Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering

[Casey Schaufler <casey@schaufler-ca.com>]

On 11/4/2022 9:29 AM, Mickaël Salaün wrote:
>
> On 18/10/2022 21:31, Paul Moore wrote:
>> On Tue, Oct 18, 2022 at 1:55 AM Kees Cook <keescook@chromium.org> wrote:
>>> On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:
>
> [...]
>
>>>> We can have defaults, like we do know, but I'm in no hurry to remove
>>>> the ability to allow admins to change the ordering at boot time.
>>>
>>> My concern is with new LSMs vs the build system. A system builder will
>>> be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
>>> about making changes to CONFIG_LSM to include it.
>>
>> I would argue that if an admin/builder doesn't understand what a shiny
>> new LSM does, they shouldn't be enabling that shiny new LSM.  Adding
>> new, potentially restrictive, controls to your kernel build without a
>> basic understanding of those controls is a recipe for disaster and I
>> try to avoid recommending disaster as a planned course of action :)
>
> It depends on what this shiny new LSMs do *by default*. In the case of
> Landlock, it do nothing unless a process does specific system calls
> (same as for most new kernel features: sysfs entries, syscall flags…).
> I guess this is the same for most LSMs.

"By default" is somewhat ambiguous. Smack will always enforce its
basic policy. If files aren't labeled and the Smack process label
isn't explicitly set there won't be any problems. However, if files
have somehow gotten labels assigned and there are no rules defined
things can go sideways.