From: Kees Cook
Date: Tue, 2 Oct 2018 16:06:25 -0700
Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter
To: James Morris
Cc: John Johansen, Jordan Glover, Stephen Smalley, Paul Moore, Casey Schaufler, Tetsuo Handa, "Schaufler, Casey", linux-security-module, Jonathan Corbet, "open list:DOCUMENTATION", linux-arch, LKML
References: <20181002005505.6112-1-keescook@chromium.org> <20181002005505.6112-24-keescook@chromium.org> <785ef6a9-ae46-3533-0348-74bcf6f10928@tycho.nsa.gov> <809f1cfd-077b-ee58-51ba-b22daf46d12b@tycho.nsa.gov>
List-ID: linux-kernel@vger.kernel.org

On Tue, Oct 2, 2018 at 3:06 PM, James Morris wrote:
> On Tue, 2 Oct 2018, Kees Cook wrote:
>
>> On Tue, Oct 2, 2018 at 11:57 AM, John Johansen wrote:
>> > Under the current scheme
>> >
>> > lsm.enabled=selinux
>> >
>> > could actually mean selinux,yama,loadpin,something_else are
>> > enabled. If we extend this behavior to when full stacking lands
>> >
>> > lsm.enabled=selinux,yama
>> >
>> > might mean selinux,yama,apparmor,loadpin,something_else
>> >
>> > and what that list is will vary from kernel to kernel, which I think
>> > is harder for the user than the lsm.enabled list being what is
>> > actually enabled at boot
>>
>> Ah, I think I missed this in your earlier emails. What you don't like
>> here is that "lsm.enable=" is additive. You want it to be explicit.
>>
>
> This is a path to madness.
>
> How about enable flags set ONLY per LSM:
>
> lsm.selinux.enable=x
> lsm.apparmor.enable=x
>
> With no lsm.enable, and removing selinux=x and apparmor=x.
>
> Yes this will break existing docs, but they can be updated for newer
> kernel versions to say "replace selinux=0 with lsm.selinux.enable=0" from
> kernel X onwards.
>
> Surely distro packages and bootloaders are able to cope with changes to
> kernel parameters?
>
> We can either take a one-time hit now, or build new usability debt, which
> will confuse people forever.

I'd like to avoid this for a few reasons:

- this requires per-LSM plumbing instead of centralized plumbing
- each LSM needs to have its own CONFIG flag
- each LSM needs to have its own bootparam flag
- SELinux has explicitly stated they do not want to lose selinux=
- this doesn't meet John's goal of having a "single explicit enable list"

I think the current proposal (in the other thread) is likely the sanest
approach:

- Drop CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
- Drop CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
- All enabled LSMs are listed at build-time in CONFIG_LSM_ENABLE
- Boot time enabling for selinux= and apparmor= remain
- lsm.enable= is explicit: overrides above and omissions are disabled
- maybe include lsm.disable= to disable anything

-Kees

-- 
Kees Cook
Pixel Security
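As an added illustration (not the kernel's code, and not anything posted in this thread), the small C model below implements the precedence that the proposal at the end of the message describes: a build-time CONFIG_LSM_ENABLE list, legacy selinux=/apparmor= flags that flip one LSM, an explicit lsm.enable= that replaces the set and disables anything omitted, and an lsm.disable= that removes anything listed. The LSM names, the CONFIG_LSM_ENABLE stand-in string, the function names and the choice to apply lsm.disable= last are all assumptions made for the example; the real handling lives in the kernel's security/ code and is not reproduced here.

```c
/* Illustrative model of the lsm.enable= / lsm.disable= precedence proposed
 * in the message above. Hypothetical code, not the kernel's implementation. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LIST_LEN 128

/* LSMs compiled into this hypothetical kernel, in registration order (assumed). */
static const char *const all_lsms[] = { "selinux", "apparmor", "yama", "loadpin" };
#define N_LSMS ((int)(sizeof(all_lsms) / sizeof(all_lsms[0])))

/* Stand-in for the build-time CONFIG_LSM_ENABLE string (constructed sample). */
static const char *const config_lsm_enable = "selinux,yama,loadpin";

static int lsm_index(const char *name)
{
    for (int i = 0; i < N_LSMS; i++)
        if (strcmp(all_lsms[i], name) == 0)
            return i;
    return -1;
}

/* Walk a comma-separated list and set each named LSM to `on`.
 * Unknown names are ignored; a NULL list means the parameter was not given. */
static void apply_list(bool enabled[N_LSMS], const char *list, bool on)
{
    char buf[LIST_LEN];
    if (!list)
        return;
    snprintf(buf, sizeof(buf), "%s", list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int i = lsm_index(tok);
        if (i >= 0)
            enabled[i] = on;
    }
}

/* Legacy single-LSM flag (selinux= / apparmor=): "0" disables, any other
 * value enables; NULL means the flag was not on the command line. */
static void apply_legacy(bool enabled[N_LSMS], const char *name, const char *value)
{
    int i = lsm_index(name);
    if (value && i >= 0)
        enabled[i] = strcmp(value, "0") != 0;
}

/*
 * Resolve the final set in the order the proposal lists:
 *   1. CONFIG_LSM_ENABLE marks its members enabled, everything else disabled.
 *   2. selinux= / apparmor= flip just that one LSM.
 *   3. lsm.enable= is explicit: if given it replaces the set; omissions are disabled.
 *   4. lsm.disable= removes anything listed, whatever the steps above said (assumed last).
 * Returns the enabled LSMs as a comma-separated list in registration order
 * (static buffer, overwritten on each call).
 */
static const char *resolve_lsms(const char *selinux_param, const char *apparmor_param,
                                const char *lsm_enable, const char *lsm_disable)
{
    static char out[LIST_LEN];
    bool enabled[N_LSMS] = { false };

    apply_list(enabled, config_lsm_enable, true);      /* step 1 */
    apply_legacy(enabled, "selinux", selinux_param);   /* step 2 */
    apply_legacy(enabled, "apparmor", apparmor_param);
    if (lsm_enable) {                                  /* step 3 */
        memset(enabled, 0, sizeof(enabled));
        apply_list(enabled, lsm_enable, true);
    }
    apply_list(enabled, lsm_disable, false);           /* step 4 */

    out[0] = '\0';
    for (int i = 0; i < N_LSMS; i++) {
        if (!enabled[i])
            continue;
        if (out[0])
            strncat(out, ",", sizeof(out) - strlen(out) - 1);
        strncat(out, all_lsms[i], sizeof(out) - strlen(out) - 1);
    }
    return out;
}

int main(void)
{
    printf("no parameters:                   %s\n", resolve_lsms(NULL, NULL, NULL, NULL));
    printf("selinux=0:                       %s\n", resolve_lsms("0", NULL, NULL, NULL));
    printf("apparmor=1:                      %s\n", resolve_lsms(NULL, "1", NULL, NULL));
    printf("lsm.enable=selinux:              %s\n", resolve_lsms(NULL, NULL, "selinux", NULL));
    printf("selinux=0 lsm.enable=selinux,yama: %s\n", resolve_lsms("0", NULL, "selinux,yama", NULL));
    printf("lsm.enable=yama lsm.disable=yama: %s\n", resolve_lsms(NULL, NULL, "yama", "yama"));
    return 0;
}
```

The two cases worth noticing are `lsm.enable=selinux`, which drops yama and loadpin even though the build-time list enabled them (this is the "omissions are disabled" behaviour John asked for, as opposed to the additive reading), and `selinux=0` combined with `lsm.enable=selinux,yama`, where the explicit list wins over the legacy flag.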