From: Casey Schaufler
To: Kees Cook
Cc: Josh Boyer, linux-security-module, James Morris, "linux-doc@vger.kernel.org", "Linux-Kernel@Vger. Kernel. Org", Casey Schaufler
Subject: Re: [PATCH] Yama: remove needless CONFIG_SECURITY_YAMA_STACKED
Date: Tue, 21 Jul 2015 18:59:19 -0700
Message-ID: <55AEF8F7.90501@schaufler-ca.com>
References: <20150721190946.GA5127@www.outflux.net> <55AEA214.1010505@schaufler-ca.com> <55AEB1F5.9000300@schaufler-ca.com> <55AEDDDE.6060809@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/21/2015 5:06 PM, Kees Cook wrote:
> On Tue, Jul 21, 2015 at 5:03 PM, Casey Schaufler wrote:
>> On 7/21/2015 3:41 PM, Kees Cook wrote:
>>> On Tue, Jul 21, 2015 at 1:56 PM, Casey Schaufler wrote:
>>>> On 7/21/2015 1:09 PM, Josh Boyer wrote:
>>>>> On Tue, Jul 21, 2015 at 3:48 PM, Casey Schaufler wrote:
>>>>>> On 7/21/2015 12:09 PM, Kees Cook wrote:
>>>>>>> Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded
>>>>>>> config for Yama to be made to explicitly stack. Just selecting the main
>>>>>>> Yama CONFIG will allow it to work, regardless of the major LSM. Since
>>>>>>> distros using Yama are already forcing it to stack, this is effectively
>>>>>>> a no-op change.
>>>>>> Today I can compile in all LSMs including Yama and pick the one I want.
>>>>>> If we made your change it would be impossible to build in Yama and not
>>>>>> use it. I suggest we hold off until after the security summit discussion
>>>>> This is true, but it's also true regardless of stacking. If Yama had
>>>>> a CONFIG_SECURITY_YAMA_ENABLED (or whatever bikeshed color), then you
>>>>> could enable Yama and not use it, yes? It would also allow people to
>>>>> default it as disabled, but then enable it at runtime via the
>>>>> ptrace_scope sysctl.
>>>> The way Kees proposed it you would *always* get Yama stacked with
>>>> your other module if you compile Yama in. Thus, If I compile in
>>>> SELinux and Yama I cannot run SELinux without Yama. Today, I can
>>> Yama is entirely controllable from sysctl, so you could build it in
>>> and set the ptrace_scope setting to 0 at boot. It's already being
>>> built into distro kernels this way (via the STACKING config), so this
>>> change is effectively no different.
>>>
>>>> compile SELinux and Yama in but run only SELinux. My suggestion is
>>>> to wait until we can specify the modules to use before we remove
>>>> the kconfig option that provides that facility today.
>>> I'm happy to wait, but I'm still going to send my other 2 "minor" LSMs
>>> before LSS. :) Neither of them would be built into a kernel without
>>> wanting their functionality, so they'll have the stack "always on"
>>> semantics if their CONFIG is selected.
>> Fair enough then. I'll withdraw my objection. One question comes
>> to mind, and that is how are you planning to order them? I put
>> Yama ahead of the "major" modules because that was how it had been
>> stacked previously. Let's assume that the capability module stays
>> in the first position. Are you planning to put your new modules
>> before Yama, before the "major" module(s) or at the end?
> It shouldn't matter, IMO. Though perhaps that's a mistake, and we
> should make sure all "minor" LSMs go first? As I have it, it'd be in
> link order, which is likely not "stable", so perhaps I've just talked
> myself out of "it shouldn't matter".

I propose that Capabilities go first, Yama 2nd, your new "minor"
modules in the order accepted upstream, then the "major" module.
It will be set in stone until the ordering options for security=
and kconfig are implemented. At that time you'll be able to set
'em up in any order you like.

>
> -Kees
>
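
Added example, not part of the original message and not kernel source: a simplified userspace C model of a stacked hook list in which the first non-zero return ends the walk. It shows why the ordering discussed above is observable: the request is denied under either order, but the denying module and the error code differ. `struct request`, `call_stack` and the per-module policies are hypothetical.

```c
#include <stdio.h>
#include <errno.h>

/* Simplified userspace model of a stacked LSM hook list; not kernel code. */
struct request { int same_user; int is_descendant; int has_cap; };
typedef int (*hook_fn)(const struct request *);
struct lsm { const char *name; hook_fn ptrace_check; };

/* Hypothetical per-module policies, constructed for this example. */
static int cap_check(const struct request *r)   { return (r->same_user || r->has_cap) ? 0 : -EPERM; }
static int yama_check(const struct request *r)  { return (r->is_descendant || r->has_cap) ? 0 : -EPERM; }
static int minor_check(const struct request *r) { (void)r; return 0; }
static int major_check(const struct request *r) { return r->has_cap ? 0 : -EACCES; }

/* Walk the stack in order; the first non-zero return ends the walk. */
static int call_stack(const struct lsm *stack, int n, const struct request *r,
                      const char **denier, int *called)
{
    *denier = NULL;
    *called = 0;
    for (int i = 0; i < n; i++) {
        (*called)++;
        int rc = stack[i].ptrace_check(r);
        if (rc != 0) { *denier = stack[i].name; return rc; }
    }
    return 0;
}

static const struct lsm proposed[] = {   /* order proposed in the message */
    {"capability", cap_check}, {"yama", yama_check},
    {"minor", minor_check}, {"major", major_check},
};
static const struct lsm reordered[] = {  /* one possible link-order outcome */
    {"capability", cap_check}, {"major", major_check},
    {"minor", minor_check}, {"yama", yama_check},
};

int main(void)
{
    /* Constructed request: same user, not a descendant, no capability. */
    struct request r = { .same_user = 1, .is_descendant = 0, .has_cap = 0 };
    const char *who; int n;
    int rc = call_stack(proposed, 4, &r, &who, &n);
    printf("proposed:  rc=%d denied by %s after %d hooks\n", rc, who, n);
    rc = call_stack(reordered, 4, &r, &who, &n);
    printf("reordered: rc=%d denied by %s after %d hooks\n", rc, who, n);
    return 0;
}
```

Modules placed after the denier never see the request in this model, so any logging they would do for it also depends on position in the stack.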