From: Stephen Smalley <sds@tycho.nsa.gov>
To: Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <jmorris@namei.org>,
	James Morris <james.l.morris@oracle.com>,
	LSM <linux-security-module@vger.kernel.org>,
	LKLM <linux-kernel@vger.kernel.org>
Cc: Paul Moore <pmoore@redhat.com>,
	John Johansen <john.johansen@canonical.com>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Eric Paris <eparis@redhat.com>, Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH 0/7 v21] LSM: Multiple concurrent LSMs
Date: Wed, 11 Mar 2015 12:35:26 -0400
Message-ID: <55006ECE.4040403@tycho.nsa.gov>
In-Reply-To: <55006C85.4010202@tycho.nsa.gov>

On 03/11/2015 12:25 PM, Stephen Smalley wrote:
> On 03/09/2015 09:13 PM, Casey Schaufler wrote:
>> Subject: [PATCH 0/7 v21] LSM: Multiple concurrent LSMs
>>
>> Replace the current ad hoc stacking of the capabilities
>> and Yama security modules with a generalized stacking scheme. 
>>
>> The old structure had a single set of module hooks contained
>> in a security_operations structure. This structure was initialized
>> with a set of stubs referred to as the "capabilities" module.
>> In fact only a few of these hooks actually did anything useful.
>> When a module replaced the capabilities module the entries
>> supplied replaced those from the capabilities module. The
>> new hook was expected to call the replaced capability code
>> if "stacking" was desired, which it usually was. Yama stacking
>> is done by ifdefs in the security infrastructure.
>>
>> The new structure provides a list of module hooks for each
>> interface. The non-trivial functions from the capabilities
>> module are added to the list first. If Yama stacking is configured
>> the Yama functions are added next. If a module is specified as
>> the "default" module, or is specified on the command line, it
>> is added next.
>>
>> Functions are called in the order added to the list. The
>> security interfaces stop when a function indicates an access
>> denial. It is possible for a list to be empty. That is treated
>> as a success in most cases.
>>
>> Each security module provides an array of function list entries.
>> This is initialized with the information needed to properly add
>> the entries to the function lists.
>>
>> The sheer size of this patch set is somewhat frightening. This
>> is an artifact of the number of security interfaces involved and
>> except for a few cases the changes are mechanical in nature.
>> Except for the removal of some information specific to the security
>> module infrastructure itself, the change is transparent to the rest
>> of the kernel.
>>
>> This is going to break out-of-tree security modules. It's easy to
>> update a module to the new scheme, and I'd be happy to do it for
>> any module I know about, but if it isn't in the tree, I don't know
>> about it.
>>
>> The stacking of modules that use the security blob pointers
>> cred->security, inode->i_security, etc has not been addressed.
>> That is future work with a delightful set of issues. 
>>
>> This patch set is based on James Morris' security-next tree,
>> which is itself based on Linus' 4.0-rc1. It reflects the 11
>> patches of v20.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> 
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> 
> Passes the selinux-testsuite with SELINUX alone or
> SELINUX+YAMA+YAMA_STACKED.

Hmm..sorry, I missed something.  Rescinding my ACK; comments to follow.
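The calling convention the cover letter above describes (each module appends an entry to a per-interface list, entries run in the order added, an int hook stops at the first denial, an empty list counts as success) can be modelled in a few dozen lines of userland C. The block below is an added illustration for this archive page; it is not code from the kernel, from Casey's patch set or from this thread. The three hooks, their rules, the "capability"/"yama"/"demo" module names and the subject/object strings are all constructed assumptions.

```c
#include <errno.h>
#include <string.h>

/* Constructed userland model of the v21 hook lists (illustration only, not
 * the kernel's code): every module appends an entry to a per-interface
 * list, entries run in the order added, and an int hook stops at the first
 * denial. An empty list counts as success. */
struct hook_entry {
	const char *module;   /* which module supplied this hook */
	int (*fn)(const char *subj, const char *obj);
	struct hook_entry *next;
};

struct hook_list { struct hook_entry *head, *tail; };

/* Append an entry; registration order is evaluation order. */
static void hook_list_add(struct hook_list *l, struct hook_entry *e)
{
	e->next = NULL;
	if (l->tail)
		l->tail->next = e;
	else
		l->head = e;
	l->tail = e;
}

/* The "call int hook" pattern: walk the list and return the first non-zero
 * result, recording which module denied; 0 if the list is empty or every
 * hook agreed. denied_by may be NULL when the caller does not care. */
static int call_int_hook(const struct hook_list *l, const char *subj,
			 const char *obj, const char **denied_by)
{
	const struct hook_entry *e;

	if (denied_by)
		*denied_by = NULL;
	for (e = l->head; e; e = e->next) {
		int rc = e->fn(subj, obj);
		if (rc) {
			if (denied_by)
				*denied_by = e->module;
			return rc;
		}
	}
	return 0;
}

/* Three constructed hooks standing in for the capability, Yama and
 * "default" module entries of one hypothetical access interface. */
static int cap_hook(const char *subj, const char *obj)
{	/* only "root" may act on the "kernel" object */
	return (!strcmp(obj, "kernel") && strcmp(subj, "root")) ? -EPERM : 0;
}

static int yama_hook(const char *subj, const char *obj)
{	/* scope rule: non-root subjects may only act on themselves */
	return (strcmp(subj, obj) && strcmp(subj, "root")) ? -EPERM : 0;
}

static int demo_hook(const char *subj, const char *obj)
{	/* label rule: the "secret" object is unreachable via this interface */
	(void)subj;
	return !strcmp(obj, "secret") ? -EACCES : 0;
}

/* Build the stack in the cover letter's order (capability, then Yama if
 * configured, then the default module) and run one check. *denied_by
 * names the module that stopped the walk, or is NULL on success. */
static int check_access(const char *subj, const char *obj, int with_yama,
			const char **denied_by)
{
	struct hook_entry e[3] = {
		{ "capability", cap_hook,  NULL },
		{ "yama",       yama_hook, NULL },
		{ "demo",       demo_hook, NULL },
	};
	struct hook_list l = { NULL, NULL };

	hook_list_add(&l, &e[0]);
	if (with_yama)
		hook_list_add(&l, &e[1]);
	hook_list_add(&l, &e[2]);
	return call_int_hook(&l, subj, obj, denied_by);
}

/* Name of the denying module, or "" if access was granted. */
static const char *denier(const char *subj, const char *obj, int with_yama)
{
	const char *who;

	check_access(subj, obj, with_yama, &who);
	return who ? who : "";
}

/* An interface no module registered for: the empty list succeeds. */
static int check_empty(void)
{
	struct hook_list l = { NULL, NULL };

	return call_int_hook(&l, "alice", "bob", NULL);
}
```

Two consequences of the ordering are visible when running it: with Yama stacked, `check_access("alice", "secret", 1, ...)` is stopped by the "yama" entry and the "demo" hook never sees the request, while the same call without Yama is refused by "demo" with a different errno; and `check_empty()` returns 0, which is the "empty list is success" rule from the cover letter.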

