Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2989207imm; Mon, 24 Sep 2018 13:36:18 -0700 (PDT) X-Google-Smtp-Source: ACcGV60aj8vs2cI4cB6dLqb8KfpX4VEwGNYunOjSC5Mavl9ClxUB/9do23FKUgQsqO/57gMlBVR0 X-Received: by 2002:a63:3f07:: with SMTP id m7-v6mr391877pga.115.1537821378294; Mon, 24 Sep 2018 13:36:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537821378; cv=none; d=google.com; s=arc-20160816; b=GS8Otjc5LZ5d2yirFMv5q4PbivVz5OM6DoobSBEk1uRbcUls6Pm/3UawBKTs3lIytR i6NGK09IymLoHLfzBdo9rwToaRk4g+CWXSMIsMbDJUOdtw1/UPidBkH0jsQxfL7oM7ET sUJEY1U/ESqdgcxQoBlIx2RS+8V5rYh4HQPNOTtcuh3vh2HkrpPF/1RgNYscaztcu9lW ZfgKth9OXeXzJmKcEWgwF0wuth1rMU5W4JdKNiO1ZGv9S8tHbHB0nwLq9rXKfOH0dl07 7jufYkF2GD/HufRyNaJp+JQ4fCCqxAJgpcul6H2o5Kz3hk/Cc/LA2oqObt/hOAojoM86 iHfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=Rurx9ZHNwhjWBpVfxZu5G9dFBDtm0qr/75sfd+4bDZI=; b=qfWscjge7uwctjOg1b6/oCreHTo7L7gBP9pXzcZEwEWoLgsRpFA3mYDjbU54W+hBAk 0LD2M8ijA/jSCwt5AjmN0kOj4r8fbEFideDWqw9TvinCKt72gL72rYuRh+qWkoppCJB2 Qg8zd59q+UMzJetgzrvns3bbu1hKKuWzZ7/fP6gZOpZTnVALcsWbVqgnXyOn0nMWa6xq IV9oBZKYYShIZ8LrmW5rd361NJB02ph5lJ2qqGC3ZIZAyctnwsfJuyMjQKxMVYm6pTme xrcWy8T078B4WMGkLV4dgKwGhGIdnhlAahdtEWxP/XOGh/2ZuxVmJo1yHQMfVvhUJm6O xplw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=BtHfnUjs; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i21-v6si325156pgh.53.2018.09.24.13.36.03; Mon, 24 Sep 2018 13:36:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=BtHfnUjs; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727676AbeIYChz (ORCPT + 99 others); Mon, 24 Sep 2018 22:37:55 -0400 Received: from sonic309-27.consmr.mail.gq1.yahoo.com ([98.137.65.153]:34529 "EHLO sonic309-27.consmr.mail.gq1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727247AbeIYChy (ORCPT ); Mon, 24 Sep 2018 22:37:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1537821234; bh=Rurx9ZHNwhjWBpVfxZu5G9dFBDtm0qr/75sfd+4bDZI=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=BtHfnUjsHlCcD5Opu37op/j2byCx4PNMlWYbZXu4yumgJcM2tD+dAXYyXaOIskrhfEQDvNIbUdpTYg8nvntyZenIRSZi5R9yAnYnbyhDP7/cWw9LgJSAFuNqlrqpxa1wtYmSC/6wCCPLR9090UliReKsvjJIKJsMqLV+Kc0K2zhavTzgDKpsCBd/zJWsgGIlUNUD2B3e5XyIptuyADOTAcowWUVmdBMPfZ4Fup9nzLNfuE2jWV3Ggg5boPwHL+Atp231KcmkE/B7ee5pgBvYJllQDbCZNQk9+MzH51FiF9qfoEwzJn+QFLsgK4yQHCJz/oriESJ2zc648/8UJbGeYQ== X-YMail-OSG: G938i_kVM1kW33_Gcm8B5Ud5AX03efUvZ3y21eNI_MfjoqjuP7YRKhh1w.ze0Yv LiGS1d.WnMhr0KfqLHyle3m7L.HoKQRf7mZ3Lc4CHi4lu6YydwT0R8PmbHhySRUGvwrPRJ_ZQHSH vauBvY8Bd1WP1au3ZsPVGXZXPh3XBLylUPdxLzzlOJdhg2IhNNCktId0R0fHnCHAr9UScAUbbTMa jC7msDEwWYQFVnFcsPgMBv7TlQZpGupUZ9gzRFqi2vGDMPLgIN_JWYD59lgKJDGojup92wMkuyiu 1aIgat43u31dTsRAqzwn1jsHLy2e2wLLgxrTSw4308G6fxIfuT_CDoF3ifV5Tg.uoqaoYkLrHFz3 Ux6nq4dchTV_l.spmhLsP8eQGMQzDrdJB9actIWApfOrbMmznQqGzLQB09R0sj87EMtIdE5yiKW. DWRD_A4n0lwrHqEbGghW3Dh1YWLD9svNnxZZoS9lZ0ZP1u1_EfyBMxOSxDQQYZcKM.77uDgaPQJb ccGr1LsWpvsu5N8aX0DZ6q2WFZyezceZx7laz1tNHOgodhFbEtH1ry9DI9VncLqDGYI3dFIW5871 kUKzjkDhrtzI93oegmEKJVx5rEUZWlijtTF_lUl5B..vdZ.WzJZrVSCNqWxsjb3Zj8mg6LEwTf7T lcGuV1g6htm989sE25NL7X1k65IrwofKvlv1EpJtjxoRpIsju8yPmaccjtec5GdenD7l69yvdXlw OjR.kkM3i5vq0CTlq_5eiE3e_wTPHX21ljNuSHJBEGmLhqkMicJ_T8yz2PFkA_R87LltyH.DYp_b mbjqw5LH00XR83E010LZiGlx9ImIpmcYMlLUk_cvyk0nasxHHlCL3s9l6FnCG9xSHzLF_2wUpmKp IiIoxgJLZcgmaVJiZaZVqJi_3rq38eYENFcJvjCdTRUnew5rTpwEAkzJVCXdg9UJ8DaR0PZcfwx9 ssN90lyzL4yNHZMV1mNRBMhhBl2tJ1viczLlPryqEC2ciPBt2kbl_1n4yngzW7ox_NCMXORitmYT DCaxC.rbvwJYC9GNIotcyRK9QSqA- Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.gq1.yahoo.com with HTTP; Mon, 24 Sep 2018 20:33:54 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.102]) ([67.169.65.224]) by smtp422.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID c46ebf4d0dddcae4f2722441969ed02b; Mon, 24 Sep 2018 20:33:52 +0000 (UTC) Subject: Re: [PATCH v4 00/19] LSM: Module stacking for SARA and Landlock To: Tetsuo Handa , Kees Cook Cc: LSM , James Morris , SE Linux , LKLM , John Johansen , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Salvatore Mesoraca References: <680e6e16-0890-8304-0e8e-6c58966813b5@schaufler-ca.com> <39457e79-3816-824b-6b4d-89d21b03f9ce@i-love.sakura.ne.jp> <3350edec-c233-9428-73b0-58d582d1e3b9@schaufler-ca.com> From: Casey Schaufler Message-ID: <28e4ca6d-e86c-ee1f-ead8-f03d1ccd7d54@schaufler-ca.com> Date: Mon, 24 Sep 2018 13:33:51 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 9/24/2018 10:53 AM, Tetsuo Handa wrote: > On 2018/09/25 2:16, Casey Schaufler wrote: >>> Not all of LKM-based LSMs use security blobs. And some of LKM-based LSMs >>> might use security blobs for only a few objects. For example, AKARI uses >>> inode security blob for remembering whether source address/port of an >>> accept()ed socket was already checked, only during accept() operation and >>> first socket operation on the accept()ed socket. Thus, there is no need >>> to waste memory by assigning blobs for all inode objects. >> The first question is why use an inode blob? Shouldn't you >> be using a socket blob for this socket based information? > Indeed. AKARI can as well use security_sk_free() using address of > "struct sock" as a key. > >> If you only want information part of the time you can declare >> a pointer sized blob and manage what hangs off that as you will. >> I personally think that the added complexity of conditional >> blob management is more pain than it's worth, but if you want >> a really big blob, but only on occasion, I could see doing it. > LKM based LSMs are too late for updating blob_sizes.* fields. That is true with the code in this patch set. As I mentioned, changing the blob handling to include a header with real use information would be required. > Even if they could, they after all have to somehow check whether > corresponding init hook was called. That's checking for NULL. Right. >>>>> @@ -1202,11 +1183,11 @@ void security_file_free(struct file *file) >>>>> { >>>>> void *blob; >>>>> >>>>> + call_void_hook(file_free_security, file); >>>>> + >>>>> if (!lsm_file_cache) >>>>> return; >>>>> >>>>> - call_void_hook(file_free_security, file); >>>>> - >>>> Why does this make sense? If the lsm_file_cache isn't >>>> initialized you can't have allocated any file blobs, >>>> no module can have initialized a file blob, hence there >>>> can be nothing for the module to do. >>>> >>> For modules (not limited to LKM-based LSMs) which want to use >>> file blobs for only a few objects and avoid wasting memory by >>> allocating file blobs to all file objects. >>> >>> Infrastructure based blob management fits well for LSM modules >>> which want to assign blobs to all objects (like SELinux). But >>> forcing infrastructure based blob management can become a huge >>> waste of memory for LSM modules which want to assign blobs to >>> only a few objects. Unconditionally calling file_free_security >>> hook (as with other hooks) preserves a room for allowing the >>> latter type of LSM modules without using infrastructure based >>> blob management. >> There is a hypothetical issue here, but that would require abuse >> of the infrastructure. Having a file_free_security hook that doesn't >> free a security blob allocated by file_alloc_security may coincidentaly >> be useful, but that's not the intent of the hook. >> > The free hook might be used for freeing resources which were not allocated > by alloc hook. Yama is using task_free hook without task_alloc hook. > Someone might want to use file_free hook without file_alloc hook. OK, you're correct. Checking for an initialized kmem_cache isn't appropriate.