Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp683691imm; Thu, 13 Sep 2018 06:17:24 -0700 (PDT) X-Google-Smtp-Source: ANB0VdabbYflPY86tw5hwBoa6O4xlTsTF9ipu9VlW9Yv3o3/SymhX2a09unE1l7GkW+WpBpPmroV X-Received: by 2002:a63:3c5c:: with SMTP id i28-v6mr7142047pgn.415.1536844644101; Thu, 13 Sep 2018 06:17:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536844644; cv=none; d=google.com; s=arc-20160816; b=JXxY8rLxOPIGBkXihWibuwbFr+DIYVNGEB4T1S256IdMJsSeUXp0EIpJgAlRIAiI3P XbRJukomit1YYh0I+0ad+kwUu6Z3Zzla2jUWh/QdJi6pDzXLyiCsXxC8SXamsGh7iZKO E2lXLU33CUL/MpdlVDRSxAumAsoNZtHfWOuCS3lA+4BWgNDVfcG8MNiBPw35OpU5bCaf MG7YGXNmlk9KSdZlhz8hrktxzOlxRy6GtMta1ZNh7Zv2lDXebK9TDYkKNNcXW1BvQhyX jM+qNkzHAbyQ0k06Lhwa9W/SsbwcNOtr4pidQoadd1ZYTW+umhsjSXYMef5HCYr64Tfx SYmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=9AiYgXrIawJIgvYrQKzVn6hFt7fxHpMJ7RkWi2T3eow=; b=HI9/M/bpmOTqdk6enBhyUn14O+P3eXBFyNy+XWu0X67e7EqIB/07wTAMn2H2Ykz321 SsFlVH2pdk295BC1o2ATh2fiIsNYJeuulZbG0IusNrnSUP2snLTEffyVoUSrrpkOZqjO 7JEwffWLFt/mgM9ZhB8amuPNd5Q77/AbK4bOulgMTlgp1n5u3elTbOsl3Zrb2cgtrs37 oDrI/fObzC1R3Zqe3vTYTQCT0cKBu7ZjsMrNBm8ptWlvIMFUIPu9HsOFP/j4ULzirtyU lcIJsum5hxwi9Qw1z+Y0lCpBf9zuV/gw/S8Z+jr1s4Owbi9aLr4BsWDLgNiVvkunJHtu YKHQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=IUE6kX1x; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j15-v6si3770256pfn.366.2018.09.13.06.16.59; Thu, 13 Sep 2018 06:17:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=IUE6kX1x; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727623AbeIMS0T (ORCPT + 99 others); Thu, 13 Sep 2018 14:26:19 -0400 Received: from mail-lj1-f195.google.com ([209.85.208.195]:45944 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727403AbeIMS0T (ORCPT ); Thu, 13 Sep 2018 14:26:19 -0400 Received: by mail-lj1-f195.google.com with SMTP id u83-v6so4544951lje.12 for ; Thu, 13 Sep 2018 06:16:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9AiYgXrIawJIgvYrQKzVn6hFt7fxHpMJ7RkWi2T3eow=; b=IUE6kX1xirh+LJxA0cT2FIzessZBKhxrfpfJ11cFlHltEoP+pyaB9tgTOuQIkKwemz aiVrzm+KdhTP6ajh+2TDqTHZXpyrCkM66EPbC0Zho5DcSlNZa68fIkxqloAi9G2G3O7o aQA0HHMqvLoSzGsK6HYVMAZE4swh4qcRpVbrMAtH3zFssP8mo1fYb3OtilsIaliM2ZYO /PeTVckPzB9Nav73seu1mL7YCCMoqf6HUWjHNDWyfdYtFQaL0tVqulSjjKbbH1pqwfdl lXLTKc3SoMvyslb24u1bmduNY5dzMm94OG814Uyj1joWK02KmrNg6JhoVpGK2W+Eeuua H6Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9AiYgXrIawJIgvYrQKzVn6hFt7fxHpMJ7RkWi2T3eow=; b=Ry0B5Pskf57t7cqC6+N2RQt37+N7TV3lDLQ8oD2TGH6Ss7S25IDOoSGemwgm5bPy4y Roc8dTQZEK3x4BKjZliUcBVgKZg3tfBh9crzSYEGDkA7ifRCrn5zHtA/JHjqPf1XGoG5 woPmHgNoEbnRgzL9pzAOx5oxP4pzb+3FcSr4t7FgJX/uxg8DXXZWoJ271vouyCy7KoKM VlngY3+P5+TagBDELB8P5TJRw/XxFHJSgo0yScJVr7YxzNJoPMsC4WI5zVE8CbUutzHY 1+vjeG0jzlZpCBu2jq1gqzuz79N3uF4uW65Mrp7Wx+Sl20iPBrGdGs7E36wHXTOZic6T geDA== X-Gm-Message-State: APzg51BofVA/sS2MutWIURPnGOeaEBo20ttEGKuHOZTXguJh4cH6v2SB zBlN5jm1YtGeU7d36r+uSHmIewQp41rmIrP9EhIV X-Received: by 2002:a2e:811:: with SMTP id 17-v6mr4795832lji.140.1536844610768; Thu, 13 Sep 2018 06:16:50 -0700 (PDT) MIME-Version: 1.0 References: <99cb1ae7-8881-eb9a-a8cb-a787abe454e1@schaufler-ca.com> In-Reply-To: From: Paul Moore Date: Thu, 13 Sep 2018 09:16:39 -0400 Message-ID: Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock To: keescook@chromium.org Cc: casey@schaufler-ca.com, linux-security-module@vger.kernel.org, James Morris , linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, Stephen Smalley , linux-fsdevel@vger.kernel.org, adobriyan@gmail.com, casey.schaufler@intel.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 13, 2018 at 12:19 AM Kees Cook wrote: > On Tue, Sep 11, 2018 at 9:42 AM, Casey Schaufler wrote: > > Two proposed security modules require the ability to > > share security blobs with existing "major" security modules. > > These modules, S.A.R.A and LandLock, provide significantly > > different services than SELinux, Smack or AppArmor. Using > > either in conjunction with the existing modules is quite > > reasonable. S.A.R.A requires access to the cred blob, while > > LandLock uses the cred, file and inode blobs. > > > > The use of the cred, file and inode blobs has been > > abstracted in preceding patches in the series. This > > patch teaches the affected security modules how to access > > the part of the blob set aside for their use in the case > > where blobs are shared. The configuration option > > CONFIG_SECURITY_STACKING identifies systems where the > > blobs may be shared. > > > > The mechanism for selecting which security modules are > > active has been changed to allow non-conflicting "major" > > security modules to be used together. At this time the > > TOMOYO module can safely be used with any of the others. > > The two new modules would be non-conflicting as well. > > > > Signed-off-by: Casey Schaufler > > --- > > Documentation/admin-guide/LSM/index.rst | 14 +++-- > > include/linux/lsm_hooks.h | 2 +- > > security/Kconfig | 81 +++++++++++++++++++++++++ > > security/apparmor/include/cred.h | 8 +++ > > security/apparmor/include/file.h | 9 ++- > > security/apparmor/include/lib.h | 4 ++ > > security/apparmor/lsm.c | 8 ++- > > security/security.c | 30 ++++++++- > > security/selinux/hooks.c | 3 +- > > security/selinux/include/objsec.h | 18 +++++- > > security/smack/smack.h | 19 +++++- > > security/smack/smack_lsm.c | 17 +++--- > > security/tomoyo/common.h | 12 +++- > > security/tomoyo/tomoyo.c | 3 +- > > 14 files changed, 200 insertions(+), 28 deletions(-) ... > > diff --git a/security/Kconfig b/security/Kconfig > > index 22f7664c4977..ed48025ae9e0 100644 > > --- a/security/Kconfig > > +++ b/security/Kconfig > > @@ -36,6 +36,28 @@ config SECURITY_WRITABLE_HOOKS > > bool > > default n > > > > +config SECURITY_STACKING > > + bool "Security module stacking" > > + depends on SECURITY > > + help > > + Allows multiple major security modules to be stacked. > > + Modules are invoked in the order registered with a > > + "bail on fail" policy, in which the infrastructure > > + will stop processing once a denial is detected. Not > > + all modules can be stacked. SELinux, Smack and AppArmor are > > + known to be incompatible. User space components may > > + have trouble identifying the security module providing > > + data in some cases. > > + > > + If you select this option you will have to select which > > + of the stackable modules you wish to be active. The > > + "Default security module" will be ignored. The boot line > > + "security=" option can be used to specify that one of > > + the modules identifed for stacking should be used instead > > + of the entire stack. > > + > > + If you are unsure how to answer this question, answer N. > > I don't see a good reason to make this a config. Why shouldn't this > always be enabled? I do. From a user perspective it is sometimes difficult to determine the reason behind a failed operation; its is a DAC based denial, the LSM, or some other failure? Stacking additional LSMs has the potential to make this worse. The boot time configuration adds to the complexity. I think we should leave this decision to the individual distros so that they can make their own decision on LSM stacking based on the savviness of their user base and the quality of their support infrastructure. -- paul moore www.paul-moore.com