Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3405298imm; Sun, 16 Sep 2018 17:48:42 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZemmpW4xVzsvqa2PIuOwGyK02pxAJPaDEmRiBOF2k1bORM41nzXM0F4b6iV/jYT3MwrMQJ X-Received: by 2002:a63:7353:: with SMTP id d19-v6mr21158861pgn.281.1537145322276; Sun, 16 Sep 2018 17:48:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537145322; cv=none; d=google.com; s=arc-20160816; b=wgsBYH4Rs7BEQ9IOsKu0wMGCaGsJDXoUcsYS7Em6zP604q5IuYlJr8K6YOFJMhrFHy gn0Dmfg0yQgc3DgyqdaaD/GzO64OgfQWJ2qliRJgwbo1q7Rg4WM+6WfPo1u+wqYB1Vwl 6hqpdPwwpGLrZ4S9SMoKhTy2ZwLyxa2cqfjVpb1/ZD4F4sXYJLMACsrf6YxTALxj7U8i Fn2NE5dZwMRYplkHYOyx0plwrg6/EO/RnZlMJSI6vI6xUzsJUD20p2nxqPe1n88p+vZO py0HdO/D0FnMt7VIuh+9ug7qZWAyF4FCrNydjseb8tVesZqxWrDeaKubcrPkPMlLs32O k0gA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=wAgLBhjqfVzMeo5gkc+6aL8yWyy7rnujfJBgW8TVDbI=; b=dO1RRrNEQdSlJsC9FVOJJutHM/tNGOTDJASNB/RH+u7xqcaFqB/Cpv7aNpb/X4yvWH KIPDBjofc62VjSeiqFQf5K0sxWLKmMT9GnWSMr6A0p6H23rYuurINwnVUIeU3hOMRn2G 7jFZ1cyf9esNqfGTExz60UT8WfOLaydLnTsPnr/LnZGkXUcrLY42sAG/Ot3U5iZK7G0Z KY1GzJs51bsPNASg3m+lXL2DMIi8DoAIZ3/hHglPBoKDWfgpCEk+QOfRXptnB73DlTZy BxYS8tJ9dV5bO0G0EV0jBuNnvuNFyNR8CDnUG9JGiF267rN3iwwfn/k4HTZ9HB4b6qcb TaZw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w3-v6si14261828ply.370.2018.09.16.17.48.27; Sun, 16 Sep 2018 17:48:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728227AbeIQGMR (ORCPT + 99 others); Mon, 17 Sep 2018 02:12:17 -0400 Received: from www262.sakura.ne.jp ([202.181.97.72]:61306 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726457AbeIQGMQ (ORCPT ); Mon, 17 Sep 2018 02:12:16 -0400 Received: from fsav103.sakura.ne.jp (fsav103.sakura.ne.jp [27.133.134.230]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id w8H0l2Ee094630; Mon, 17 Sep 2018 09:47:02 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav103.sakura.ne.jp (F-Secure/fsigk_smtp/530/fsav103.sakura.ne.jp); Mon, 17 Sep 2018 09:47:02 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/530/fsav103.sakura.ne.jp) Received: from [192.168.1.8] (softbank060157066051.bbtec.net [60.157.66.51]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id w8H0kv74094624 (version=TLSv1.2 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Sep 2018 09:47:01 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Subject: Re: [PATCH 16/18] LSM: Allow arbitrary LSM ordering To: Kees Cook , Casey Schaufler Cc: James Morris , John Johansen , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , LKLM References: <20180916003059.1046-1-keescook@chromium.org> <20180916003059.1046-17-keescook@chromium.org> <84e1a5a8-8997-829f-cf09-1d29895a3f99@schaufler-ca.com> From: Tetsuo Handa Message-ID: Date: Mon, 17 Sep 2018 09:46:58 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018/09/17 8:00, Kees Cook wrote: > On Sun, Sep 16, 2018 at 11:49 AM, Casey Schaufler > wrote: >> One solution is to leave security= as is, not affecting "minor" >> modules and only allowing specification of one major module, and adding > > I would much prefer this, yes. > > A question remains: how do we map the existing "security=" selection > of a "major" LSM against what will be next "exclusive" plus tomoyo, > and in the extreme case, nothing? > > Perhaps as part of deprecating "security=", we could just declare that > it is selecting between SELinux, AppArmor, Smack, and Tomoyo only? > >> another boot option security.stack= that overrides a security= option >> and that takes the list as you've implemented here. > > or "lsm.stack=" that overrides "security=" entirely? Yes, I think we can add new option. For example, introducing lsm= and obsoleting security= (because total length for kernel command line is limited while enumeration makes the parameter value longer). security= works like current behavior. lsm= requires explicit enumeration of all modules (except capability which has to be always enabled) which should be enabled at boot. security= is ignored if lsm= is specified.