In-Reply-To: <8e2bdc10-3142-9e8d-ff05-70fa4d862dd5@schaufler-ca.com>
References: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> <8e2bdc10-3142-9e8d-ff05-70fa4d862dd5@schaufler-ca.com>
From: Kees Cook
Date: Tue, 14 Aug 2018 22:19:22 -0700
Subject: Re: [PATCH v1 00/22] LSM: Full security module stacking
To: Casey Schaufler
Cc: Jordan Glover, Sargun Dhillon, LSM, LKLM, Paul Moore, Stephen Smalley, SE Linux, "SMACK-discuss@lists.01.org", John Johansen, Tetsuo Handa, James Morris, "Schaufler, Casey", Salvatore Mesoraca, Mickaël Salaün
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 14, 2018 at 4:50 PM, Casey Schaufler wrote:
> On 8/14/2018 4:22 PM, Jordan Glover wrote:
>> On August 14, 2018 8:28 PM, Casey Schaufler wrote:
>>
>>>
>>>>> The blob management part (through "LSM: Sharing of security blobs")
>>>>> is ready for prime-time. These changes move the management of
>>>>> security blobs out of the security modules and into the security
>>>>> module infrastructure. With this change the proposed S.A.R.A,
>>>>> LandLock and PTAGS security modules could co-exist with any of
>>>>> the existing "major" security modules. The changes reduce some
>>>>> code duplication.
>>>>> Beyond the blob management there's a bit of clean-up.
>>>>> Mounting filesystems had to be changed so that options
>>>>> a security module doesn't recognize won't be considered
>>>>> a fatal error. The mount infrastructure is somewhat
>>>>> more complex than one might assume.
>>>> Casey,
>>>> Do you think you can break out 1 into its own patch? It seems like
>>>> that'd be valuable to everyone.
>>> Yes, I think that is a good idea. Landlock, S.A.R.A. and a couple
>>> other security modules could be added upstream if this part of the
>>> work was available. It would not provide everything needed to stack
>>> all the existing modules. I believe there is concern that if this
>>> much went upstream the work on finishing what's required to make
>>> everything work might be abandoned.
>>>
>> On the other hand there is concern that those security modules might
>> be abandoned if they have to wait until everything is finished :)
>
> There is some truth to that. If we can get commitment from the developers
> of those security modules to push for getting upstream, a statement of
> intent to support additional modules (e.g. Landlock, S.A.R.A.) from a
> significant distribution (e.g. Fedora, Ubuntu, SuSE) and ACKs from the
> maintainers of the existing modules we should be able to breeze right in.
>
> Yeah, I think that's about all it would take.

I would strongly recommend Landlock and SARA for every distro. They're
opt-in, and provide much-needed missing userspace defenses (and attack
surface reduction).

-Kees

-- 
Kees Cook
Pixel Security