>
On 09/17/2018 11:14 AM, Kees Cook wrote:
> On Mon, Sep 17, 2018 at 10:13 AM, Casey Schaufler
> <casey@schaufler-ca.com> wrote:
>> TOMOYO uses the cred blob pointer. When the blob is shared TOMOYO
>> has to be allocated a pointer size chunk to store the pointer in.
>> Smack has the same behavior on file blobs.
>
> Oh dang, yes, I got confused over secid and other "extreme" shared things.
>
> So one change of my series would be to declare tomoyo as "exclusive" too.
>
>> Today the distinction is based on how the module registers hooks.
>> Modules that use blobs (including TOMOYO) use security_module_enable()
>> and those that don't just use security_add_hooks(). The "pick one"
>> policy is enforced in security_module_enable(), which is why you can
>> have as many non-blob users as you like. You could easily have a
>> non-blob using module that was exclusive simply by using
>> security_module_enable().
>
> True. With my removal of security_module_enable(), yes, it makes sense
> to mark all LSMs that were calling it before as exclusive, rather than
> focusing on whether they would be exclusive under the blob-sharing
> situation.
>
>> Keep security=$lsm with the existing exclusive behavior.
>> Add lsm=$lsm1,...,$lsmN which requires a full list of modules
>>
>> If you want to be fancy (I don't!) you could add
>>
>> lsm.add=$lsm1,...,$lsmN which adds the modules to the stack
>> lsm.delete=$lsm1,...,$lsmN which deletes modules from the stack
>
> We've got two issues: ordering and enablement. It's been strongly
> suggested that we should move away from per-LSM enable/disable flags
> (to which I agree). If ordering should be separate from enablement (to
> avoid the "booted kernel with new LSM built in, but my lsm="..." line
> didn't include it so it's disabled case), then I think we need to
> split the logic (otherwise we just reinvented "security=" with similar
> problems).
>
> Should "lsm=" allow arbitrary ordering? (I think yes.)
> yes
> Should "lsm=" imply implicit enable/disable? (I think no: unlisted
> LSMs are implicitly auto-appended to the explicit list)
>
maybe, adding $lsm to the list could possibly considered as enabling it,
but not having it there doesn't necessarily imply it isn't
> So then we could have "lsm.enable=..." and "lsm.disable=...".
>
> If builtin list was:
> capability,yama,loadpin,integrity,{selinux,smack,tomoyo,apparmor}
> then:
>
> lsm.disable=loadpin lsm=smack
>
> becomes
>
> capability,smack,yama,integrity
>
> and
>
> CONFIG_SECURITY_LOADPIN_DEFAULT_ENABLED=n
> selinux.enable=0 lsm.add=loadpin lsm.disable=smack,tomoyo lsm=integrity
>
> becomes
>
> capability,integrity,yama,loadpin,apparmor
>
>
> If "lsm=" _does_ imply enablement, then how does it interact with
> per-LSM disabling? i.e. what does "apparmor.enabled=0
> lsm=yama,apparmor" mean? If it means "turn on apparmor" how do I turn
> on a CONFIG-default-off LSM without specifying all the other LSMs too?
>
currently using
security=apparmor apparmor=0
means apparmor is the one given the chance to register but it declines
which means you just get capabilities. And with
# caveat not part of the current stacking patchset
security=selinux,apparmor apparmor=0
you end up with
capability,selinux
However apparmor=1 does not imply apparmor is the available LSM
that is
security=selinux apparmor=1
gives you
capability,selinux
if iirc selinux=X behaves the same way
However it is not clear to me whether this is the behavior that we
would want for $lsm.enabled, $lsm.disabled. It appears to be in
conflict with how yama, loadpin and IMA currently work.
next prev parent reply other threads:[~2018-09-17 19:35 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-16 0:30 [PATCH 00/18] LSM: Prepare for explict LSM ordering Kees Cook
2018-09-16 0:30 ` [PATCH 01/18] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-09-16 0:30 ` [PATCH 02/18] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 03/18] LSM: Remove initcall tracing Kees Cook
2018-09-16 0:30 ` [PATCH 04/18] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 05/18] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-09-16 0:30 ` [PATCH 06/18] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-09-16 0:30 ` [PATCH 07/18] LSM: Add minor LSM initialization loop Kees Cook
2018-09-16 1:27 ` Jann Horn
2018-09-16 1:49 ` Kees Cook
2018-09-16 0:30 ` [PATCH 08/18] integrity: Initialize as LSM_TYPE_MINOR Kees Cook
2018-09-16 0:30 ` [PATCH 09/18] LSM: Record LSM name in struct lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 10/18] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-09-16 0:30 ` [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-09-16 1:32 ` Jann Horn
2018-09-16 1:47 ` Kees Cook
2018-09-16 0:30 ` [PATCH 12/18] LSM: Introduce ordering details in struct lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 13/18] LoadPin: Initialize as LSM_TYPE_MINOR Kees Cook
2018-09-16 0:30 ` [PATCH 14/18] Yama: " Kees Cook
2018-09-16 0:30 ` [PATCH 15/18] capability: " Kees Cook
2018-09-16 0:30 ` [PATCH 16/18] LSM: Allow arbitrary LSM ordering Kees Cook
2018-09-16 18:49 ` Casey Schaufler
2018-09-16 23:00 ` Kees Cook
2018-09-17 0:46 ` Tetsuo Handa
2018-09-17 15:06 ` Casey Schaufler
2018-09-17 16:24 ` Kees Cook
2018-09-17 17:13 ` Casey Schaufler
2018-09-17 18:14 ` Kees Cook
2018-09-17 19:23 ` Casey Schaufler
2018-09-17 19:55 ` John Johansen
2018-09-17 21:57 ` Casey Schaufler
2018-09-17 22:36 ` John Johansen
2018-09-17 23:10 ` Mickaël Salaün
2018-09-17 23:20 ` Kees Cook
2018-09-17 23:26 ` John Johansen
2018-09-17 23:28 ` Kees Cook
2018-09-17 23:40 ` Casey Schaufler
2018-09-17 23:30 ` Casey Schaufler
2018-09-17 23:47 ` Mickaël Salaün
2018-09-18 0:00 ` Casey Schaufler
2018-09-17 23:25 ` John Johansen
2018-09-17 23:25 ` Casey Schaufler
2018-09-18 0:00 ` Kees Cook
2018-09-18 0:24 ` Casey Schaufler
2018-09-18 0:45 ` Kees Cook
2018-09-18 0:57 ` Casey Schaufler
2018-09-18 0:59 ` Kees Cook
2018-09-18 1:08 ` John Johansen
2018-09-17 19:35 ` John Johansen [this message]
2018-09-16 0:30 ` [PATCH 17/18] LSM: Provide init debugging Kees Cook
2018-09-16 0:30 ` [PATCH 18/18] LSM: Don't ignore initialization failures Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55196153-7a01-4555-623b-7e3292475f04@canonical.com \
--to=john.johansen@canonical.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).