Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1676479imm; Tue, 2 Oct 2018 12:03:45 -0700 (PDT) X-Google-Smtp-Source: ACcGV62B18Ico8vFXl+zXsQ5p0tKllcatn0qs0oIBcDC9jjFI+o5fElgqiyiPgD0ck1drHWgLevK X-Received: by 2002:a17:902:1745:: with SMTP id i63-v6mr17905756pli.3.1538507025636; Tue, 02 Oct 2018 12:03:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538507025; cv=none; d=google.com; s=arc-20160816; b=EfrANWPUQfU2CumByAarOswAeOwUJSDFMU0I48GUfafmg53I1cHPtUy1QxF5jRC5l0 bvVP5nkn+L++QtSRCGzNiPO3vdZkiB+tQMjSM6IwYjb2Q0zvJWVGNZMkyqbIbEIUTTeG bK6Wp/3jqtXWQvS4QNAAoINxCfnpsMXfwoKTt/jJVCC/egSh6rz5+0Ocyv0IV6aTGMd9 owIwuFa/BgBtaNApbfrSDchPObB13f0DFixwjHJjJROmx8I/kLlDevIpufALqQ6T+UFP 5/3lgn2cf+qTdq2hsLK+Fi9zIuoYOejwiZcVKpMbH3fFPzu9yUinPoviM97ZB6OfR8Wx CHeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature; bh=Z++//P3YjInCGZ08dRZq3CLV98QJ86yU6u/kjrJS+oc=; b=DeKPZTg2gc8fjC8UtYQG+5PmEAI0Ijj02MvSNddpBX2oy0YxFHvAXiV7ZHRLQkgyHh G6LU0gQ45PMY3xpvk4SsYpqYu5J/LfD5oIbrfjxo77KNrkEurRSn1cSgeQtfq/zYBsli 08is03qS2nu6eEHxBhq+RtzLX/+LQ80nZvM8IKVCxKzIv+VPo3Vj7YG7F+V2BW1mD1uC dL4IOGe6oTt/VcXvyjc2W/iK8/tudZwl0nY6splLJmKOxULea2aDG/YnoAGm9VILPf7C YtgH/wBXl/OqWFXId0Gfp431BFAtaCmZa8pXDVxpLxit8RitKejKoVdhjhouG3ZcYi00 1xUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=H84jSiJr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u1-v6si15358433pgj.430.2018.10.02.12.03.28; Tue, 02 Oct 2018 12:03:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=H84jSiJr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727750AbeJCBrv (ORCPT + 99 others); Tue, 2 Oct 2018 21:47:51 -0400 Received: from mail-yw1-f67.google.com ([209.85.161.67]:42472 "EHLO mail-yw1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727400AbeJCBrv (ORCPT ); Tue, 2 Oct 2018 21:47:51 -0400 Received: by mail-yw1-f67.google.com with SMTP id a197-v6so1221154ywh.9 for ; Tue, 02 Oct 2018 12:03:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Z++//P3YjInCGZ08dRZq3CLV98QJ86yU6u/kjrJS+oc=; b=H84jSiJrrfxdIWpeaTckpQZS2CitH9Cpm4oa0F0fAcAqvuUo9FMI55WQZII2ciETPI 51fzaPxwBIWNjsKO58aIiDfpulTLpnVi0GiMazqY5EJ9qLwOB3Bv9PlYNafTvHDJlu/X m8hA88DSZuWHa4MAau8k9a3DqvhFiL0+4yXB8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Z++//P3YjInCGZ08dRZq3CLV98QJ86yU6u/kjrJS+oc=; b=lcnMmmPEf5/xmEaPP8joEYA64BHMY2ygKkhx15ajzeel4at1Ym3dRThiaEweJbHXCN bnaRYoHuD9gpbSdrIZYtMnztW+HRidzJJHWnn6ZXkmOjCteu82UpLfL7s9+ltL53sZ4V 2cA/Yu4d3Pbt8uL+vJ4d6GSrnxQP1xH8z0HL7N2DCbgycRrjE1opRF1RgpoLHVQ50i2z 66kKY54mS3sDIYsYamoj7Zpua6fLYIC40FX9ZNk2+Xf3J3bBTT4g4bKmHBe9aHEkqayi EZ301NJYnxjglBEm54RIshwqVUp0mTJpQ7fzrWMbKnicDF9XJN2B975TB+Uev646QsPG mxtA== X-Gm-Message-State: ABuFfoi/TOOwKAQBZsLjOrZKIpIc2yKQulJNzYKzxCbOJ6grcOzYzU07 i8AyfxZggDEy8f6Gi1r19q1O7NwxJuw= X-Received: by 2002:a81:e243:: with SMTP id z3-v6mr9614898ywl.25.1538506981255; Tue, 02 Oct 2018 12:03:01 -0700 (PDT) Received: from mail-yb1-f178.google.com (mail-yb1-f178.google.com. [209.85.219.178]) by smtp.gmail.com with ESMTPSA id i62-v6sm2462456ywb.32.2018.10.02.12.02.59 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Oct 2018 12:02:59 -0700 (PDT) Received: by mail-yb1-f178.google.com with SMTP id 184-v6so1274265ybg.1 for ; Tue, 02 Oct 2018 12:02:59 -0700 (PDT) X-Received: by 2002:a25:2395:: with SMTP id j143-v6mr1236460ybj.137.1538506979133; Tue, 02 Oct 2018 12:02:59 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:d116:0:0:0:0:0 with HTTP; Tue, 2 Oct 2018 12:02:58 -0700 (PDT) In-Reply-To: References: <20181002005505.6112-1-keescook@chromium.org> <20181002005505.6112-24-keescook@chromium.org> <785ef6a9-ae46-3533-0348-74bcf6f10928@tycho.nsa.gov> <809f1cfd-077b-ee58-51ba-b22daf46d12b@tycho.nsa.gov> From: Kees Cook Date: Tue, 2 Oct 2018 12:02:58 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter To: Stephen Smalley Cc: Jordan Glover , Paul Moore , James Morris , Casey Schaufler , John Johansen , Tetsuo Handa , "Schaufler, Casey" , linux-security-module , Jonathan Corbet , "open list:DOCUMENTATION" , linux-arch , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 2, 2018 at 11:33 AM, Stephen Smalley wrote: > On 10/02/2018 12:54 PM, Kees Cook wrote: >> >> On Tue, Oct 2, 2018 at 9:33 AM, Jordan Glover >> wrote: >>> >>> It's always documented as: "selinux=1 security=selinux" so security= >>> should >>> still do the job and selinux=1 become no-op, no? >> >> >> The v3 patch set worked this way, yes. (The per-LSM enable defaults >> were set by the LSM. Only in the case of "lsm.disable=selinux" would >> the above stop working.) >> >> John did not like the separation of having two CONFIG and two >> bootparams mixing the controls. The v3 resolution rules were: >> >> SECURITY_SELINUX_BOOTPARAM_VALUE overrides CONFIG_LSM_ENABLE. >> SECURITY_APPARMOR_BOOTPARAM_VALUE overrides CONFIG_LSM_ENABLE. >> selinux= overrides SECURITY_SELINUX_BOOTPARAM_VALUE. >> apparmor.enabled= overrides SECURITY_APPARMOR_BOOTPARAM_VALUE. >> apparmor= overrides apparmor.enabled=. >> lsm.enable= overrides selinux=. >> lsm.enable= overrides apparmor=. >> lsm.disable= overrides lsm.enable=. >> major LSM _omission_ from security= (if present) overrides lsm.enable. >> >> v4 removed the per-LSM boot params and CONFIGs at John's request, but >> Paul and Stephen don't want this for SELinux. >> >> The pieces for reducing conflict with CONFIG_LSM_ENABLE and >> lsm.{enable,disable}= were: >> >> 1- Remove SECURITY_APPARMOR_BOOTPARAM_VALUE. >> 2- Remove apparmor= and apparmor.enabled=. >> 3- Remove SECURITY_SELINUX_BOOTPARAM_VALUE. >> 4- Remove selinux=. >> >> v4 used all of 1-4 above. SELinux says "4" cannot happen as it's too >> commonly used. Would 3 be okay for SELinux? > > > Let's say a user/packager/distro has been building kernels for the past 14 > years (*) with a config that has SECURITY_SELINUX_BOOTPARAM_VALUE=0, and now > they build a new kernel that includes these patches using that same config. > Won't SELinux be enabled by default because SECURITY_SELINUX_BOOTPARAM_VALUE > is now ignored and LSM_ENABLE defaults to all? Is it ok to require them to > specify a new config option to preserve old behavior? Yes, I think that's fine -- kernel CONFIGs change all the time. System builders are used to examining these changes. -Kees -- Kees Cook Pixel Security