From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-security-module@vger.kernel.org
Subject: Re: ANN: new LSM guidelines
Date: Fri, 7 Jul 2023 18:02:38 -0400 [thread overview]
Message-ID: <CAHC9VhTepATGki_8_nyUcmCCvJ2hpLO4bWFhF-gJ3CQceEBMfA@mail.gmail.com> (raw)
In-Reply-To: <4708afda-8867-735a-2f55-ca974e76cc9c@schaufler-ca.com>
On Thu, Jul 6, 2023 at 8:32 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 7/6/2023 1:42 PM, Paul Moore wrote:
> > Hello all,
> >
> > With some renewed interest in submitting new LSMs including in the
> > upstream Linux Kernel I thought it might be a good idea to document
> > some of our longstanding guidelines around submitting new LSMs. I'm
> > posting this mostly as a FYI for those who are working on new LSM
> > submissions, but also to solicit feedback from everyone on the list
> > regarding what we should ask of new LSMs. If you think I'm missing
> > something important, or believe I've added an unfair requirement,
> > please let me know.
> >
> > I've added the guidelines to the README.md at the top of the LSM tree,
> > but to make life easier for those reviewing the guidelines I'm
> > copy-n-pasting them below:
> >
> > * New LSMs must include documentation providing a clear explanation of
> > the LSM's requirements, goals, and expected uses. The documentation
> > does not need to rise to the level of a formal security model, but it
> > must be considered "reasonable" by the LSM community as a whole.
> >
> > * Any user visible interfaces provided by the LSM must be well
> > documented. It is important to remember the user visible APIs are
> > considered to be "forever APIs" by the Linux Kernel community; do not
> > add an API that cannot be supported for the next 20+ years.
> >
> > * Any userspace tools or patches created in support of the LSM must be
> > publicly available, with a public git repository preferable over a
> > tarball snapshot.
> >
> > * The LSM implementation must follow general Linux Kernel coding
> > practices, faithfully implement the security model and APIs described
> > in the documentation, and be free of any known defects at the time of
> > submission.
>
> Some commitment to maintaining the LSM for a reasonable time must be
> provided. Although this should probably be implicit in the use cases
> and goals, changes in product direction or employment status can leave
> an LSM orphaned before its time.
That's a good point, likely worth mentioning. We're currently being
bit by that with SafeSetID, so the implicit understanding may need to
be made a bit more explicit.
> New LSM hooks introduced need to be generically usable. Use of LSM
> specific data should be avoided. The hook should include data at a
> granularity that can accommodate the existing LSMs as well as the
> new one. The data granularity must be appropriate for the sub-system
> from which it is called.
I hadn't thought of adding a section on adding new LSM hooks, but that
seems like a good idea too. Thanks.
--
paul-moore.com
next prev parent reply other threads:[~2023-07-07 22:03 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-06 20:42 ANN: new LSM guidelines Paul Moore
2023-07-07 0:32 ` Casey Schaufler
2023-07-07 22:02 ` Paul Moore [this message]
2023-08-01 22:47 ` Paul Moore
2023-08-02 18:38 ` Mickaël Salaün
2023-08-02 21:56 ` Paul Moore
2023-08-02 22:36 ` Randy Dunlap
2023-08-03 20:55 ` Paul Moore
2023-08-03 9:44 ` Mickaël Salaün
2023-08-03 21:36 ` Paul Moore
2023-08-02 22:00 ` Paul Moore
2023-08-03 9:44 ` Mickaël Salaün
2023-08-03 21:24 ` Paul Moore
2023-08-03 21:38 ` Paul Moore
2023-08-04 7:58 ` Mickaël Salaün
2023-08-07 21:52 ` Paul Moore
2023-09-07 22:12 ` Paul Moore
2023-09-08 16:02 ` Casey Schaufler
2023-09-08 17:29 ` Paul Moore
2023-09-08 20:53 ` Casey Schaufler
2023-09-09 0:46 ` Tetsuo Handa
2023-09-11 13:03 ` Serge E. Hallyn
2023-09-11 20:04 ` Paul Moore
2023-09-12 1:29 ` Tetsuo Handa
2023-09-12 18:08 ` Paul Moore
2023-09-12 18:39 ` Casey Schaufler
2023-09-12 19:00 ` Paul Moore
2023-09-12 19:03 ` Paul Moore
2023-09-25 0:55 ` Tetsuo Handa
2023-09-25 1:32 ` Kees Cook
2023-09-25 4:32 ` Tetsuo Handa
2023-09-26 21:23 ` Paul Moore
2023-09-15 11:29 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhTepATGki_8_nyUcmCCvJ2hpLO4bWFhF-gJ3CQceEBMfA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=casey@schaufler-ca.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).