From: John Johansen <john.johansen@canonical.com>
To: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>,
casey.schaufler@intel.com, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org, keescook@chromium.org,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: Re: [PATCH 00/58] LSM: Module stacking for AppArmor
Date: Wed, 5 Jun 2019 14:43:29 -0700 [thread overview]
Message-ID: <c27ef338-e8fc-cf60-41ed-3d74352add3d@canonical.com> (raw)
In-Reply-To: <alpine.LRH.2.21.1906060653060.20895@namei.org>
On 6/5/19 1:53 PM, James Morris wrote:
> On Tue, 4 Jun 2019, John Johansen wrote:
>
>> Yes, on Ubuntu & suse you can lauch lxd system containers with the
>> container having a system policy bounding the container, and the container
>> having its own apparmor policy namespace. So it loads and has its own
>> policy that is enforced.
>>
>> This allows for us to run older versions of ubuntu (say 16.04) on an
>> 18.04 host, and have the 16.04 policy behave just as if it was the host.
>
> How well does the LSM stacking scale to 100s or more containers?
>
Actually really well,
The cost isn't really based on how many containers but how many LSMs
are registered and how nested we are.
How we are currently handling it is apparmor is registered once, and
it is responsible for looping on its bounding. So for tasks that are
not in the container there is no additional cost.
For tasks in the first container, there is an extra cost of enforcing
the extra layer of apparmor policy loaded in the container. If you do
container in container there are two extra levels of apparmor policy.
This does rely on apparmor doing its own namespacing and bounding. LSM
stacking just allows us to start doing this with apparmor containers
on smack and selinux based systems.
>> This approach won't be an option for the 19.10 release and we will be
>> needing the full patchset. I should be able to provide some benchmark
>> and testing data soon.
>
> Great.
>
next prev parent reply other threads:[~2019-06-05 21:43 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-02 16:50 [PATCH 00/58] LSM: Module stacking for AppArmor Casey Schaufler
2019-06-02 16:50 ` [PATCH 01/58] LSM: Infrastructure management of the superblock Casey Schaufler
2019-06-02 16:50 ` [PATCH 02/58] LSM: Infrastructure management of the sock security Casey Schaufler
2019-06-02 16:50 ` [PATCH 03/58] LSM: Infrastructure management of the key security blob Casey Schaufler
2019-06-02 16:50 ` [PATCH 04/58] LSM: Create an lsm_export data structure Casey Schaufler
2019-06-02 16:50 ` [PATCH 05/58] LSM: Use lsm_export in the inode_getsecid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 06/58] LSM: Use lsm_export in the cred_getsecid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 07/58] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 08/58] LSM: Use lsm_export in the kernel_ask_as hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 09/58] LSM: Use lsm_export in the getpeersec_dgram hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 10/58] LSM: Use lsm_export in the audit_rule_match hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 11/58] LSM: Use lsm_export in the secid_to_secctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 12/58] LSM: Use lsm_export in the secctx_to_secid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 13/58] LSM: Use lsm_export in security_audit_rule_match Casey Schaufler
2019-06-02 16:50 ` [PATCH 14/58] LSM: Use lsm_export in security_kernel_act_as Casey Schaufler
2019-06-02 16:50 ` [PATCH 15/58] LSM: Use lsm_export in security_socket_getpeersec_dgram Casey Schaufler
2019-06-02 16:50 ` [PATCH 16/58] LSM: Use lsm_export in security_secctx_to_secid Casey Schaufler
2019-06-02 16:50 ` [PATCH 17/58] LSM: Use lsm_export in security_secid_to_secctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 18/58] LSM: Use lsm_export in security_ipc_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 19/58] LSM: Use lsm_export in security_task_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 20/58] LSM: Use lsm_export in security_inode_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 21/58] LSM: Use lsm_export in security_cred_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 22/58] Audit: Change audit_sig_sid to audit_sig_lsm Casey Schaufler
2019-06-02 16:50 ` [PATCH 23/58] Audit: Convert target_sid to an lsm_export structure Casey Schaufler
2019-06-02 16:50 ` [PATCH 24/58] Audit: Convert osid " Casey Schaufler
2019-06-02 16:50 ` [PATCH 25/58] IMA: Clean out lsm_export scaffolding Casey Schaufler
2019-06-02 16:50 ` [PATCH 26/58] NET: Change the UNIXCB from a secid to an lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 27/58] NET: Remove scaffolding on secmarks Casey Schaufler
2019-06-02 16:50 ` [PATCH 28/58] NET: Remove scaffolding on new secmarks Casey Schaufler
2019-06-02 16:50 ` [PATCH 29/58] NET: Remove netfilter scaffolding for lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 30/58] Netlabel: Replace secids with lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 31/58] LSM: Remove lsm_export scaffolding functions Casey Schaufler
2019-06-02 16:50 ` [PATCH 32/58] IMA: FIXUP prototype using lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 33/58] Smack: Restore the release_secctx hook Casey Schaufler
2019-06-02 16:50 ` [PATCH 34/58] AppArmor: Remove unnecessary hook stub Casey Schaufler
2019-06-02 16:50 ` [PATCH 35/58] LSM: Limit calls to certain module hooks Casey Schaufler
2019-06-10 10:20 ` Ondrej Mosnacek
2019-06-02 16:50 ` [PATCH 36/58] LSM: Create a data structure for a security context Casey Schaufler
2019-06-02 16:50 ` [PATCH 37/58] LSM: Use lsm_context in secid_to_secctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 38/58] LSM: Use lsm_context in secctx_to_secid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 39/58] LSM: Use lsm_context in inode_getsecctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 40/58] LSM: Use lsm_context in inode_notifysecctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 41/58] LSM: Use lsm_context in dentry_init_security hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 42/58] LSM: Use lsm_context in security_dentry_init_security Casey Schaufler
2019-06-02 16:50 ` [PATCH 43/58] LSM: Use lsm_context in security_inode_notifysecctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 44/58] LSM: Use lsm_context in security_inode_getsecctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 45/58] LSM: Use lsm_context in security_secctx_to_secid Casey Schaufler
2019-06-02 16:50 ` [PATCH 46/58] LSM: Use lsm_context in release_secctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 47/58] LSM: Use lsm_context in security_release_secctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 48/58] LSM: Use lsm_context in security_secid_to_secctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 49/58] fs: remove lsm_context scaffolding Casey Schaufler
2019-06-02 16:50 ` [PATCH 50/58] LSM: Add the release function to the lsm_context Casey Schaufler
2019-06-02 16:50 ` [PATCH 51/58] LSM: Use lsm_context in inode_setsecctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 52/58] LSM: Use lsm_context in security_inode_setsecctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 53/58] kernfs: remove lsm_context scaffolding Casey Schaufler
2019-06-02 16:50 ` [PATCH 54/58] LSM: Remove unused macro Casey Schaufler
2019-06-02 16:50 ` [PATCH 55/58] LSM: Special handling for secctx lsm hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 56/58] SELinux: Use blob offset in current_sid Casey Schaufler
2019-06-02 16:51 ` [PATCH 57/58] LSM: Specify which LSM to display Casey Schaufler
2019-06-02 16:51 ` [PATCH 58/58] AppArmor: Remove the exclusive flag Casey Schaufler
2019-06-04 12:29 ` [PATCH 00/58] LSM: Module stacking for AppArmor Stephen Smalley
2019-06-04 16:14 ` Casey Schaufler
2019-06-04 17:11 ` Stephen Smalley
2019-06-04 19:58 ` Casey Schaufler
2019-06-04 20:34 ` Stephen Smalley
2019-06-04 20:42 ` James Morris
2019-06-04 21:19 ` Casey Schaufler
2019-06-07 13:03 ` José Bollo
2019-06-05 1:50 ` John Johansen
2019-06-05 3:08 ` James Morris
2019-06-05 5:03 ` John Johansen
2019-06-05 20:53 ` James Morris
2019-06-05 21:43 ` John Johansen [this message]
2019-06-05 22:28 ` James Morris
-- strict thread matches above, loose matches on Subject: below --
2019-05-31 23:30 Casey Schaufler
2019-05-31 23:09 Casey Schaufler
2019-06-01 15:13 ` Kees Cook
2019-06-02 2:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c27ef338-e8fc-cf60-41ed-3d74352add3d@canonical.com \
--to=john.johansen@canonical.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).