From: Kees Cook
Date: Thu, 13 Sep 2018 16:51:43 -0700
Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock
To: John Johansen
Cc: Paul Moore, Casey Schaufler, linux-security-module, James Morris, LKML, SE Linux, Tetsuo Handa, Stephen Smalley, "linux-fsdevel@vger.kernel.org", Alexey Dobriyan, "Schaufler, Casey"
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 13, 2018 at 4:32 PM, John Johansen wrote:
> On 09/13/2018 04:06 PM, Kees Cook wrote:
>> - what order should any stacking happen? Makefile? security=?
>>
> Preferably not. For the single LSM we have the ability to choose the default LSM,
> ideally we let the distro decide in the Kconfig and the user with security=...

I can't find a non-crazy way to do this in Kconfig. Right now, if I
threw out all the _DEFAULT stuff, I could do:

config SECURITY_SELINUX_ENABLED
	bool "SELinux LSM enabled at boot time"
	depends on SECURITY_SELINUX
	depends on !SECURITY_APPARMOR_ENABLED && !SECURITY_SMACK_ENABLED
	default SECURITY_SELINUX

config SECURITY_SMACK_ENABLED
	bool "SMACK LSM enabled at boot time"
	depends on SECURITY_SMACK
	depends on !SECURITY_APPARMOR_ENABLED && !SECURITY_SELINUX_ENABLED
	default SECURITY_SMACK

config SECURITY_APPARMOR_ENABLED
	bool "AppArmor LSM enabled at boot time"
	depends on SECURITY_APPARMOR
	depends on !SECURITY_SMACK_ENABLED && !SECURITY_SELINUX_ENABLED
	default SECURITY_APPARMOR

config SECURITY_TOMOYO_ENABLED
	bool "TOMOYO LSM enabled at boot time"
	depends on SECURITY_TOMOYO
	default y if !SECURITY_SELINUX_ENABLED && !SECURITY_SMACK_ENABLED && !SECURITY_APPARMOR_ENABLED

config DEFAULT_SECURITY
	string
	default "selinux" if SECURITY_SELINUX_ENABLED
	default "smack" if SECURITY_SMACK_ENABLED
	default "apparmor" if SECURITY_APPARMOR_ENABLED
	default "tomoyo" if SECURITY_TOMOYO_ENABLED

(As before, CONFIG_DEFAULT_SECURITY basically means the effective
"security=" contents. Reminder that Kconfig defaults are "first match", so
tomoyo would only happen if all others are not enabled by default.)

But this doesn't provide a way for Kconfig to declare the ordering of
TOMOYO followed by SELinux. If we just declare ordering is a function
of the Makefile, then the above would work as expected. The
"conflicting major LSM" could be specified on "security=" and stacked
could be enabled with $lsm.enable=1 (or disabled).

So, before we can really make a decision, I think we have to decide:
should ordering be arbitrary for even this level of stacking?

-Kees

-- 
Kees Cook
Pixel Security
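
Added example (not part of the original message and not kernel code): a small Python model of the scheme sketched above, showing the "first match" default and why the resulting LSM order is fixed by link order rather than by anything in Kconfig or on the command line. LINK_ORDER, the simplified command-line parsing and the function names are assumptions made for illustration.

```python
# Model of the Kconfig sketch plus "security=" / "<lsm>.enable=" handling.
# Assumption: LINK_ORDER stands in for the order the LSMs appear in the Makefile.
MAJOR = ("selinux", "smack", "apparmor")        # exclude each other in the sketch
FIRST_MATCH = MAJOR + ("tomoyo",)               # order of the "default ... if" lines
LINK_ORDER = ("selinux", "smack", "tomoyo", "apparmor")  # constructed for the example


def default_security(enabled):
    """Value of CONFIG_DEFAULT_SECURITY for a set of *_ENABLED symbols."""
    majors = [m for m in MAJOR if m in enabled]
    if len(majors) > 1:
        raise ValueError("conflicting major LSMs enabled: " + ", ".join(majors))
    # Kconfig takes the first "default" line whose condition holds.
    return next((name for name in FIRST_MATCH if name in enabled), "")


def active_lsms(enabled, cmdline=""):
    """Ordered LSM list after applying security= and <lsm>.enable= (simplified)."""
    params = dict(tok.split("=", 1) for tok in cmdline.split() if "=" in tok)
    chosen = params.get("security", default_security(enabled))
    if chosen and chosen not in LINK_ORDER:
        raise ValueError("unknown LSM in security=: " + chosen)
    active = {chosen} if chosen else set()
    for name in LINK_ORDER:
        if name in MAJOR:
            continue                      # majors are picked only via security=
        flag = params.get(name + ".enable")
        if flag == "1" or (flag is None and name in enabled):
            active.add(name)
    # Order is whatever the link order says; nothing above can change it.
    return [name for name in LINK_ORDER if name in active]


if __name__ == "__main__":
    # Constructed inputs: a config with SELinux and TOMOYO enabled.
    print(default_security({"selinux", "tomoyo"}))            # first match wins
    print(active_lsms({"selinux", "tomoyo"}))                 # link order decides
    print(active_lsms({"selinux"}, "ro security=apparmor tomoyo.enable=1"))
```

With LINK_ORDER as constructed here, no combination of inputs yields TOMOYO followed by SELinux, which is the ordering gap the message describes.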