Date: Wed, 3 Oct 2018 08:06:12 +1000 (AEST)
From: James Morris
To: Kees Cook
cc: John Johansen, Jordan Glover, Stephen Smalley, Paul Moore, Casey Schaufler, Tetsuo Handa, "Schaufler, Casey", linux-security-module, Jonathan Corbet, "open list:DOCUMENTATION", linux-arch, LKML
Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter

On Tue, 2 Oct 2018, Kees Cook wrote:

> On Tue, Oct 2, 2018 at 11:57 AM, John Johansen wrote:
> > Under the current scheme
> >
> >   lsm.enabled=selinux
> >
> > could actually mean selinux,yama,loadpin,something_else are
> > enabled. If we extend this behavior to when full stacking lands
> >
> >   lsm.enabled=selinux,yama
> >
> > might mean selinux,yama,apparmor,loadpin,something_else
> >
> > and what that list is will vary from kernel to kernel, which I think
> > is harder for the user than the lsm.enabled list being what is
> > actually enabled at boot
>
> Ah, I think I missed this in your earlier emails. What you don't like
> here is that "lsm.enable=" is additive. You want it to be explicit.
>

This is a path to madness.

How about enable flags set ONLY per LSM:

  lsm.selinux.enable=x
  lsm.apparmor.enable=x

With no lsm.enable, and removing selinux=x and apparmor=x.

Yes this will break existing docs, but they can be updated for newer
kernel versions to say "replace selinux=0 with lsm.selinux.enable=0" from
kernel X onwards.

Surely distro packages and bootloaders are able to cope with changes to
kernel parameters?

We can either take a one-time hit now, or build new usability debt, which
will confuse people forever.

-- 
James Morris
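
The three parameter schemes discussed in this message, as an added Python model that is neither kernel code nor from any participant in the thread: it computes the effective LSM set for the same command line on two kernel builds. Assumptions: the built-in default sets are constructed, the list parameter is spelled `lsm.enable` (the thread also writes `lsm.enabled`), per-LSM flags take `0` or `1`, and an LSM not named on the command line keeps its build-time default.

```python
# Toy model of the LSM boot-parameter schemes debated in this thread.
# Not kernel code. Default sets and the 0/1 value syntax are assumptions.

def parse_cmdline(cmdline):
    """Split a kernel-style command line into {key: value}."""
    return dict(tok.partition("=")[::2] for tok in cmdline.split())

def _names(value):
    """Turn a comma-separated list into a set, ignoring empty items."""
    return {n for n in value.split(",") if n}

def additive(defaults, cmdline):
    """Listed LSMs are added on top of this kernel's built-in defaults."""
    return set(defaults) | _names(parse_cmdline(cmdline).get("lsm.enable", ""))

def explicit(defaults, cmdline):
    """The list is exactly what is enabled; defaults apply only if it is absent."""
    params = parse_cmdline(cmdline)
    if "lsm.enable" not in params:
        return set(defaults)
    return _names(params["lsm.enable"])

def per_lsm(defaults, cmdline):
    """Only lsm.<name>.enable=0|1 flags; unnamed LSMs keep their default."""
    enabled = set(defaults)
    for key, val in parse_cmdline(cmdline).items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "lsm" and parts[2] == "enable":
            if val == "1":
                enabled.add(parts[1])
            elif val == "0":
                enabled.discard(parts[1])
    return enabled

# Constructed examples: two kernel builds with different built-in defaults.
KERNEL_A = {"yama", "loadpin"}
KERNEL_B = {"yama", "loadpin", "apparmor"}

if __name__ == "__main__":
    for name, defaults in (("A", KERNEL_A), ("B", KERNEL_B)):
        print(name, "additive:", sorted(additive(defaults, "lsm.enable=selinux")))
        print(name, "explicit:", sorted(explicit(defaults, "lsm.enable=selinux")))
        print(name, "per-LSM: ", sorted(per_lsm(
            defaults, "lsm.selinux.enable=1 lsm.apparmor.enable=0")))
```

Under the additive model the same `lsm.enable=selinux` yields different sets on the two builds, which is the kernel-to-kernel variation the quoted text objects to; under the per-LSM model only the named modules change state.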