From: Kees Cook <keescook@chromium.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
paul@paul-moore.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, john.johansen@canonical.com,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, mic@digikod.net,
Dave Chinner <david@fromorbit.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>
Subject: Re: [PATCH v15 01/11] LSM: Identify modules by more than name
Date: Sat, 23 Sep 2023 18:58:04 -0700 [thread overview]
Message-ID: <202309231838.CB16E6B5@keescook> (raw)
In-Reply-To: <af696700-ae4b-346e-4c52-3a7a21b0f46c@I-love.SAKURA.ne.jp>
On Sat, Sep 23, 2023 at 01:46:35PM +0900, Tetsuo Handa wrote:
> On 2023/09/21 0:08, Kees Cook wrote:
> > I feel like you are willfully not listening to us when we say that this
> > doesn't block out of tree LSMs. Again, there is nothing here that stops
> > it. To prove this point, here is an out of tree LSM that works with this
> > series. So let's move from theoretical to practical: given this example,
> > why do you think out of tree LSMs are blocked?
>
> Because an LSM ID value
But my example includes one.
> > diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> > index eeda59a77c02..23b7a8f79cef 100644
> > --- a/include/uapi/linux/lsm.h
> > +++ b/include/uapi/linux/lsm.h
> > @@ -63,6 +63,8 @@ struct lsm_ctx {
> > #define LSM_ID_BPF 110
> > #define LSM_ID_LANDLOCK 111
> >
> > +#define LSM_ID_GOAT 1138
> > +
> > /*
> > * LSM_ATTR_XXX definitions identify different LSM attributes
> > * which are used in the kernel's LSM userspace API. Support
>
> is assigned to LSM only when that LSM became no longer out of tree.
Why? My example code will work just fine. The only possible reason
it could be awkward would be if an out of tree LSM became so useful
that the author decided to upstream it, and risked colliding with an
existing LSM id. But lsm_id::id is a u64 (not an enum!), so there is
a HUGE space available. If out of tree LSMs used the epoch time they
were first authored as their id, the chances of a collision would be
approaching zero. There isn't an out of tree LSM written every second,
but if there were, it would take 584 billion years to run out of LSM ids.
And, as mentioned several times before, this is _not a new problem_, and
exists for out of tree syscalls, out of tree prctls, etc. I even DID
this for the Yama LSM when it looked like it wasn't going to get
upstream in the early days. Its prctl number _is not sequential_:
include/uapi/linux/prctl.h:#define PR_SET_PTRACER 0x59616d61
(And you'll see 0x59616d61 in ASCII is "Yama"; my effort to avoid
collision.)
So, there is both ability (u64) and precedent (Yama) for this. Having an
LSM id is _not_ a blocker for out of tree LSMs, and I've given the proof.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-09-24 1:58 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230912205658.3432-1-casey.ref@schaufler-ca.com>
2023-09-12 20:56 ` [PATCH v15 00/11] LSM: Three basic syscalls Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 01/11] LSM: Identify modules by more than name Casey Schaufler
2023-09-15 11:32 ` Tetsuo Handa
2023-09-15 17:53 ` Casey Schaufler
2023-09-16 6:32 ` Tetsuo Handa
2023-09-17 16:38 ` Casey Schaufler
2023-09-20 10:20 ` Tetsuo Handa
2023-09-20 15:08 ` Kees Cook
2023-09-23 4:46 ` Tetsuo Handa
2023-09-24 1:58 ` Kees Cook [this message]
2023-09-24 11:06 ` Tetsuo Handa
2023-09-24 19:48 ` Kees Cook
2023-10-05 12:58 ` Tetsuo Handa
2023-10-20 19:52 ` Casey Schaufler
2023-10-21 12:20 ` Tetsuo Handa
2023-10-21 14:11 ` Casey Schaufler
2023-10-29 10:57 ` Tetsuo Handa
2023-10-29 18:00 ` Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 02/11] LSM: Maintain a table of LSM attribute data Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 03/11] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 04/11] LSM: syscalls for current process attributes Casey Schaufler
2023-10-03 14:09 ` Mickaël Salaün
2023-10-06 1:04 ` Paul Moore
2023-10-09 15:36 ` Mickaël Salaün
2023-10-09 16:04 ` Paul Moore
2023-10-10 9:14 ` Mickaël Salaün
2023-10-10 13:10 ` Paul Moore
2023-09-12 20:56 ` [PATCH v15 05/11] LSM: Create lsm_list_modules system call Casey Schaufler
2023-10-03 14:27 ` Mickaël Salaün
2024-03-12 10:16 ` Dmitry V. Levin
2024-03-12 13:25 ` Paul Moore
2024-03-12 15:27 ` Casey Schaufler
2024-03-12 17:06 ` Paul Moore
2024-03-12 17:44 ` Casey Schaufler
2024-03-12 18:09 ` Paul Moore
2024-03-12 18:28 ` Dmitry V. Levin
2024-03-12 21:50 ` Kees Cook
2024-03-12 22:06 ` Casey Schaufler
2024-03-12 22:06 ` Paul Moore
2024-03-12 22:17 ` Casey Schaufler
2024-03-12 23:17 ` Paul Moore
2023-09-12 20:56 ` [PATCH v15 06/11] LSM: wireup Linux Security Module syscalls Casey Schaufler
2023-10-03 14:27 ` Mickaël Salaün
2023-09-12 20:56 ` [PATCH v15 07/11] LSM: Helpers for attribute names and filling lsm_ctx Casey Schaufler
2023-10-03 14:28 ` Mickaël Salaün
2023-09-12 20:56 ` [PATCH v15 08/11] Smack: implement setselfattr and getselfattr hooks Casey Schaufler
2023-10-03 14:28 ` Mickaël Salaün
2023-10-20 19:40 ` Casey Schaufler
2023-10-20 19:42 ` Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 09/11] AppArmor: Add selfattr hooks Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 10/11] SELinux: " Casey Schaufler
2023-09-12 20:56 ` [PATCH v15 11/11] LSM: selftests for Linux Security Module syscalls Casey Schaufler
2023-10-03 14:28 ` Mickaël Salaün
2023-10-12 22:07 ` [PATCH v15 00/11] LSM: Three basic syscalls Paul Moore
2023-10-13 21:55 ` Paul Moore
2023-10-16 12:04 ` Roberto Sassu
2023-10-16 15:06 ` Paul Moore
2023-10-17 7:01 ` Roberto Sassu
2023-10-17 15:58 ` Paul Moore
2023-10-17 16:07 ` Roberto Sassu
2023-10-18 9:31 ` Roberto Sassu
2023-10-18 13:09 ` Mimi Zohar
2023-10-18 14:14 ` Roberto Sassu
2023-10-18 16:35 ` Paul Moore
2023-10-18 20:10 ` Mimi Zohar
2023-10-18 20:40 ` Paul Moore
2023-10-19 7:45 ` Roberto Sassu
2023-10-20 16:36 ` Casey Schaufler
2023-10-19 8:49 ` Roberto Sassu
2023-11-13 4:03 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202309231838.CB16E6B5@keescook \
--to=keescook@chromium.org \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=david@fromorbit.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).