Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp167932imm; Tue, 14 Aug 2018 16:23:19 -0700 (PDT) X-Google-Smtp-Source: AA+uWPxFY8EeDWq5Vm9Varp616hBlvqoyPq/mL7vRreVkNgIH8AYzXhpUTPQswJ9NboRghrMGo+M X-Received: by 2002:a17:902:4001:: with SMTP id b1-v6mr22416943pld.208.1534288999300; Tue, 14 Aug 2018 16:23:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534288999; cv=none; d=google.com; s=arc-20160816; b=ihO/lATXop1WBGO0r5CpEBlQQyYsFiAtHAw79HzHPI0gQavNnvRe8yIkLoN8+2r6q0 YjD+3A4ny4GJkzROw5zjWA3CZ7XV7sgFHq/ZDYMwoMH/uKEZUyGFE3Gev7IpO+YmBsu/ 7pU1KprR5NalNuLD2p0t1mCy5fyAEshK7hCf33ZyIA9mRPKZt3iwttDfT1jtq9SelZAV 5BBZv1X1F+YK9P8Q0p7NzgM1TRxFlPJ05cvqBeianCTPIq7VoyPWVzDETTpoDtk4EMBD 2RJLuo+FLJf+Y3UOA5Mz6ypjQNZp+CS/AFudm0RDQSxEJBjnYce3nUVNLF+cWjvye8kf MX/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :feedback-id:references:in-reply-to:message-id:subject:reply-to:cc :from:to:dkim-signature:date:arc-authentication-results; bh=OcYDjefpkLlJNbiY0/lSTBVZNxEXmoDeW6ccriyr7tM=; b=tkoVYrFEALRsHl1n8qbxgGa4Hcvyo9TH0v/ng5tg3/q7EypcDxfzZ2XZgzbHqAjXg8 9eoJhmA40Zr+qeW0x0Grb8r5HKrOSb7wgkwFLbqtpSeFBXimmjT/JU0M4BxAjGXA7dVA Qukl6IActGaCCdf3Wngmy6BSMmU8BZDpnQ490AM7Hwn7pfAX5irqHzhXQP0wxHRwcdw6 S1Wwzhc/DjMdDH/tMO5ylm3Gn8GNw5S4ynPNd+rbFTniP05ivcW8srPtDnUGx/v9Bt6D PJ90ff60VuNNc8FETe42mQ/t48wCe52Zg9wYWG4he38sV1cEREPBovIOeM1JbB36nGJ/ +JpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@protonmail.ch header.s=default header.b=LXyHX5DG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o12-v6si19436456pgn.556.2018.08.14.16.23.03; Tue, 14 Aug 2018 16:23:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@protonmail.ch header.s=default header.b=LXyHX5DG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732593AbeHOCLk (ORCPT + 99 others); Tue, 14 Aug 2018 22:11:40 -0400 Received: from mail-40133.protonmail.ch ([185.70.40.133]:12288 "EHLO mail-40133.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729705AbeHOCLj (ORCPT ); Tue, 14 Aug 2018 22:11:39 -0400 Date: Tue, 14 Aug 2018 23:22:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=default; t=1534288928; bh=OcYDjefpkLlJNbiY0/lSTBVZNxEXmoDeW6ccriyr7tM=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=LXyHX5DGF5jxLnSuSmWpz5KbKWA4Vjn0ynw8DLF6qZYGZ5+LqomRwdSUvVQJvtNX9 yD9Ojv4M0htHLNp1ZU1AZM+ZdoJ7+RrqTlZO/8s7gEmHS8lFifoQThM1ZvxREtos+8 wPFQzGKFPFgf72S1trILH9tGaAClC28wPwFlQrGA= To: Casey Schaufler From: Jordan Glover Cc: Sargun Dhillon , LSM , LKLM , Paul Moore , Stephen Smalley , SE Linux , "SMACK-discuss@lists.01.org" , John Johansen , Kees Cook , Tetsuo Handa , James Morris , "Schaufler, Casey" Reply-To: Jordan Glover Subject: Re: [PATCH v1 00/22] LSM: Full security module stacking Message-ID: In-Reply-To: References: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> Feedback-ID: QEdvdaLhFJaqnofhWA-dldGwsuoeDdDw7vz0UPs8r8sanA3bIt8zJdf4aDqYKSy4gJuZ0WvFYJtvq21y6ge_uQ==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, FREEMAIL_REPLYTO_END_DIGIT autolearn=no autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.protonmail.ch Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On August 14, 2018 8:28 PM, Casey Schaufler wrote: > On 8/14/2018 10:05 AM, Sargun Dhillon wrote: > > > On Mon, Jul 16, 2018 at 10:53 AM, Casey Schaufler > > casey@schaufler-ca.com wrote: > > > > > LSM: Full security module stacking > > > I'm calling this v1 not because it's the first version > > > I've put out but because it's the first version I'm getting > > > serious external pressure to get upstream. > > > Awesome work, I'm glad that this is getting further. > > It's following the 90/90 rule pretty closely. The first > 90% of the work took 90% of the time, and the last 10% is > taking the other 90% of the time. > > > > The blob management part (through "LSM: Sharing of security blobs") > > > is ready for prime-time. These changes move the management of > > > security blobs out of the security modules and into the security > > > module infrastructure. With this change the proposed S.A.R.A, > > > LandLock and PTAGS security modules could co-exist with any of > > > the existing "major" security modules. The changes reduce some > > > code duplication. > > > Beyond the blob management there's a bit of clean-up. > > > Mounting filesystems had to be changed so that options > > > a security module doesn't recognize won't be considered > > > a fatal error. The mount infrastructure is somewhat > > > more complex than one might assume. > > > > Casey, > > Do you think you can break out 1 into its own patch? It seems like > > that'd be valuable to everyone. > > Yes, I think that is a good idea. Landlock, S.A.R.A. and a couple > other security modules could be added upstream if this part of the > work was available. It would not provide everything needed to stack > all the existing modules. I believe there is concern that if this > much went upstream the work on finishing what's required to make > everything work might be abandoned. > On the other hand there is concern that those security modules might be abandoned if they have to wait until everything is finished :) > > What's your thought here if we ever introduce dynamic security > > modules? It's nice that we now have a way around rolling back blobs if > > one fails, but what if a new module was activated, would we just > > resize the slab cache? > > Making the blob size dynamic at run time makes the blob management > more complicated because you have to keep track of the modules in > play when the blob was allocated, and pay attention to that when hooks > are called. It's a lot simpler if you don't let blobs get smaller, > but still requires more bookkeeping than if the size is static. It > is completely doable. I have played with it a bit. There are performance > implications. Jordan