From: Kees Cook <keescook@chromium.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Kees Cook <kees@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
KP Singh <kpsingh@kernel.org>, Paul Moore <paul@paul-moore.com>,
bpf <bpf@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC PATCH 1/2] LSM: Allow dynamically appendable LSM modules.
Date: Mon, 2 Oct 2023 10:05:57 -0700 [thread overview]
Message-ID: <202310021000.B494D0DD@keescook> (raw)
In-Reply-To: <51d6c605-25cc-71fc-9c11-707b78297b38@I-love.SAKURA.ne.jp>
On Mon, Oct 02, 2023 at 07:04:27PM +0900, Tetsuo Handa wrote:
> On 2023/10/02 0:44, Kees Cook wrote:
> > On October 1, 2023 4:31:05 AM PDT, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> >> Kees Cook said there is no problem if the policy of assigning LSM ID value were
> >>
> >> 1) author: "Hello, here is a new LSM I'd like to upstream, here it is. I assigned
> >> it the next LSM ID."
> >> maintainer(s): "Okay, sounds good. *review*"
> >>
> >> 2) author: "Hello, here is an LSM that has been in active use at $Place,
> >> and we have $Xxx many userspace applications that we cannot easily
> >> rebuild. We used LSM ID $Value that is far away from the sequential
> >> list of LSM IDs, and we'd really prefer to keep that assignment."
> >> maintainer(s): "Okay, sounds good. *review*"
> >>
> >> and I agreed at https://lkml.kernel.org/r/6e1c25f5-b78c-8b4e-ddc3-484129c4c0ec@I-love.SAKURA.ne.jp .
> >>
> >> But Paul Moore's response was
> >>
> >> No LSM ID value is guaranteed until it is present in a tagged release
> >> from Linus' tree, and once a LSM ID is present in a tagged release
> >> from Linus' tree it should not change. That's *the* policy.
> >>
> >> which means that the policy is not what Kees Cook has said.
> >
> > These don't conflict at all! Paul is saying an ID isn't guaranteed in upstream
> > until it's in upstream. I'm saying the id space is large enough that you could
> > make a new out of tree LSM every second for the next billion years. The upstream
> > assignment process is likely sequential, but that out of sequence LSMs that show
> > a need to be upstream could make a case for their existing value.
>
> Excuse me? If the LSM community wants the assignment sequential, the LSM community
> cannot admit the LSM value assigned to a not-yet-in-tree LSM.
>
> If "Okay, sounds good." does not imply that the LSM community admits the LSM value
> assigned to a not-yet-in-tree LSM, what did "Okay, sounds good." mean?
I'm saying that if someone participates with upstream correctly, they'll
get a sequential ID since that is the expected process.
And if an LSM is out of tree for years and years in some large ecosystem
that has deeply hard-coded the LSM ID but now wants the LSM to land
upstream, then it's likely that an out-of-sequence ID would be accepted.
My point is that there is nothing technical stopping an out-of-tree LSM
from existing, and that the political issues for bringing a large
out-of-tree LSM upstream are going to have plenty of other negotiations
around maintaining operational behavior, of which and LSM ID is unlikely
to be a sticking point. Every release that some code (LSM or not) is out
of tree makes it that much harder to land upstream. (In other words, the
challenges to upstreaming a long-time-out-of-tree codebase are much
larger than dealing with an out-of-sequence LSM ID.)
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-10-02 17:06 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-27 15:08 [RFC PATCH 1/2] LSM: Allow dynamically appendable LSM modules Tetsuo Handa
2023-09-27 15:09 ` [RFC PATCH 2/2] LSM: A sample of dynamically appendable LSM module Tetsuo Handa
2023-09-27 16:05 ` Song Liu
2023-09-27 15:33 ` [RFC PATCH 1/2] LSM: Allow dynamically appendable LSM modules Greg KH
2023-09-27 16:02 ` KP Singh
2023-10-01 11:08 ` Tetsuo Handa
2023-10-01 14:43 ` KP Singh
2023-10-03 14:27 ` Tetsuo Handa
2023-10-03 15:09 ` KP Singh
2023-10-21 14:19 ` Tetsuo Handa
2023-10-21 15:20 ` KP Singh
2023-10-22 13:34 ` Tetsuo Handa
2023-10-03 23:27 ` Paul Moore
2023-10-03 23:41 ` KP Singh
2023-10-05 9:47 ` José Bollo
2023-10-05 13:59 ` Tetsuo Handa
2023-10-05 14:12 ` KP Singh
2023-09-27 16:37 ` Casey Schaufler
2023-10-01 11:31 ` Tetsuo Handa
2023-10-01 15:19 ` Casey Schaufler
2023-10-04 10:40 ` Tetsuo Handa
2023-10-04 10:48 ` Tetsuo Handa
2023-10-20 20:40 ` Casey Schaufler
2023-10-21 12:21 ` Tetsuo Handa
2023-10-01 15:44 ` Kees Cook
2023-10-02 10:04 ` Tetsuo Handa
2023-10-02 17:05 ` Kees Cook [this message]
2023-10-03 23:39 ` Paul Moore
2023-10-05 10:48 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202310021000.B494D0DD@keescook \
--to=keescook@chromium.org \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=kees@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox