From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>
Cc: LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
linux-audit@redhat.com, Mimi Zohar <zohar@linux.ibm.com>,
keescook@chromium.org, SElinux list <selinux@vger.kernel.org>,
casey@schaufler-ca.com
Subject: Re: LSM stacking in next for 6.1?
Date: Tue, 25 Oct 2022 15:41:44 -0700 [thread overview]
Message-ID: <aa201ed7-9ca1-9507-08cc-156f280ee5f4@schaufler-ca.com> (raw)
In-Reply-To: <98ab33d6-6c91-9c0a-8647-22f6bdede885@I-love.SAKURA.ne.jp>
On 10/25/2022 3:12 PM, Tetsuo Handa wrote:
> On 2022/10/25 23:12, Casey Schaufler wrote:
>> On 10/25/2022 4:20 AM, Tetsuo Handa wrote:
>>> On 2022/10/25 19:26, John Johansen wrote:
>>>> no, Casey is not. He is trying to find a path forward to get LSM
>>>> stacking upstream sooner than later. He has made proposals that
>>>> admittedly you have not liked, but he has at least tried to propose
>>>> ideas that could work within the insane set of constraints.
>>> I'm OK with getting LSM stacking upstream. But changes made based on
>>> only built-in modules are bad. If LSM id cannot be assigned to loadable
>>> LSM modules at runtime because not all loadable LSM modules will be
>>> in-tree in order to get an LSM id assigned, loadable LSM modules won't
>>> be able to utilize e.g. lsm_module_list system call (or whatever
>>> changes made while trying to unshare resources/interfaces currently
>>> shared among SELinux/Smack/AppArmor).
>>>
>>> It will be a complete reinvention of Linux security framework which is
>>> merely borrowing hooks provided by LSM. That is no different from
>>> duplicating existing LSM hooks and managing via completely different
>>> set of interfaces (e.g. /proc/$pid/attr2/$lsmname/$filename ,
>>> /sys/kernel/security2/$lsmname/$filename ). Such implementation is
>>> no longer loadable LSM. It is LSM version 2. And I don't think that
>>> such implementation will be accepted unless you agree to kill current
>>> LSM (say, LSM version 1).
>> The counter argument to this statement is that BPF has been accepted
>> upstream. eBPF programs are different from built-in security modules.
>> There is no reason that a well implemented LSM that accepts loadable
>> modules *that are different* from built-in modules couldn't be created.
>> I seriously doubt that it would get upstream for all the reasons
>> usually cited. But there is nothing about the implementation I've proposed
>> that would prevent it.
>>
> As an easy example, please show me an eBPF program that allows restricting where
> to chroot to and allows configuring where to chroot to using /sys/kernel/security/
> interface.
>
> An loadable LSM consists of hooks (for filtering access requests) and interface
> (for configuring rules whether to filter access requests).
>
> Your LSM id approach makes it impossible to use interface (due to lack of LSM id
> for loadable LSM modules) by loadable LSM modules. LSM id must not be limited to
> built-in LSM modules.
I'm sorry that I am failing to communicate my understanding of why this
isn't true. You need a built-in LSM that loads and manages loadable
security modules. That LSM would have an LSM ID just like the BPF LSM
has a LSM ID. I have no doubt that there are multiple workable implementations,
as I have looked into many different ways to implement the stacking for
built-in modules. I am also sorry that I don't expect to have enough working
years left to even consider spending any more time on the problem. This is
a development effort for The Next Generation.
next prev parent reply other threads:[~2022-10-25 22:41 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com>
2022-08-03 0:01 ` LSM stacking in next for 6.1? Casey Schaufler
2022-08-03 0:56 ` Paul Moore
2022-08-03 1:56 ` John Johansen
2022-08-03 2:15 ` Casey Schaufler
2022-08-03 2:33 ` Paul Moore
2022-08-03 2:34 ` Steve Grubb
2022-08-03 2:40 ` Paul Moore
2022-09-02 21:30 ` Paul Moore
2022-09-02 23:14 ` Casey Schaufler
2022-09-02 23:57 ` Casey Schaufler
2022-09-06 23:24 ` Paul Moore
2022-09-07 0:10 ` John Johansen
2022-09-07 0:39 ` Casey Schaufler
2022-09-07 0:50 ` John Johansen
2022-09-07 14:41 ` Paul Moore
2022-09-07 16:41 ` Casey Schaufler
2022-09-07 17:23 ` John Johansen
2022-09-07 22:57 ` Paul Moore
2022-09-07 23:27 ` Paul Moore
2022-09-07 23:53 ` Casey Schaufler
2022-09-08 0:19 ` John Johansen
2022-09-08 3:57 ` Paul Moore
2022-09-08 18:05 ` Casey Schaufler
2022-09-08 18:35 ` John Johansen
2022-09-08 19:32 ` Paul Moore
2022-09-08 22:56 ` Casey Schaufler
2022-09-10 4:17 ` Tetsuo Handa
2022-09-12 17:37 ` Casey Schaufler
2022-09-13 10:47 ` Tetsuo Handa
2022-09-13 14:45 ` Casey Schaufler
2022-09-14 13:57 ` Tetsuo Handa
2022-09-14 15:50 ` Casey Schaufler
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 14:54 ` John Johansen
2022-09-15 7:45 ` John Johansen
2022-09-15 14:27 ` Tetsuo Handa
2022-10-25 9:48 ` Tetsuo Handa
2022-10-25 10:26 ` John Johansen
2022-10-25 11:20 ` Tetsuo Handa
2022-10-25 14:12 ` Casey Schaufler
2022-10-25 22:12 ` Tetsuo Handa
2022-10-25 22:41 ` Casey Schaufler [this message]
2022-10-26 10:19 ` Tetsuo Handa
2022-10-26 15:30 ` Casey Schaufler
2022-10-28 10:14 ` John Johansen
2022-10-30 4:03 ` Tetsuo Handa
2022-10-30 7:23 ` John Johansen
2022-10-30 14:02 ` Tetsuo Handa
2022-10-30 16:37 ` Kees Cook
2022-10-30 20:56 ` Casey Schaufler
2022-10-31 10:26 ` Tetsuo Handa
2022-10-31 15:47 ` Casey Schaufler
2022-10-26 20:11 ` Paul Moore
2022-10-27 0:02 ` Tetsuo Handa
2022-10-28 9:50 ` Paul Moore
2022-10-28 13:58 ` Tetsuo Handa
2022-10-28 17:40 ` Kees Cook
2022-10-29 9:33 ` Tetsuo Handa
2022-09-14 13:42 ` Paul Moore
2022-09-27 20:54 ` Casey Schaufler
2022-09-27 22:37 ` Paul Moore
2022-09-07 0:31 ` Casey Schaufler
2022-09-07 15:13 ` Paul Moore
2022-09-07 17:08 ` Casey Schaufler
2022-09-07 23:04 ` Paul Moore
2022-09-07 23:26 ` Casey Schaufler
2022-09-08 15:18 ` Tetsuo Handa
2022-09-08 16:00 ` Casey Schaufler
2022-09-08 18:52 ` Paul Moore
2022-09-09 11:32 ` Tetsuo Handa
2022-09-14 13:56 ` Paul Moore
2022-09-15 14:27 ` Tetsuo Handa
2022-09-15 15:50 ` Casey Schaufler
2022-09-16 13:34 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa201ed7-9ca1-9507-08cc-156f280ee5f4@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox