linux-security-module.vger.kernel.org archive mirror
From: Paul Moore <paul@paul-moore.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>, KP Singh <kpsingh@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	song@kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
	Alexei Starovoitov <ast@kernel.org>,
	renauld@google.com, Paolo Abeni <pabeni@redhat.com>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC PATCH v2 0/4] LSM: Officially support appending LSM hooks after boot.
Date: Tue, 21 Nov 2023 23:41:16 -0500	[thread overview]
Message-ID: <CAHC9VhRy_sZNSRHMJoULFX2vb=opj1s2hEffaVNJyaHycWF+=w@mail.gmail.com> (raw)
In-Reply-To: <7b9e471a-a9df-4ff6-89bf-0fed01fcd5e7@I-love.SAKURA.ne.jp>

On Tue, Nov 21, 2023 at 8:03 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> On 2023/11/21 7:52, Paul Moore wrote:
> > On Mon, Nov 20, 2023 at 8:28 AM Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >>
> >> This functionality will be used by TOMOYO security module.
> >>
> >> In order to officially use an LSM module, that LSM module has to be
> >> built into vmlinux. This limitation has been a big barrier for allowing
> >> distribution kernel users to use LSM modules which the organization who
> >> builds that distribution kernel cannot afford supporting [1]. Therefore,
> >> I've been asking for the ability to append LSM hooks from LKM-based LSMs so
> >> that distribution kernel users can use LSMs which the organization who
> >> builds that distribution kernel cannot afford supporting.
> >
> > It doesn't really matter for this discussion, but based on my days
> > working for a Linux distro company I would be very surprised if a
> > commercial distro would support a system running unapproved
> > third-party kernel modules.
>
> A commercial distro does not care about problems that are caused by
> using kernel modules that are not included in that distro's kernels.

My experience has taught me otherwise.

> If a commercial distro does not want to allow use of kernel modules that
> are not included in that distro's kernels, that distro would enforce module
> signature verification rather than disabling loadable module support.
> Keeping loadable module support enabled is a balance that is important for
> getting wider developers/users.

We don't currently support LSMs as dynamically loadable kernel modules
and if the only reasons for doing so are either to A) support
out-of-tree LSMs or B) avoid having to recompile a kernel (to hack an
unsupported LSM into a distro kernel) I have to say (yet again) that I
am not interested.

> > We've talked a lot about this core problem and I maintain that it is
> > still a distro problem and not something I'm really concerned about
> > upstream.
>
> LSM modules that are not built into vmlinux currently cannot be appended
> after boot. Such asymmetry is strange and remains a big barrier.
>
> You are not concerned about this asymmetry, but I am very much concerned.
> Please give me feedback on not "I don't need it" but "how we can do it".

I thought my feedback has been clear up to this point, but perhaps I
need to be more direct.  At this point in time I am not interested in
supporting dynamically loaded LSM kernel modules if the only reasons
are to support out-of-tree LSMs or users who want to hack unsupported
LSMs into pre-built distro kernels; both of these use cases can be
solved today by compiling your own kernel.

As with the other threads involving this topic, I'm going to refrain
from any further comments until I see a new discussion point.

--
paul-moore.com

Thread overview: 12+ messages
2023-11-20 13:27 [RFC PATCH v2 0/4] LSM: Officially support appending LSM hooks after boot Tetsuo Handa
2023-11-20 13:28 ` [PATCH 1/4] LSM: Auto-undef LSM_HOOK macro Tetsuo Handa
2023-11-20 13:28 ` [PATCH 2/4] LSM: Add a header file containing only arguments of LSM callback functions Tetsuo Handa
2023-11-20 13:29 ` [PATCH 3/4] LSM: Break LSM_HOOK() macro into 6 macros Tetsuo Handa
2023-11-20 13:30 ` [PATCH 4/4] LSM: Add a LSM module which handles dynamically appendable LSM hooks Tetsuo Handa
2023-11-20 22:28   ` kernel test robot
2023-11-20 22:47   ` kernel test robot
2023-11-20 23:36   ` kernel test robot
2023-11-20 22:52 ` [RFC PATCH v2 0/4] LSM: Officially support appending LSM hooks after boot Paul Moore
2023-11-21 13:03   ` Tetsuo Handa
2023-11-22  4:41     ` Paul Moore [this message]
2023-11-26  4:37       ` Tetsuo Handa