Subject: Re: [PATCH] Yama: remove needless CONFIG_SECURITY_YAMA_STACKED
From: Casey Schaufler
To: Josh Boyer
Cc: Kees Cook, linux-security-module, James Morris, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 21 Jul 2015 13:56:21 -0700
Message-ID: <55AEB1F5.9000300@schaufler-ca.com>
References: <20150721190946.GA5127@www.outflux.net> <55AEA214.1010505@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/21/2015 1:09 PM, Josh Boyer wrote:
> On Tue, Jul 21, 2015 at 3:48 PM, Casey Schaufler wrote:
>> On 7/21/2015 12:09 PM, Kees Cook wrote:
>>> Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded
>>> config for Yama to be made to explicitly stack. Just selecting the main
>>> Yama CONFIG will allow it to work, regardless of the major LSM. Since
>>> distros using Yama are already forcing it to stack, this is effectively
>>> a no-op change.
>> Today I can compile in all LSMs including Yama and pick the one I want.
>> If we made your change it would be impossible to build in Yama and not
>> use it. I suggest we hold off until after the security summit discussion
> This is true, but it's also true regardless of stacking. If Yama had
> a CONFIG_SECURITY_YAMA_ENABLED (or whatever bikeshed color), then you
> could enable Yama and not use it, yes? It would also allow people to
> default it as disabled, but then enable it at runtime via the
> ptrace_scope sysctl.

The way Kees proposed it you would *always* get Yama stacked with your
other module if you compile Yama in. Thus, if I compile in SELinux and
Yama I cannot run SELinux without Yama. Today, I can compile SELinux
and Yama in but run only SELinux.

My suggestion is to wait until we can specify the modules to use before
we remove the kconfig option that provides that facility today.

>
> josh
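The disagreement above is about whether building Yama in forces it to be active alongside the major LSM. The program below is an added example, not part of this thread or of the kernel tree, showing how to check that on a running system from user space: it reads the active-LSM list that securityfs exposes at /sys/kernel/security/lsm, reads the kernel.yama.ptrace_scope sysctl, and then demonstrates the restriction Yama enforces by having a child process attempt PTRACE_ATTACH on its parent (a non-descendant from the child's side) both without and with the parent's PR_SET_PTRACER opt-in. The fork-and-attach harness and the function names are my own; the file paths and the PR_SET_PTRACER semantics are the kernel's. A PR_SET_PTRACER call failing with EINVAL is the runtime symptom of Yama not being stacked, since no other LSM handles that prctl option.

```c
/* Added example (not from the LKML thread): is Yama actually active here,
 * and what does its ptrace restriction do? Assumes Linux with securityfs
 * mounted at /sys/kernel/security. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61 /* "Yama" in ASCII, as in linux/prctl.h */
#endif

/* Return 1 if `name` is an exact entry of a comma-separated LSM list such as
 * the contents of /sys/kernel/security/lsm ("capability,yama,selinux\n").
 * Whole-entry matching avoids a false hit on a longer name with the same prefix. */
int lsm_list_contains(const char *list, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = list;

    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        /* tolerate the newline the kernel writes after the last entry */
        while (len > 0 && (p[len - 1] == '\n' || p[len - 1] == ' '))
            len--;
        if (len == nlen && memcmp(p, name, nlen) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Read a small pseudo-file into buf; returns bytes read, or -1 on error. */
static int read_small_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Fork a child that tries PTRACE_ATTACH on its parent. The parent is not a
 * descendant of the child, so at ptrace_scope=1 Yama refuses with EPERM unless
 * the parent opted in via PR_SET_PTRACER (or the child holds CAP_SYS_PTRACE,
 * which is the case when run as root). Returns 0 if the attach succeeded,
 * otherwise the child's errno. */
int attach_to_parent_from_child(int opt_in)
{
    int sync_pipe[2];
    int status;
    pid_t child;

    if (pipe(sync_pipe) < 0)
        return errno;
    child = fork();
    if (child < 0)
        return errno;

    if (child == 0) {
        char go;
        pid_t parent = getppid();
        int err = 0;

        close(sync_pipe[1]);
        /* wait until the parent has (maybe) called PR_SET_PTRACER */
        if (read(sync_pipe[0], &go, 1) != 1)
            _exit(EIO);
        if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) == -1) {
            err = errno;
        } else {
            waitpid(parent, NULL, 0);          /* wait for the attach stop */
            ptrace(PTRACE_DETACH, parent, NULL, NULL);
        }
        _exit(err & 0xff);
    }

    close(sync_pipe[0]);
    if (opt_in && prctl(PR_SET_PTRACER, child, 0, 0, 0) < 0)
        perror("prctl(PR_SET_PTRACER) (EINVAL here means Yama is not active)");
    if (write(sync_pipe[1], "x", 1) != 1)
        return errno;
    close(sync_pipe[1]);
    if (waitpid(child, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[256];
    int err;

    if (read_small_file("/sys/kernel/security/lsm", buf, sizeof buf) > 0) {
        buf[strcspn(buf, "\n")] = '\0';
        printf("active LSMs: %s -> Yama is %s\n", buf,
               lsm_list_contains(buf, "yama") ? "stacked" : "NOT active");
    } else {
        puts("/sys/kernel/security/lsm unreadable (securityfs not mounted?)");
    }
    if (read_small_file("/proc/sys/kernel/yama/ptrace_scope", buf, sizeof buf) > 0)
        printf("kernel.yama.ptrace_scope = %s", buf);
    else
        puts("no kernel.yama.ptrace_scope sysctl: Yama not built in or not stacked");

    err = attach_to_parent_from_child(0);
    printf("child attaching to parent, no opt-in:       %s\n", err ? strerror(err) : "allowed");
    err = attach_to_parent_from_child(1);
    printf("child attaching to parent, PR_SET_PTRACER:  %s\n", err ? strerror(err) : "allowed");
    return 0;
}
```

Run it as an unprivileged user; as root the child carries CAP_SYS_PTRACE and both attaches succeed at scope 1, so the output says nothing about Yama. With Yama stacked and ptrace_scope=1 the first attach fails with "Operation not permitted" and the second is allowed; with Yama absent, or scope 0, both are allowed and the prctl reports EINVAL in the former case.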