From: Paul Moore
Date: Thu, 13 Sep 2018 22:42:59 -0400
Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock
To: keescook@chromium.org
Cc: casey@schaufler-ca.com, linux-security-module@vger.kernel.org, James Morris, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, Stephen Smalley, linux-fsdevel@vger.kernel.org, adobriyan@gmail.com, casey.schaufler@intel.com
References: <99cb1ae7-8881-eb9a-a8cb-a787abe454e1@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 13, 2018 at 5:52 PM Kees Cook wrote:
> On Thu, Sep 13, 2018 at 2:38 PM, Paul Moore wrote:
> > The infrastructure bits aren't really my concern; in fact I *like*
> > that the infrastructure is always exercised, it makes
> > testing/debugging easier. I also like the ability to limit the
> > user/admin to one LSM at boot time to make support easier; my goal is
> > to allow a distro to build support for multiple LSMs without also
> > requiring that distro to support *stacked* LSMs
>
> I see your point, but as soon as SARA and Landlock appear, they'll have:
>
> depends on SECURITY_STACKING
>
> and then all distros will enable it and there will be no sensible
> runtime way to manage it.
> If, instead, we make it entirely runtime
> now, then a CONFIG can control the default state and we can provide
> guidance to how SARA and Landlock should expose their "enable"ness.

I question why SARA and LandLock require stacking. While some LSMs
may benefit from stacking, e.g. Yama, traditionally each LSM has been
able to stand on its own. I think this is a quality that should be
preserved.

> > (see my earlier
> > comments about the difficulty in determining the source of a failed
> > operation).
>
> Agreed. I would hope that audit could help for that case.
> *stare at blue sky*

*also staring at blue sky*

Audit can help, but it is independent of the LSMs and not a hard
requirement for all, and even when it is enabled the config might not
be suitable to provide enough information to be helpful in this case.

--
paul moore
www.paul-moore.com