linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	James Morris <jmorris@namei.org>,
	LKML <linux-kernel@vger.kernel.org>,
	SE Linux <selinux@tycho.nsa.gov>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	"Schaufler, Casey" <casey.schaufler@intel.com>
Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock
Date: Thu, 13 Sep 2018 16:51:43 -0700	[thread overview]
Message-ID: <CAGXu5jKZ7rquTux5fS+5tQ==0w_9rDTRaJWS_mS7C+Fy2dXRRQ@mail.gmail.com> (raw)
In-Reply-To: <0eb75e66-ed50-4013-6440-38bc2f814c6f@canonical.com>

On Thu, Sep 13, 2018 at 4:32 PM, John Johansen
<john.johansen@canonical.com> wrote:
> On 09/13/2018 04:06 PM, Kees Cook wrote:
>> - what order should any stacking happen? Makefile? security=?
>>
> Preferably not. For the single LSM we have the ability to choose the default LSM, ideally we let the distro decide in the Kconfig and the user with security=...

I can't find a non-crazy way to do this in Kconfig. Right now, if I
threw out all the _DEFAULT stuff, I could do:

config SECURITY_SELINUX_ENABLED
        bool "SELinux LSM enabled at boot time"
        depends on SECURITY_SELINUX
        depends on !SECURITY_APPARMOR_ENABLED && !SECURITY_SMACK_ENABLED
        default SECURITY_SELINUX

config SECURITY_SMACK_ENABLED
        bool "SMACK LSM enabled at boot time"
        depends on SECURITY_SMACK
        depends on !SECURITY_APPARMOR_ENABLED && !SECURITY_SELINUX_ENABLED
        default SECURITY_SMACK

config SECURITY_APPARMOR_ENABLED
        bool "AppArmor LSM enabled at boot time"
        depends on SECURITY_APPARMOR
        depends on !SECURITY_SMACK_ENABLED && !SECURITY_SELINUX_ENABLED
        default SECURITY_APPARMOR

config SECURITY_TOMOYO_ENABLED
        bool "TOMOYO LSM enabled at boot time"
        depends on SECURITY_TOMOYO
        default y if !SECURITY_SELINUX_ENABLED &&
!SECURITY_SMACK_ENABLED && !SECURITY_APPARMOR_ENABLED

config DEFAULT_SECURITY
        string
        default "selinux" if SECURITY_SELINUX_ENABLED
        default "smack" if SECURITY_SMACK_ENABLED
        default "apparmor" if SECURITY_APPARMOR_ENABLED
        default "tomoyo" if SECURITY_TOMOYO_ENABLED

(As before CONFIG_DEFAULT_SECURITY basically means the effective
"security=" contents. Reminder than Kconfig default are "first match",
so tomoyo would only happen if all others are not enabled by default.)

But this doesn't provide a way for Kconfig to declare the ordering of
TOMOYO followed by SELinux. If we just declare ordering is a function
of the Makefile, then the above would work as expected. The
"conflicting major LSM" could be specified on "security=" and stacked
could be enabled with $lsm.enable=1 (or disabled).

So, before we can really make a decision, I think we have to decide:
should ordering be arbitrary for even this level of stacking?

-Kees

-- 
Kees Cook
Pixel Security

  reply	other threads:[~2018-09-13 23:51 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-11 16:26 [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock Casey Schaufler
2018-09-11 16:41 ` [PATCH 01/10] procfs: add smack subdir to attrs Casey Schaufler
2018-09-11 23:45   ` Ahmed S. Darwish
2018-09-12  0:01     ` Casey Schaufler
2018-09-12 22:57   ` Kees Cook
2018-09-11 16:41 ` [PATCH 02/10] Smack: Abstract use of cred security blob Casey Schaufler
2018-09-12 23:04   ` Kees Cook
2018-09-11 16:41 ` [PATCH 03/10] SELinux: " Casey Schaufler
2018-09-12 23:10   ` Kees Cook
2018-09-11 16:41 ` [PATCH 04/10] LSM: Infrastructure management of the " Casey Schaufler
2018-09-12 23:53   ` Kees Cook
2018-09-13 19:01     ` Casey Schaufler
2018-09-13 21:12       ` Kees Cook
2018-09-11 16:41 ` [PATCH 05/10] SELinux: Abstract use of file " Casey Schaufler
2018-09-12 23:54   ` Kees Cook
2018-09-11 16:42 ` [PATCH 06/10] LSM: Infrastructure management of the " Casey Schaufler
2018-09-13  0:00   ` Kees Cook
2018-09-11 16:42 ` [PATCH 07/10] SELinux: Abstract use of inode " Casey Schaufler
2018-09-13  0:23   ` Kees Cook
2018-09-11 16:42 ` [PATCH 08/10] Smack: " Casey Schaufler
2018-09-13  0:24   ` Kees Cook
2018-09-11 16:42 ` [PATCH 09/10] LSM: Infrastructure management of the inode security Casey Schaufler
2018-09-13  0:30   ` Kees Cook
2018-09-11 16:42 ` [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock Casey Schaufler
2018-09-13  4:19   ` Kees Cook
2018-09-13 13:16     ` Paul Moore
2018-09-13 15:19       ` Kees Cook
2018-09-13 19:12         ` Paul Moore
2018-09-13 20:58           ` Jordan Glover
2018-09-13 21:50             ` Paul Moore
2018-09-13 22:04               ` Jordan Glover
2018-09-13 23:01               ` Casey Schaufler
2018-09-13 21:01           ` Kees Cook
2018-09-13 21:38             ` Paul Moore
2018-09-13 21:51               ` Kees Cook
2018-09-13 23:06                 ` Kees Cook
2018-09-13 23:32                   ` John Johansen
2018-09-13 23:51                     ` Kees Cook [this message]
2018-09-14  0:03                       ` Casey Schaufler
2018-09-14  0:06                         ` Kees Cook
2018-09-13 23:51                   ` Casey Schaufler
2018-09-13 23:57                     ` Kees Cook
2018-09-14  0:08                       ` Casey Schaufler
2018-09-14  0:19                         ` Kees Cook
2018-09-14 15:57                           ` Casey Schaufler
2018-09-14 20:05                             ` Kees Cook
2018-09-14 20:47                               ` Casey Schaufler
2018-09-14 18:18                         ` James Morris
2018-09-14 18:23                           ` John Johansen
2018-09-14  0:03                     ` Kees Cook
2018-09-14  2:42                 ` Paul Moore
2018-09-11 20:43 ` [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock James Morris
2018-09-12 21:29 ` James Morris
2018-09-16 16:54   ` Salvatore Mesoraca
2018-09-16 17:25     ` Casey Schaufler
2018-09-16 17:45       ` Salvatore Mesoraca
2018-09-18  7:44   ` Mickaël Salaün
2018-09-18 15:23     ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5jKZ7rquTux5fS+5tQ==0w_9rDTRaJWS_mS7C+Fy2dXRRQ@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=adobriyan@gmail.com \
    --cc=casey.schaufler@intel.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).