From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Kees Cook <kees@kernel.org>,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>
Cc: LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
linux-audit@redhat.com, Mimi Zohar <zohar@linux.ibm.com>,
keescook@chromium.org, SElinux list <selinux@vger.kernel.org>,
casey@schaufler-ca.com
Subject: Re: LSM stacking in next for 6.1?
Date: Mon, 31 Oct 2022 08:47:49 -0700 [thread overview]
Message-ID: <0d12ed29-ec1d-027a-5a87-f8a6687a04fe@schaufler-ca.com> (raw)
In-Reply-To: <feaa5cbc-342e-3863-e761-e7ac8b08d314@I-love.SAKURA.ne.jp>
On 10/31/2022 3:26 AM, Tetsuo Handa wrote:
> On 2022/10/31 1:37, Kees Cook wrote:
>>> You have only three choices:
>>>
>>> (1) allow assigning LSM ID integer value to all LSM modules (regardless of
>>> whether that module was merged into upstream kernel)
>> We are not hardware manufacturers.
>>
> Excuse me? We are not talking about whether we are hardware manufacturers.
> We are talking about the policy for assigning identifier.
>
> I don't like how LSM IDs are assigned, for Casey said
>
> >> If the upstream kernel assigns an LSM id for all LSM modules including out-of-tree
> >> and/or private LSM modules (that's why I described that the upstream kernel behaves
> >> as if a DNS registerer), we can assign LSM id = 100 to "belllapadula" from A and
> >> LSM id = 101 to "belllapadula" from B, and both "belllapadula" modules can work
> >> without conflicts by using LSM id. Of course, this implies that we need to preserve
> >> unused space in lsm_idlist[LSMID_ENTRIES] etc. for such LSM modules (if we use
> >> fixed-sized array rather than a linked list).
> >
> > Of course the upstream kernel isn't going to have LSM IDs for out-of-tree
> > security modules. That's one of many reasons loadable modules are going to
> > have to be treated differently from built-in modules, if they're allowed
> > at all.
>
> at https://lkml.kernel.org/r/7263e155-9024-0508-370c-72692901b326@schaufler-ca.com and
> Paul confirmed
>
> >> Currently anyone can start writing new LSM modules using name as identifier. But
> >> you are trying to forbid using name as identifier, and trying to force using integer
> >> as identifier, but that integer will not be provided unless new LSM modules get
> >> upstream.
> >
> > That is correct. In order to have a LSM identifier token the LSM must
> > be upstream.
>
> at https://lkml.kernel.org/r/CAHC9VhT2Azg1F-G3RQ4xL7JgA3OAtHafzS1_nvUyEUFsCJ9+SA@mail.gmail.com .
>
> If we can agree that the upstream kernel never refuse to assign LSM IDs to whatever
> LSM modules, I'm OK that we introduce LSM ID integer value itself.
>
>
>
> My next concern is that we are trying to use fixed sized capacity as LSMID_ENTRIES,
> commented
>
> On 2022/10/13 19:04, Tetsuo Handa wrote:
> > On 2022/09/28 4:53, Casey Schaufler wrote:
> >> + if (lsm_id > LSMID_ENTRIES)
> >> + panic("%s Too many LSMs registered.\n", __func__);
> >
> > I'm not happy with LSMID_ENTRIES. This is a way towards forever forbidding LKM-based LSMs.
>
> at https://lkml.kernel.org/r/9907d724-4668-cd50-7454-1a8ca86542b0@I-love.SAKURA.ne.jp , for
>
> struct lsm_id *lsm_idlist[LSMID_ENTRIES] __lsm_ro_after_init;
>
> may cause out-of-tree LSM modules to fail to use the slot.
>
> It is a strange hack that users have to enable in-tree LSM modules or rewrite the
> definition of LSMID_ENTRIES in order to use out-of-tree (either built-in or loadable)
> LSM modules, for LSMID_ENTRIES is defined based on only in-tree LSM modules.
>
> #define LSMID_ENTRIES ( \
> 1 + /* capabilities */ \
> (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
> (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
>
> Although built-in out-of-tree LSM modules would be able to rewrite LSMID_ENTRIES definition
> because users will rebuild the whole kernel, loadable out-of-tree LSM modules would not be
> able to rewrite LSMID_ENTRIES definition because users will not rebuild the whole kernel.
> It is still effectively a lock out for loadable out-of-tree LSM modules even if the problem
> of assigning LSM ID integer value is solved.
Propose an implementation of security module loading. If LSMID_ENTRIES is a problem
I will help you resolve the issue. My bet is that there will be an easy solution. It
may be as simple as adding (IS_ENABLED(CONFIG_SECURITY_LOADABLE) ? 1 : 0) + \ to the
code referenced above. But I can't say until I see how you're going to address all
of the real issues.
next prev parent reply other threads:[~2022-10-31 15:48 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com>
2022-08-03 0:01 ` LSM stacking in next for 6.1? Casey Schaufler
2022-08-03 0:56 ` Paul Moore
2022-08-03 1:56 ` John Johansen
2022-08-03 2:15 ` Casey Schaufler
2022-08-03 2:33 ` Paul Moore
2022-08-03 2:34 ` Steve Grubb
2022-08-03 2:40 ` Paul Moore
2022-09-02 21:30 ` Paul Moore
2022-09-02 23:14 ` Casey Schaufler
2022-09-02 23:57 ` Casey Schaufler
2022-09-06 23:24 ` Paul Moore
2022-09-07 0:10 ` John Johansen
2022-09-07 0:39 ` Casey Schaufler
2022-09-07 0:50 ` John Johansen
2022-09-07 14:41 ` Paul Moore
2022-09-07 16:41 ` Casey Schaufler
2022-09-07 17:23 ` John Johansen
2022-09-07 22:57 ` Paul Moore
2022-09-07 23:27 ` Paul Moore
2022-09-07 23:53 ` Casey Schaufler
2022-09-08 0:19 ` John Johansen
2022-09-08 3:57 ` Paul Moore
2022-09-08 18:05 ` Casey Schaufler
2022-09-08 18:35 ` John Johansen
2022-09-08 19:32 ` Paul Moore
2022-09-08 22:56 ` Casey Schaufler
2022-09-10 4:17 ` Tetsuo Handa
2022-09-12 17:37 ` Casey Schaufler
2022-09-13 10:47 ` Tetsuo Handa
2022-09-13 14:45 ` Casey Schaufler
2022-09-14 13:57 ` Tetsuo Handa
2022-09-14 15:50 ` Casey Schaufler
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:54 ` John Johansen
2022-09-15 7:45 ` John Johansen
2022-09-15 14:27 ` Tetsuo Handa
2022-10-25 9:48 ` Tetsuo Handa
2022-10-25 10:26 ` John Johansen
2022-10-25 11:20 ` Tetsuo Handa
2022-10-25 14:12 ` Casey Schaufler
2022-10-25 22:12 ` Tetsuo Handa
2022-10-25 22:41 ` Casey Schaufler
2022-10-26 10:19 ` Tetsuo Handa
2022-10-26 15:30 ` Casey Schaufler
2022-10-28 10:14 ` John Johansen
2022-10-30 4:03 ` Tetsuo Handa
2022-10-30 7:23 ` John Johansen
2022-10-30 14:02 ` Tetsuo Handa
2022-10-30 16:37 ` Kees Cook
2022-10-30 20:56 ` Casey Schaufler
2022-10-31 10:26 ` Tetsuo Handa
2022-10-31 15:47 ` Casey Schaufler [this message]
2022-10-26 20:11 ` Paul Moore
2022-10-27 0:02 ` Tetsuo Handa
2022-10-28 9:50 ` Paul Moore
2022-10-28 13:58 ` Tetsuo Handa
2022-10-28 17:40 ` Kees Cook
2022-10-29 9:33 ` Tetsuo Handa
2022-09-14 13:42 ` Paul Moore
2022-09-27 20:54 ` Casey Schaufler
2022-09-27 22:37 ` Paul Moore
2022-09-07 0:31 ` Casey Schaufler
2022-09-07 15:13 ` Paul Moore
2022-09-07 17:08 ` Casey Schaufler
2022-09-07 23:04 ` Paul Moore
2022-09-07 23:26 ` Casey Schaufler
2022-09-08 15:18 ` Tetsuo Handa
2022-09-08 16:00 ` Casey Schaufler
2022-09-08 18:52 ` Paul Moore
2022-09-09 11:32 ` Tetsuo Handa
2022-09-14 13:56 ` Paul Moore
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 15:50 ` Casey Schaufler
2022-09-16 13:34 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0d12ed29-ec1d-027a-5a87-f8a6687a04fe@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kees@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).