Re: [PATCH] ptrace: allow restriction of ptrace scope

["Serge E. Hallyn" <serge@hallyn.com>]

Quoting Eric W. Biederman (ebiederm@xmission.com):
> Theodore Tso <tytso@MIT.EDU> writes:
> 
> > i think we really need to have stacked LSM's, because there is a large set
> > of people who will never use SELinux.  Every few years, I take another 
> > look at SELinux, my head explodes with the (IMHO unneeded complexity),
> > and I go away again...
> >
> > Yet I would really like a number of features such as this ptrace scope idea ---
> > which I think is a useful feature, and it may be that stacking is the only
> > way we can resolve this debate.   The SELinux people will never believe that
> > their system is too complicated, and I don't like using things that are impossible
> > for me to understand or configure, and that doesn't seem likely to change anytime
> > in the near future.
> >
> > I mean, even IPSEC RFC's are easier for me to understand, and that's saying
> > a lot...
> 
> 
> If anyone is going to work on this let me make a concrete suggestion.
> Let's aim at not stacked lsm's but chained lsm's, and put the chaining
> logic in the lsm core.
> 
> The core difficulty appears to be how do you multiplex the security pointers
> on various objects out there.

Here ya go, chaining for lsm security pointers:

http://lists.jammed.com/linux-security-module/2004/11/
http://lwn.net/Articles/114588/

:)

> My wishlist has this working so that I can logically have a local security
> policy in a container, restricted by the global policy but with additional
> restrictions.

At the upcoming linux security summit[1], colocated with linuxcon, Kees is going
to be doing a talk 'widely used but out of tree', where presumably the topic
of stacking LSMs will come back up.

If we were going to seriously consider stacking LSMs again, I'd want to
dig through archives to produce a precise list of previous issues, so we
can build on that to try and design something which might work.  So
I guess I'm suggesting a beer BOF for the evening or next day for
discussing design in more detail.

The general answer tends to be "generic stacking doesn't work, LSMs
need to know about each other."  But even for that (as evidenced by
the selinux+commoncap experience with stacking) is hairy, and more
to the point it probably does not scale when we have 5-10 small
LSMs.  I.e. LSM 1 wants to prevent some action while LSM 2 requires
that action to succeed so that it can properly prevent another
action.  Concrete examples are buried in the stacker discussions
on the lsm list from 2004-2005.

Mind you, I'm not interested in doing a stacking patchset myself again,
would prefer to spend my time on user namespaces.  I'm not even sure
which side of the stacking-vs-nostacking fence I'll be on, except that I
always prefer to discuss based on experience with real code than
pie-in-the-skie arguments, so would encourage patches.  I do suspect
once we better understand user namespaces we may have want for fewer
little LSMs.  So someone else can have all the fun to themselves  :)

-serge

[1] https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010