[v3,1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering
diff mbox series

Message ID 20210222150608.808146-2-mic@digikod.net
State New, archived
Headers show
Series
  • Automatic LSM stack ordering
Related show

Commit Message

Mickaël Salaün Feb. 22, 2021, 3:06 p.m. UTC
From: Mickaël Salaün <mic@linux.microsoft.com>

Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
stacking order to kernel developers.  This enable to keep a consistent
order of enabled LSM when changing the LSM selection, especially when a
new LSM is added to the kernel.

CONFIG_LSM depends on !CONFIG_LSM_AUTO, which is backward compatible and
gives the opportunity to users to select CONFIG_LSM_AUTO with a make
oldconfig.

CONFIG_LSM and CONFIG_LSM_AUTO depend on CONFIG_SECURITY, which makes
sense because an LSM depends on the security framework.

Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: James Morris <jmorris@namei.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210222150608.808146-2-mic@digikod.net
---

Changes since v2:
* Revamp without virtual dependencies but a new option to automatically
  enable all selected LSMs.

Changes since v1:
* Add CONFIG_SECURITY as a dependency of CONFIG_LSM.  This prevent an
  error when building without any LSMs.
---
 security/Kconfig    | 19 +++++++++++++++++++
 security/security.c | 26 +++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

Comments

Casey Schaufler Feb. 22, 2021, 4:51 p.m. UTC | #1
On 2/22/2021 7:06 AM, Mickaël Salaün wrote:
> From: Mickaël Salaün <mic@linux.microsoft.com>
>
> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
> stacking order to kernel developers.  This enable to keep a consistent
> order of enabled LSM when changing the LSM selection, especially when a
> new LSM is added to the kernel.

TL;DR - NAK

Do you think that we might have considered this when stacking was
introduced? Did you even consider the implications before sending
the patch? This only makes any sense if you want to compile in
AppArmor and/or Smack but always use SELinux. The existing Kconfig
model handles that perfectly well. Also, this will break when the
next phase of module stacking comes in, and all of a sudden
systems will automatically get AppArmor in addition to SELinux
or Smack.

I know that the CONFIG_LSM/lsm= mechanism is clumsy. But we spent
about a year discussing, proposing and implementing alternatives,
and if there's a better mechanism, we couldn't find it. Of course
we considered "just use the kernel order". It doesn't work for
generic kernels. I understand that adding a new LSM that you want
to be included by default is a tough problem. I also suggest
that silently adding an LSM to an existing configuration is likely
to violate the principle of least astonishment.

>
> CONFIG_LSM depends on !CONFIG_LSM_AUTO, which is backward compatible and
> gives the opportunity to users to select CONFIG_LSM_AUTO with a make
> oldconfig.
>
> CONFIG_LSM and CONFIG_LSM_AUTO depend on CONFIG_SECURITY, which makes
> sense because an LSM depends on the security framework.
>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: James Morris <jmorris@namei.org>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Serge E. Hallyn <serge@hallyn.com>
> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
> Link: https://lore.kernel.org/r/20210222150608.808146-2-mic@digikod.net
> ---
>
> Changes since v2:
> * Revamp without virtual dependencies but a new option to automatically
>   enable all selected LSMs.
>
> Changes since v1:
> * Add CONFIG_SECURITY as a dependency of CONFIG_LSM.  This prevent an
>   error when building without any LSMs.
> ---
>  security/Kconfig    | 19 +++++++++++++++++++
>  security/security.c | 26 +++++++++++++++++++++++++-
>  2 files changed, 44 insertions(+), 1 deletion(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 7561f6f99f1d..fae083e9867d 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -243,6 +243,7 @@ source "security/integrity/Kconfig"
>  
>  choice
>  	prompt "First legacy 'major LSM' to be initialized"
> +	depends on SECURITY
>  	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
>  	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
>  	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> @@ -275,8 +276,26 @@ choice
>  
>  endchoice
>  
> +config LSM_AUTO
> +	bool "Automatically enable all selected LSMs at boot"
> +	depends on SECURITY
> +	default y
> +	help
> +	  This automatically configure the build-time selected LSMs to be
> +	  enabled at boot unless the "lsm=" parameter is provided.
> +
> +	  If this option is not selected, it will be required to configure and
> +	  maintained a static list of enabled LSMs that may become inconsistent
> +	  with future user configuration.  Indeed, this list will not be
> +	  automatically upgraded when selecting a new (future) LSM, e.g. with
> +	  make oldconfig.
> +
> +	  If you are unsure how to answer this question, answer Y.
> +
> +# This lists should be synchronized with LSM_ORDER defined in security/security.c .
>  config LSM
>  	string "Ordered list of enabled LSMs"
> +	depends on SECURITY && !LSM_AUTO
>  	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>  	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>  	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> diff --git a/security/security.c b/security/security.c
> index 401663b5b70e..defa1d2c40a3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -82,7 +82,31 @@ static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
>  static __initdata const char *chosen_lsm_order;
>  static __initdata const char *chosen_major_lsm;
>  
> -static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
> +#ifdef CONFIG_LSM
> +#define LSM_ORDER	CONFIG_LSM
> +#else
> +
> +/*
> + * This lists should be synchronized with the default values of CONFIG_LSM
> + * defined in security/Kconfig .
> + */
> +#define LSM_ORDER_PRE	"lockdown,yama,loadpin,safesetid,integrity,"
> +
> +#if defined(CONFIG_DEFAULT_SECURITY_SMACK)
> +#define LSM_ORDER	LSM_ORDER_PRE "smack,selinux,tomoyo,apparmor,bpf"
> +#elif defined(CONFIG_DEFAULT_SECURITY_APPARMOR)
> +#define LSM_ORDER	LSM_ORDER_PRE "apparmor,selinux,smack,tomoyo,bpf"
> +#elif defined(CONFIG_DEFAULT_SECURITY_TOMOYO)
> +#define LSM_ORDER	LSM_ORDER_PRE "tomoyo,bpf"
> +#elif defined(CONFIG_DEFAULT_SECURITY_DAC)
> +#define LSM_ORDER	LSM_ORDER_PRE "bpf"
> +#else
> +#define LSM_ORDER	LSM_ORDER_PRE "selinux,smack,tomoyo,apparmor,bpf"
> +#endif
> +
> +#endif /* CONFIG_LSM */
> +
> +static __initconst const char * const builtin_lsm_order = LSM_ORDER;
>  
>  /* Ordered list of LSMs to initialize. */
>  static __initdata struct lsm_info **ordered_lsms;
Mickaël Salaün Feb. 22, 2021, 6:31 p.m. UTC | #2
On 22/02/2021 17:51, Casey Schaufler wrote:
> On 2/22/2021 7:06 AM, Mickaël Salaün wrote:
>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>
>> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
>> stacking order to kernel developers.  This enable to keep a consistent
>> order of enabled LSM when changing the LSM selection, especially when a
>> new LSM is added to the kernel.
> 
> TL;DR - NAK
> 
> Do you think that we might have considered this when stacking was
> introduced?

I didn't dig the detailed history of LSM stacking, but you are in Cc
because I know that you know. I may have though that the main goal of
the current LSM stacking implementation was to enable to stack existing
LSMs, which works well with this CONFIG_LSM list, but doesn't work as
well for new LSMs.

> Did you even consider the implications before sending
> the patch?

Yes, and it doesn't change much the current behavior without user
interaction. However, it gives the choice to users to choose how they
want their configuration to evolve.

> This only makes any sense if you want to compile in
> AppArmor and/or Smack but always use SELinux. The existing Kconfig
> model handles that perfectly well.

This patch series doesn't change this behavior if the user doesn't want
it to change.

> Also, this will break when the
> next phase of module stacking comes in, and all of a sudden
> systems will automatically get AppArmor in addition to SELinux
> or Smack.

What is the next phase of module stacking? What would be the consequences?

Systems will only get new LSMs if their configuration said so, either
from Kconfig or from boot arguments. I think we should make easier to
have a working, consistent and secure kernel configuration by default.
If users want to have a non-default configuration, that's fine, fully
supported, and they can do it.

> 
> I know that the CONFIG_LSM/lsm= mechanism is clumsy. But we spent
> about a year discussing, proposing and implementing alternatives,
> and if there's a better mechanism, we couldn't find it. Of course
> we considered "just use the kernel order".

This is indeed the intent of this patch, but this configuration is optional.

> It doesn't work for generic kernels.

Why? Generic kernels can be configured with CONFIG_LSM or with
CONFIG_LSM_AUTO. I agree that generic distros may want to not enable
major LSMs such as SELinux, AppArmor, Smack and Tomoyo by default but
support them in their generic kernel anyway to let users pick and
configure an LSM thanks to the boot arguments, and that's totally fine.
Moreover, distro maintainers will surely browse most of new options to
identify if it is the best choice for their distro. The *default* choice
(for LSMs enabled at boot) is in the hand of users configuring their
kernel, and they are in the best position to choose if they want to
follow new kernel options and their consequences (e.g. distro kernel
maintainers, whose job is to follow kernel development), or to have an
easier way to maintain an up-to-date kernel (e.g. sysadmins or
hobbyists, who may not have so much time dedicated to follow kernel
developments).

> I understand that adding a new LSM that you want
> to be included by default is a tough problem. I also suggest
> that silently adding an LSM to an existing configuration is likely
> to violate the principle of least astonishment.

Nothing is silently added to the user configuration with this patch. It
is an optional (default) configuration, which I think makes more sense
for users not expert in every kernel toggles.

> 
>>
>> CONFIG_LSM depends on !CONFIG_LSM_AUTO, which is backward compatible and
>> gives the opportunity to users to select CONFIG_LSM_AUTO with a make
>> oldconfig.
>>
>> CONFIG_LSM and CONFIG_LSM_AUTO depend on CONFIG_SECURITY, which makes
>> sense because an LSM depends on the security framework.
>>
>> Cc: Casey Schaufler <casey@schaufler-ca.com>
>> Cc: James Morris <jmorris@namei.org>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>> Link: https://lore.kernel.org/r/20210222150608.808146-2-mic@digikod.net
>> ---
>>
>> Changes since v2:
>> * Revamp without virtual dependencies but a new option to automatically
>>   enable all selected LSMs.
>>
>> Changes since v1:
>> * Add CONFIG_SECURITY as a dependency of CONFIG_LSM.  This prevent an
>>   error when building without any LSMs.
>> ---
>>  security/Kconfig    | 19 +++++++++++++++++++
>>  security/security.c | 26 +++++++++++++++++++++++++-
>>  2 files changed, 44 insertions(+), 1 deletion(-)
>>
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 7561f6f99f1d..fae083e9867d 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -243,6 +243,7 @@ source "security/integrity/Kconfig"
>>  
>>  choice
>>  	prompt "First legacy 'major LSM' to be initialized"
>> +	depends on SECURITY
>>  	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
>>  	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
>>  	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
>> @@ -275,8 +276,26 @@ choice
>>  
>>  endchoice
>>  
>> +config LSM_AUTO
>> +	bool "Automatically enable all selected LSMs at boot"
>> +	depends on SECURITY
>> +	default y
>> +	help
>> +	  This automatically configure the build-time selected LSMs to be
>> +	  enabled at boot unless the "lsm=" parameter is provided.
>> +
>> +	  If this option is not selected, it will be required to configure and
>> +	  maintained a static list of enabled LSMs that may become inconsistent
>> +	  with future user configuration.  Indeed, this list will not be
>> +	  automatically upgraded when selecting a new (future) LSM, e.g. with
>> +	  make oldconfig.
>> +
>> +	  If you are unsure how to answer this question, answer Y.
>> +
>> +# This lists should be synchronized with LSM_ORDER defined in security/security.c .
>>  config LSM
>>  	string "Ordered list of enabled LSMs"
>> +	depends on SECURITY && !LSM_AUTO
>>  	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>>  	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>>  	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>> diff --git a/security/security.c b/security/security.c
>> index 401663b5b70e..defa1d2c40a3 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -82,7 +82,31 @@ static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
>>  static __initdata const char *chosen_lsm_order;
>>  static __initdata const char *chosen_major_lsm;
>>  
>> -static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
>> +#ifdef CONFIG_LSM
>> +#define LSM_ORDER	CONFIG_LSM
>> +#else
>> +
>> +/*
>> + * This lists should be synchronized with the default values of CONFIG_LSM
>> + * defined in security/Kconfig .
>> + */
>> +#define LSM_ORDER_PRE	"lockdown,yama,loadpin,safesetid,integrity,"
>> +
>> +#if defined(CONFIG_DEFAULT_SECURITY_SMACK)
>> +#define LSM_ORDER	LSM_ORDER_PRE "smack,selinux,tomoyo,apparmor,bpf"
>> +#elif defined(CONFIG_DEFAULT_SECURITY_APPARMOR)
>> +#define LSM_ORDER	LSM_ORDER_PRE "apparmor,selinux,smack,tomoyo,bpf"
>> +#elif defined(CONFIG_DEFAULT_SECURITY_TOMOYO)
>> +#define LSM_ORDER	LSM_ORDER_PRE "tomoyo,bpf"
>> +#elif defined(CONFIG_DEFAULT_SECURITY_DAC)
>> +#define LSM_ORDER	LSM_ORDER_PRE "bpf"
>> +#else
>> +#define LSM_ORDER	LSM_ORDER_PRE "selinux,smack,tomoyo,apparmor,bpf"
>> +#endif
>> +
>> +#endif /* CONFIG_LSM */
>> +
>> +static __initconst const char * const builtin_lsm_order = LSM_ORDER;
>>  
>>  /* Ordered list of LSMs to initialize. */
>>  static __initdata struct lsm_info **ordered_lsms;
>
Casey Schaufler Feb. 22, 2021, 8:31 p.m. UTC | #3
On 2/22/2021 10:31 AM, Mickaël Salaün wrote:
> On 22/02/2021 17:51, Casey Schaufler wrote:
>> On 2/22/2021 7:06 AM, Mickaël Salaün wrote:
>>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>>
>>> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
>>> stacking order to kernel developers.  This enable to keep a consistent
>>> order of enabled LSM when changing the LSM selection, especially when a
>>> new LSM is added to the kernel.
>> TL;DR - NAK
>>
>> Do you think that we might have considered this when stacking was
>> introduced?
> I didn't dig the detailed history of LSM stacking, but you are in Cc
> because I know that you know. I may have though that the main goal of
> the current LSM stacking implementation was to enable to stack existing
> LSMs, which works well with this CONFIG_LSM list, but doesn't work as
> well for new LSMs.

It works just fine for new LSMs if you treat them as significant
features which may have significant impact on the behavior of the
system.

>> Did you even consider the implications before sending
>> the patch?
> Yes, and it doesn't change much the current behavior without user
> interaction. However, it gives the choice to users to choose how they
> want their configuration to evolve.

Automatic inclusions of new LSMs would be counter to existing practice.
It won't work for "major" LSMs.


>> This only makes any sense if you want to compile in
>> AppArmor and/or Smack but always use SELinux. The existing Kconfig
>> model handles that perfectly well.
> This patch series doesn't change this behavior if the user doesn't want
> it to change.

Well, there's the question. If a distribution/system uses the new scheme
"users" are going to get new LSMs spontaniously. If they don't it's up to
the "user". Unsophisticated users won't want this, and the others don't
need it.

>> Also, this will break when the
>> next phase of module stacking comes in, and all of a sudden
>> systems will automatically get AppArmor in addition to SELinux
>> or Smack.
> What is the next phase of module stacking? What would be the consequences?

The next phase ( coming real soon now :) ) allows AppArmor and SELinux/Smack
at the same time. More generically, the number of interfaces that can't be
used by multiple LSMs are reduced.

> Systems will only get new LSMs if their configuration said so, either
> from Kconfig or from boot arguments. I think we should make easier to
> have a working, consistent and secure kernel configuration by default.
> If users want to have a non-default configuration, that's fine, fully
> supported, and they can do it.

That really only matters for distribution or product kernels.
Neither of those should use CONFIG_LSM_AUTO.


>> I know that the CONFIG_LSM/lsm= mechanism is clumsy. But we spent
>> about a year discussing, proposing and implementing alternatives,
>> and if there's a better mechanism, we couldn't find it. Of course
>> we considered "just use the kernel order".
> This is indeed the intent of this patch, but this configuration is optional.

Anyone who should rationally chose this option doesn't need it.


>> It doesn't work for generic kernels.
> Why? 

Because you only ever get the first compiled in Major LSM, which
will always be SELinux. If you only ever get a particular LSM,
why compile in the others? OK, I'm ignoring boot options.

> Generic kernels can be configured with CONFIG_LSM or with
> CONFIG_LSM_AUTO. 

Sure, if they use SELinux. But why would they use CONFIG_LSM_AUTO?
They loss of control over system behavior is unreasonable for a
distribution or a product kernel.

> I agree that generic distros may want to not enable
> major LSMs such as SELinux, AppArmor, Smack and Tomoyo by default but
> support them in their generic kernel anyway to let users pick and
> configure an LSM thanks to the boot arguments, and that's totally fine.
> Moreover, distro maintainers will surely browse most of new options to
> identify if it is the best choice for their distro. The *default* choice
> (for LSMs enabled at boot) is in the hand of users configuring their
> kernel, and they are in the best position to choose if they want to
> follow new kernel options and their consequences (e.g. distro kernel
> maintainers, whose job is to follow kernel development), or to have an
> easier way to maintain an up-to-date kernel (e.g. sysadmins or
> hobbyists, who may not have so much time dedicated to follow kernel
> developments).

Users who configure their kernels don't need CONFIG_LSM_AUTO.
Users who don't configure their kernels shouldn't have it.


>> I understand that adding a new LSM that you want
>> to be included by default is a tough problem. I also suggest
>> that silently adding an LSM to an existing configuration is likely
>> to violate the principle of least astonishment.
> Nothing is silently added to the user configuration with this patch. It
> is an optional (default) configuration, which I think makes more sense
> for users not expert in every kernel toggles.

That is exactly wrong. Users who are not expert on kernel configuration
should not get LSMs added to their configuration without their knowledge.

>>> CONFIG_LSM depends on !CONFIG_LSM_AUTO, which is backward compatible and
>>> gives the opportunity to users to select CONFIG_LSM_AUTO with a make
>>> oldconfig.
>>>
>>> CONFIG_LSM and CONFIG_LSM_AUTO depend on CONFIG_SECURITY, which makes
>>> sense because an LSM depends on the security framework.
>>>
>>> Cc: Casey Schaufler <casey@schaufler-ca.com>
>>> Cc: James Morris <jmorris@namei.org>
>>> Cc: Kees Cook <keescook@chromium.org>
>>> Cc: Serge E. Hallyn <serge@hallyn.com>
>>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>>> Link: https://lore.kernel.org/r/20210222150608.808146-2-mic@digikod.net
>>> ---
>>>
>>> Changes since v2:
>>> * Revamp without virtual dependencies but a new option to automatically
>>>   enable all selected LSMs.
>>>
>>> Changes since v1:
>>> * Add CONFIG_SECURITY as a dependency of CONFIG_LSM.  This prevent an
>>>   error when building without any LSMs.
>>> ---
>>>  security/Kconfig    | 19 +++++++++++++++++++
>>>  security/security.c | 26 +++++++++++++++++++++++++-
>>>  2 files changed, 44 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/security/Kconfig b/security/Kconfig
>>> index 7561f6f99f1d..fae083e9867d 100644
>>> --- a/security/Kconfig
>>> +++ b/security/Kconfig
>>> @@ -243,6 +243,7 @@ source "security/integrity/Kconfig"
>>>  
>>>  choice
>>>  	prompt "First legacy 'major LSM' to be initialized"
>>> +	depends on SECURITY
>>>  	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
>>>  	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
>>>  	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
>>> @@ -275,8 +276,26 @@ choice
>>>  
>>>  endchoice
>>>  
>>> +config LSM_AUTO
>>> +	bool "Automatically enable all selected LSMs at boot"
>>> +	depends on SECURITY
>>> +	default y
>>> +	help
>>> +	  This automatically configure the build-time selected LSMs to be
>>> +	  enabled at boot unless the "lsm=" parameter is provided.
>>> +
>>> +	  If this option is not selected, it will be required to configure and
>>> +	  maintained a static list of enabled LSMs that may become inconsistent
>>> +	  with future user configuration.  Indeed, this list will not be
>>> +	  automatically upgraded when selecting a new (future) LSM, e.g. with
>>> +	  make oldconfig.
>>> +
>>> +	  If you are unsure how to answer this question, answer Y.
>>> +
>>> +# This lists should be synchronized with LSM_ORDER defined in security/security.c .
>>>  config LSM
>>>  	string "Ordered list of enabled LSMs"
>>> +	depends on SECURITY && !LSM_AUTO
>>>  	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>>>  	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>>>  	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>>> diff --git a/security/security.c b/security/security.c
>>> index 401663b5b70e..defa1d2c40a3 100644
>>> --- a/security/security.c
>>> +++ b/security/security.c
>>> @@ -82,7 +82,31 @@ static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
>>>  static __initdata const char *chosen_lsm_order;
>>>  static __initdata const char *chosen_major_lsm;
>>>  
>>> -static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
>>> +#ifdef CONFIG_LSM
>>> +#define LSM_ORDER	CONFIG_LSM
>>> +#else
>>> +
>>> +/*
>>> + * This lists should be synchronized with the default values of CONFIG_LSM
>>> + * defined in security/Kconfig .
>>> + */
>>> +#define LSM_ORDER_PRE	"lockdown,yama,loadpin,safesetid,integrity,"
>>> +
>>> +#if defined(CONFIG_DEFAULT_SECURITY_SMACK)
>>> +#define LSM_ORDER	LSM_ORDER_PRE "smack,selinux,tomoyo,apparmor,bpf"
>>> +#elif defined(CONFIG_DEFAULT_SECURITY_APPARMOR)
>>> +#define LSM_ORDER	LSM_ORDER_PRE "apparmor,selinux,smack,tomoyo,bpf"
>>> +#elif defined(CONFIG_DEFAULT_SECURITY_TOMOYO)
>>> +#define LSM_ORDER	LSM_ORDER_PRE "tomoyo,bpf"
>>> +#elif defined(CONFIG_DEFAULT_SECURITY_DAC)
>>> +#define LSM_ORDER	LSM_ORDER_PRE "bpf"
>>> +#else
>>> +#define LSM_ORDER	LSM_ORDER_PRE "selinux,smack,tomoyo,apparmor,bpf"
>>> +#endif
>>> +
>>> +#endif /* CONFIG_LSM */
>>> +
>>> +static __initconst const char * const builtin_lsm_order = LSM_ORDER;
>>>  
>>>  /* Ordered list of LSMs to initialize. */
>>>  static __initdata struct lsm_info **ordered_lsms;
Nicolas Iooss Feb. 22, 2021, 9:12 p.m. UTC | #4
On Mon, Feb 22, 2021 at 9:32 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 2/22/2021 10:31 AM, Mickaël Salaün wrote:
> > On 22/02/2021 17:51, Casey Schaufler wrote:
> >> On 2/22/2021 7:06 AM, Mickaël Salaün wrote:
> >>> From: Mickaël Salaün <mic@linux.microsoft.com>
> >>>
> >>> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
> >>> stacking order to kernel developers.  This enable to keep a consistent
> >>> order of enabled LSM when changing the LSM selection, especially when a
> >>> new LSM is added to the kernel.
> >> TL;DR - NAK
> >>
> >> Do you think that we might have considered this when stacking was
> >> introduced?
> > I didn't dig the detailed history of LSM stacking, but you are in Cc
> > because I know that you know. I may have though that the main goal of
> > the current LSM stacking implementation was to enable to stack existing
> > LSMs, which works well with this CONFIG_LSM list, but doesn't work as
> > well for new LSMs.
>
> It works just fine for new LSMs if you treat them as significant
> features which may have significant impact on the behavior of the
> system.
>
> >> Did you even consider the implications before sending
> >> the patch?
> > Yes, and it doesn't change much the current behavior without user
> > interaction. However, it gives the choice to users to choose how they
> > want their configuration to evolve.
>
> Automatic inclusions of new LSMs would be counter to existing practice.
> It won't work for "major" LSMs.
>
>
> >> This only makes any sense if you want to compile in
> >> AppArmor and/or Smack but always use SELinux. The existing Kconfig
> >> model handles that perfectly well.
> > This patch series doesn't change this behavior if the user doesn't want
> > it to change.
>
> Well, there's the question. If a distribution/system uses the new scheme
> "users" are going to get new LSMs spontaniously. If they don't it's up to
> the "user". Unsophisticated users won't want this, and the others don't
> need it.

Hello, sorry if I missed something simple but I did not understand
what "Automatic inclusions of new LSMs " and "get new LSMs
spontaniously" is about. If I understood the kernel practice
development correctly, when a new LSM will be included, it will have a
dedicated "config SECURITY_MYNEWLSM" which will be default to "n" in
order to respect the "principle of least astonishment". How could such
a new LSM be automatically/spontaneously added to the LSM list?

I understand that this is a tough issue and that the subject might
have been discussed a few years ago, and if that's the case, it would
be nice to have pointers to some clear documentation or past emails
(and it would be very very nice if the kernel documentation was
updated to document the current state of LSM stacking: for example
https://www.kernel.org/doc/html/v5.11/admin-guide/LSM/index.html still
documents the "security=" kernel parameter even though it conflicts
with CONFIG_LSM and can be ignored by the kernel in practise).

Thanks,
Nicolas
Casey Schaufler Feb. 22, 2021, 10:46 p.m. UTC | #5
On 2/22/2021 1:12 PM, Nicolas Iooss wrote:
> On Mon, Feb 22, 2021 at 9:32 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 2/22/2021 10:31 AM, Mickaël Salaün wrote:
>>> On 22/02/2021 17:51, Casey Schaufler wrote:
>>>> On 2/22/2021 7:06 AM, Mickaël Salaün wrote:
>>>>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>>>>
>>>>> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
>>>>> stacking order to kernel developers.  This enable to keep a consistent
>>>>> order of enabled LSM when changing the LSM selection, especially when a
>>>>> new LSM is added to the kernel.
>>>> TL;DR - NAK
>>>>
>>>> Do you think that we might have considered this when stacking was
>>>> introduced?
>>> I didn't dig the detailed history of LSM stacking, but you are in Cc
>>> because I know that you know. I may have though that the main goal of
>>> the current LSM stacking implementation was to enable to stack existing
>>> LSMs, which works well with this CONFIG_LSM list, but doesn't work as
>>> well for new LSMs.
>> It works just fine for new LSMs if you treat them as significant
>> features which may have significant impact on the behavior of the
>> system.
>>
>>>> Did you even consider the implications before sending
>>>> the patch?
>>> Yes, and it doesn't change much the current behavior without user
>>> interaction. However, it gives the choice to users to choose how they
>>> want their configuration to evolve.
>> Automatic inclusions of new LSMs would be counter to existing practice.
>> It won't work for "major" LSMs.
>>
>>
>>>> This only makes any sense if you want to compile in
>>>> AppArmor and/or Smack but always use SELinux. The existing Kconfig
>>>> model handles that perfectly well.
>>> This patch series doesn't change this behavior if the user doesn't want
>>> it to change.
>> Well, there's the question. If a distribution/system uses the new scheme
>> "users" are going to get new LSMs spontaniously. If they don't it's up to
>> the "user". Unsophisticated users won't want this, and the others don't
>> need it.
> Hello, sorry if I missed something simple but I did not understand
> what "Automatic inclusions of new LSMs " and "get new LSMs
> spontaniously" is about. If I understood the kernel practice
> development correctly, when a new LSM will be included, it will have a
> dedicated "config SECURITY_MYNEWLSM" which will be default to "n" in
> order to respect the "principle of least astonishment". How could such
> a new LSM be automatically/spontaneously added to the LSM list?

It wouldn't. But compiling the new LSM mynewlsm doesn't add it to
the list, either. Today no one should expect a LSM to be active if
it hasn't been added to the CONFIG_LSM list. The proposed addition
of CONFIG_LSM_AUTO would change that. "make oldconfig" would add
security modules that are built to the list. This is unnecessary
since whoever changed CONFIG_SECURITY_MYNEWLSM to "y" could easily
have added it to CONFIG_LSM. In the right place.

> I understand that this is a tough issue and that the subject might
> have been discussed a few years ago, and if that's the case, it would
> be nice to have pointers to some clear documentation or past emails
> (and it would be very very nice if the kernel documentation was
> updated to document the current state of LSM stacking:

I'm not going to argue against that.

>  for example
> https://www.kernel.org/doc/html/v5.11/admin-guide/LSM/index.html still
> documents the "security=" kernel parameter even though it conflicts
> with CONFIG_LSM and can be ignored by the kernel in practise).

You can still select one "major" module using security= if you
don't use lsm= to specify a full list. We put real effort into
being backward compatible. 

>
> Thanks,
> Nicolas
>
Nicolas Iooss Feb. 23, 2021, 6:21 a.m. UTC | #6
On Mon, Feb 22, 2021 at 11:46 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
>
> On 2/22/2021 1:12 PM, Nicolas Iooss wrote:
> > On Mon, Feb 22, 2021 at 9:32 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> On 2/22/2021 10:31 AM, Mickaël Salaün wrote:
> >>> On 22/02/2021 17:51, Casey Schaufler wrote:
> >>>> On 2/22/2021 7:06 AM, Mickaël Salaün wrote:
> >>>>> From: Mickaël Salaün <mic@linux.microsoft.com>
> >>>>>
> >>>>> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM
> >>>>> stacking order to kernel developers.  This enable to keep a consistent
> >>>>> order of enabled LSM when changing the LSM selection, especially when a
> >>>>> new LSM is added to the kernel.
> >>>> TL;DR - NAK
> >>>>
> >>>> Do you think that we might have considered this when stacking was
> >>>> introduced?
> >>> I didn't dig the detailed history of LSM stacking, but you are in Cc
> >>> because I know that you know. I may have though that the main goal of
> >>> the current LSM stacking implementation was to enable to stack existing
> >>> LSMs, which works well with this CONFIG_LSM list, but doesn't work as
> >>> well for new LSMs.
> >> It works just fine for new LSMs if you treat them as significant
> >> features which may have significant impact on the behavior of the
> >> system.
> >>
> >>>> Did you even consider the implications before sending
> >>>> the patch?
> >>> Yes, and it doesn't change much the current behavior without user
> >>> interaction. However, it gives the choice to users to choose how they
> >>> want their configuration to evolve.
> >> Automatic inclusions of new LSMs would be counter to existing practice.
> >> It won't work for "major" LSMs.
> >>
> >>
> >>>> This only makes any sense if you want to compile in
> >>>> AppArmor and/or Smack but always use SELinux. The existing Kconfig
> >>>> model handles that perfectly well.
> >>> This patch series doesn't change this behavior if the user doesn't want
> >>> it to change.
> >> Well, there's the question. If a distribution/system uses the new scheme
> >> "users" are going to get new LSMs spontaniously. If they don't it's up to
> >> the "user". Unsophisticated users won't want this, and the others don't
> >> need it.
> > Hello, sorry if I missed something simple but I did not understand
> > what "Automatic inclusions of new LSMs " and "get new LSMs
> > spontaniously" is about. If I understood the kernel practice
> > development correctly, when a new LSM will be included, it will have a
> > dedicated "config SECURITY_MYNEWLSM" which will be default to "n" in
> > order to respect the "principle of least astonishment". How could such
> > a new LSM be automatically/spontaneously added to the LSM list?
>
> It wouldn't. But compiling the new LSM mynewlsm doesn't add it to
> the list, either. Today no one should expect a LSM to be active if
> it hasn't been added to the CONFIG_LSM list. The proposed addition
> of CONFIG_LSM_AUTO would change that. "make oldconfig" would add
> security modules that are built to the list. This is unnecessary
> since whoever changed CONFIG_SECURITY_MYNEWLSM to "y" could easily
> have added it to CONFIG_LSM. In the right place.
>
> > I understand that this is a tough issue and that the subject might
> > have been discussed a few years ago, and if that's the case, it would
> > be nice to have pointers to some clear documentation or past emails
> > (and it would be very very nice if the kernel documentation was
> > updated to document the current state of LSM stacking:
>
> I'm not going to argue against that.
>
> >  for example
> > https://www.kernel.org/doc/html/v5.11/admin-guide/LSM/index.html still
> > documents the "security=" kernel parameter even though it conflicts
> > with CONFIG_LSM and can be ignored by the kernel in practise).
>
> You can still select one "major" module using security= if you
> don't use lsm= to specify a full list. We put real effort into
> being backward compatible.

No, this is not true. If CONFIG_LSM is defined to "lockdown,yama,bpf"
and if the kernel command line contains "security=selinux" without any
"lsm" parameter, then SELinux is not enabled properly.

This broke the configuration of several Arch Linux users (cf.
https://bbs.archlinux.org/viewtopic.php?id=263360 and
https://github.com/archlinuxhardened/selinux/issues/81) and I reported
this on some kernel mailing lists a few days ago
(https://lore.kernel.org/linux-security-module/CAJfZ7=nWJisw2RRW2AvFgpYKQK_PghudeBqiTQXNfedS2idP-Q@mail.gmail.com/).
Your answer to this issue was very clear (and thank you for explaining
this):

« You can't (currently) use SELinux and BPF at the same time. This is
because the infrastructure does not support multiple secid<->secctx
translation hooks. You get the first one in the list. BPF provides all
hooks, so the SELinux hooks aren't reached and the secid to secctx
translation fails in the "bpf,selinux" case. »

Anyway, this means that using "security=..." does not work if
CONFIG_LSM contains the BPF LSM module, so no: you *cannot* select one
major module using security=, when the kernel is compiled with
CONFIG_LSM="lockdown,yama,bpf".

Backward compatibility was broken and Arch Linux users were required
to switch to lsm= in order to use AppArmor, SELinux, etc. (and the
documentation of this distribution got updated:
https://wiki.archlinux.org/index.php/AppArmor,
https://wiki.archlinux.org/index.php/SELinux, etc.).

Nicolas

Patch
diff mbox series

diff --git a/security/Kconfig b/security/Kconfig
index 7561f6f99f1d..fae083e9867d 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -243,6 +243,7 @@  source "security/integrity/Kconfig"
 
 choice
 	prompt "First legacy 'major LSM' to be initialized"
+	depends on SECURITY
 	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
@@ -275,8 +276,26 @@  choice
 
 endchoice
 
+config LSM_AUTO
+	bool "Automatically enable all selected LSMs at boot"
+	depends on SECURITY
+	default y
+	help
+	  This automatically configure the build-time selected LSMs to be
+	  enabled at boot unless the "lsm=" parameter is provided.
+
+	  If this option is not selected, it will be required to configure and
+	  maintained a static list of enabled LSMs that may become inconsistent
+	  with future user configuration.  Indeed, this list will not be
+	  automatically upgraded when selecting a new (future) LSM, e.g. with
+	  make oldconfig.
+
+	  If you are unsure how to answer this question, answer Y.
+
+# This lists should be synchronized with LSM_ORDER defined in security/security.c .
 config LSM
 	string "Ordered list of enabled LSMs"
+	depends on SECURITY && !LSM_AUTO
 	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
 	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
 	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
diff --git a/security/security.c b/security/security.c
index 401663b5b70e..defa1d2c40a3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -82,7 +82,31 @@  static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
 static __initdata const char *chosen_lsm_order;
 static __initdata const char *chosen_major_lsm;
 
-static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
+#ifdef CONFIG_LSM
+#define LSM_ORDER	CONFIG_LSM
+#else
+
+/*
+ * This lists should be synchronized with the default values of CONFIG_LSM
+ * defined in security/Kconfig .
+ */
+#define LSM_ORDER_PRE	"lockdown,yama,loadpin,safesetid,integrity,"
+
+#if defined(CONFIG_DEFAULT_SECURITY_SMACK)
+#define LSM_ORDER	LSM_ORDER_PRE "smack,selinux,tomoyo,apparmor,bpf"
+#elif defined(CONFIG_DEFAULT_SECURITY_APPARMOR)
+#define LSM_ORDER	LSM_ORDER_PRE "apparmor,selinux,smack,tomoyo,bpf"
+#elif defined(CONFIG_DEFAULT_SECURITY_TOMOYO)
+#define LSM_ORDER	LSM_ORDER_PRE "tomoyo,bpf"
+#elif defined(CONFIG_DEFAULT_SECURITY_DAC)
+#define LSM_ORDER	LSM_ORDER_PRE "bpf"
+#else
+#define LSM_ORDER	LSM_ORDER_PRE "selinux,smack,tomoyo,apparmor,bpf"
+#endif
+
+#endif /* CONFIG_LSM */
+
+static __initconst const char * const builtin_lsm_order = LSM_ORDER;
 
 /* Ordered list of LSMs to initialize. */
 static __initdata struct lsm_info **ordered_lsms;