From: Greg KH <gregkh@linuxfoundation.org>
To: "Dr. Greg" <greg@enjellic.com>
Cc: linux-security-module@vger.kernel.org, paul@paul-moore.com
Subject: Re: [PATCH 08/14] Implement TSEM control plane.
Date: Thu, 16 Feb 2023 07:53:28 +0100
Message-ID: <Y+3S6COr4U86wi8A@kroah.com>
In-Reply-To: <20230212065439.GA5189@wind.enjellic.com>

On Sun, Feb 12, 2023 at 12:54:40AM -0600, Dr. Greg wrote:
> On Sat, Feb 11, 2023 at 11:59:19AM +0100, Greg KH wrote:
> 
> Looping in Paul Moore in order to get his thoughts.
> 
> > On Fri, Feb 10, 2023 at 06:18:06PM -0600, Dr. Greg wrote:
> > > On Thu, Feb 09, 2023 at 12:30:51PM +0100, Greg KH wrote:
> > > 
> > > Good afternoon Greg, thanks for taking the time to review the patches
> > > and pass along comments.
> > > 
> > > > On Fri, Feb 03, 2023 at 11:09:48PM -0600, Dr. Greg wrote:
> > > > > The fs.c file contains the implementation of the TSEM control
> > > > > plane that is in the form of a pseudo-filesystem mounted on the
> > > > > following directory:
> > > > > 
> > > > > /sys/fs/tsem
> > > 
> > > > Why are you using sysfs to mount this?
> 
> > > We followed the lead of the SMACK and SELinux LSMs, both of which
> > > create the mount points for their control plane filesystems in
> > > /sys/fs.
> > > 
> > > In addition, as a filesystem, we chose to have tsemfs closely follow
> > > their design for continuity across the LSMs.  So they share similar
> > > functionality and design, modulo of course, the event description and
> > > trajectory export files that we will chat about below.
> > > 
> > > We can't use securityfs, secondary to the fact that it doesn't
> > > implement pollable files, which are a requirement for trust
> > > orchestrators based on external Trusted Modeling Agents.
> 
> > Why not fix securityfs to provide pollable files?  Other than that,
> > why can't you just use securityfs?
> 
> Now that we have had some additional bandwidth to look at issues after
> the first round release, it may be more straightforward to implement
> the pollable files in securityfs than we thought.  We will take
> another run at this and see what is possible without having to meddle
> with the internals of securityfs proper.

It's ok to mess around with securityfs to get it to work properly for
your use case, there's no reason to create a whole new filesystem just
because of one missing functionality.

> As the diffstat for the patch series indicates, we spent considerable
> time working to implement TSEM without touching anything outside its
> implementation directory.  I think this is something that anyone who
> has tried to upstream functionality into the mainline kernel would
> understand the merit of.

No, that's not how kernel development works, it's ok to touch other
portions when needed, otherwise you duplicate lots of extra code and
functionality as you are doing here.  Please do not do that.

> > You are creating a new structure-type-api here, why not use an
> > already-designed protocol instead like varlink if you need userspace
> > to parse events in an atomic way?  Or heck even json would be better
> > as there are universal userspace tools for that today.
> 
> As an industry, we are in the middle of a software supply chain
> security crisis.

That has nothing to do with the kernel, sorry.

> In a trust orchestrated architecture, the trust
> orchestrators, and their Sancho TMA implementations, are the most
> security critical components on the system.  Our objective is to keep
> the supply chain footprint for Quixote as small as possible.
> 
> To that point:
> 
> size /usr/local/lib/libyajl.so.2.1.1:
>    text    data     bss     dec     hex filename
>   33333     784      16   34133    8555 /usr/local/lib/libyajl.so.2.1.1
> 
> size /u/usr/sources/quixote-1.4/SecurityModel/EventParser.o
>    text    data     bss     dec     hex filename
>    2520       0       0    2520     9d8 /u/usr/sources/quixote-1.4/SecurityModel/EventParser.o
> 
> If we were to use JSON, we would use yajl, it is probably as light as
> anything out there.  Given that, on face value, this would represent
> over an order of magnitude increase in code size to achieve the same
> objective, plus add an external dependency.

So you require people to trust your custom parser and format just
because you don't want to rely on a trusted tool that the whole world
depends on?

Again, not a valid argument, sorry, please use common parsing tools
otherwise you are guaranteed to make mistakes and everyone will have to
rely on your custom tools only, which is not something that you would
accept from any other kernel change.

And I don't see a link to the userspace tools anywhere, did I miss it?

thanks,

greg k-h
