From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Casey Schaufler <casey@schaufler-ca.com>,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>
Cc: LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
linux-audit@redhat.com, Mimi Zohar <zohar@linux.ibm.com>,
keescook@chromium.org, SElinux list <selinux@vger.kernel.org>
Subject: Re: LSM stacking in next for 6.1?
Date: Wed, 26 Oct 2022 07:12:47 +0900 [thread overview]
Message-ID: <98ab33d6-6c91-9c0a-8647-22f6bdede885@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <11564f69-3bba-abf7-eb46-06813ff4a404@schaufler-ca.com>
On 2022/10/25 23:12, Casey Schaufler wrote:
> On 10/25/2022 4:20 AM, Tetsuo Handa wrote:
>> On 2022/10/25 19:26, John Johansen wrote:
>>> no, Casey is not. He is trying to find a path forward to get LSM
>>> stacking upstream sooner than later. He has made proposals that
>>> admittedly you have not liked, but he has at least tried to propose
>>> ideas that could work within the insane set of constraints.
>> I'm OK with getting LSM stacking upstream. But changes made based on
>> only built-in modules are bad. If LSM id cannot be assigned to loadable
>> LSM modules at runtime because not all loadable LSM modules will be
>> in-tree in order to get an LSM id assigned, loadable LSM modules won't
>> be able to utilize e.g. lsm_module_list system call (or whatever
>> changes made while trying to unshare resources/interfaces currently
>> shared among SELinux/Smack/AppArmor).
>>
>> It will be a complete reinvention of Linux security framework which is
>> merely borrowing hooks provided by LSM. That is no different from
>> duplicating existing LSM hooks and managing via completely different
>> set of interfaces (e.g. /proc/$pid/attr2/$lsmname/$filename ,
>> /sys/kernel/security2/$lsmname/$filename ). Such implementation is
>> no longer loadable LSM. It is LSM version 2. And I don't think that
>> such implementation will be accepted unless you agree to kill current
>> LSM (say, LSM version 1).
>
> The counter argument to this statement is that BPF has been accepted
> upstream. eBPF programs are different from built-in security modules.
> There is no reason that a well implemented LSM that accepts loadable
> modules *that are different* from built-in modules couldn't be created.
> I seriously doubt that it would get upstream for all the reasons
> usually cited. But there is nothing about the implementation I've proposed
> that would prevent it.
>
As an easy example, please show me an eBPF program that allows restricting where
to chroot to and allows configuring where to chroot to using /sys/kernel/security/
interface.
An loadable LSM consists of hooks (for filtering access requests) and interface
(for configuring rules whether to filter access requests).
Your LSM id approach makes it impossible to use interface (due to lack of LSM id
for loadable LSM modules) by loadable LSM modules. LSM id must not be limited to
built-in LSM modules.
next prev parent reply other threads:[~2022-10-25 22:12 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com>
2022-08-03 0:01 ` LSM stacking in next for 6.1? Casey Schaufler
2022-08-03 0:56 ` Paul Moore
2022-08-03 1:56 ` John Johansen
2022-08-03 2:15 ` Casey Schaufler
2022-08-03 2:33 ` Paul Moore
2022-08-03 2:34 ` Steve Grubb
2022-08-03 2:40 ` Paul Moore
2022-09-02 21:30 ` Paul Moore
2022-09-02 23:14 ` Casey Schaufler
2022-09-02 23:57 ` Casey Schaufler
2022-09-06 23:24 ` Paul Moore
2022-09-07 0:10 ` John Johansen
2022-09-07 0:39 ` Casey Schaufler
2022-09-07 0:50 ` John Johansen
2022-09-07 14:41 ` Paul Moore
2022-09-07 16:41 ` Casey Schaufler
2022-09-07 17:23 ` John Johansen
2022-09-07 22:57 ` Paul Moore
2022-09-07 23:27 ` Paul Moore
2022-09-07 23:53 ` Casey Schaufler
2022-09-08 0:19 ` John Johansen
2022-09-08 3:57 ` Paul Moore
2022-09-08 18:05 ` Casey Schaufler
2022-09-08 18:35 ` John Johansen
2022-09-08 19:32 ` Paul Moore
2022-09-08 22:56 ` Casey Schaufler
2022-09-10 4:17 ` Tetsuo Handa
2022-09-12 17:37 ` Casey Schaufler
2022-09-13 10:47 ` Tetsuo Handa
2022-09-13 14:45 ` Casey Schaufler
2022-09-14 13:57 ` Tetsuo Handa
2022-09-14 15:50 ` Casey Schaufler
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:54 ` John Johansen
2022-09-15 7:45 ` John Johansen
2022-09-15 14:27 ` Tetsuo Handa
2022-10-25 9:48 ` Tetsuo Handa
2022-10-25 10:26 ` John Johansen
2022-10-25 11:20 ` Tetsuo Handa
2022-10-25 14:12 ` Casey Schaufler
2022-10-25 22:12 ` Tetsuo Handa [this message]
2022-10-25 22:41 ` Casey Schaufler
2022-10-26 10:19 ` Tetsuo Handa
2022-10-26 15:30 ` Casey Schaufler
2022-10-28 10:14 ` John Johansen
2022-10-30 4:03 ` Tetsuo Handa
2022-10-30 7:23 ` John Johansen
2022-10-30 14:02 ` Tetsuo Handa
2022-10-30 16:37 ` Kees Cook
2022-10-30 20:56 ` Casey Schaufler
2022-10-31 10:26 ` Tetsuo Handa
2022-10-31 15:47 ` Casey Schaufler
2022-10-26 20:11 ` Paul Moore
2022-10-27 0:02 ` Tetsuo Handa
2022-10-28 9:50 ` Paul Moore
2022-10-28 13:58 ` Tetsuo Handa
2022-10-28 17:40 ` Kees Cook
2022-10-29 9:33 ` Tetsuo Handa
2022-09-14 13:42 ` Paul Moore
2022-09-27 20:54 ` Casey Schaufler
2022-09-27 22:37 ` Paul Moore
2022-09-07 0:31 ` Casey Schaufler
2022-09-07 15:13 ` Paul Moore
2022-09-07 17:08 ` Casey Schaufler
2022-09-07 23:04 ` Paul Moore
2022-09-07 23:26 ` Casey Schaufler
2022-09-08 15:18 ` Tetsuo Handa
2022-09-08 16:00 ` Casey Schaufler
2022-09-08 18:52 ` Paul Moore
2022-09-09 11:32 ` Tetsuo Handa
2022-09-14 13:56 ` Paul Moore
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 15:50 ` Casey Schaufler
2022-09-16 13:34 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98ab33d6-6c91-9c0a-8647-22f6bdede885@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).