Re: [PATCH 14/14] Activate the configuration and build of the TSEM LSM.

["Dr. Greg" <greg@enjellic.com>]

On Wed, Feb 08, 2023 at 02:15:26PM -0800, Casey Schaufler wrote:
> On 2/3/2023 9:09 PM, Dr. Greg wrote:
> > Complete the implementation by integrating the LSM into the
> > configuration and kernel build infrastructure.
> >
> > Signed-off-by: Greg Wettstein <greg@enjellic.com>
> > ---
> >  security/Kconfig       | 11 ++++++-----
> >  security/Makefile      |  1 +
> >  security/tsem/Kconfig  | 22 ++++++++++++++++++++++
> >  security/tsem/Makefile |  2 ++
> >  4 files changed, 31 insertions(+), 5 deletions(-)
> >  create mode 100644 security/tsem/Kconfig
> >  create mode 100644 security/tsem/Makefile
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index e6db09a779b7..98c538ad6790 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -207,6 +207,7 @@ source "security/yama/Kconfig"
> >  source "security/safesetid/Kconfig"
> >  source "security/lockdown/Kconfig"
> >  source "security/landlock/Kconfig"
> > +source "security/tsem/Kconfig"
> >  
> >  source "security/integrity/Kconfig"
> >  
> > @@ -246,11 +247,11 @@ endchoice
> >  
> >  config LSM
> >  	string "Ordered list of enabled LSMs"
> > -	default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> > -	default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> > -	default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> > -	default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
> > -	default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
> > +	default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selin
ux,tomoyo,apparmor,bpf,tsem" 

Hi Casey, thanks for the note, I hope your week is going well.

> Better check with the BPF team to see if they're OK with TSEM
> following BPF in loading order.

We can do that, however, as we noted in the documentation, TSEM, being
the first LSM to be based on a narratival security logic philosophy,
should be largely ambivalent with respect to its stacking order.

We would thus, happily, entertain suggestions from the community as to
where it would like us to stand in line.

As an example, without going off into the weeds, since TSEM is a
generic security modeling architecture, it can implement any integrity
policies, including validation of extended security attributes.
Placing it first in line would allow a security workload architect to
reject any modifications to expected MAC security labels as an invalid
security model state point before the event got to the deontological
handlers.

However, being the new kid on the block, we would never presume to be
first or last, given that they may be coveted positions.

So we will remain open to suggestions for the second spin of the
patches.

Have a good afternoon.

As always,
Dr. Greg

The Quixote Project - Flailing at the Travails of Cybersecurity