Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp129197imm;
        Thu, 11 Oct 2018 16:56:03 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60zhYMyob3Xv1+qrsOfnHwguIxAzsJPfhDuE7DsbdAdBsCFo54xZpRbFfdF2eYBHYzulRuD
X-Received: by 2002:a62:c60a:: with SMTP id m10-v6mr3666669pfg.15.1539302163311;
        Thu, 11 Oct 2018 16:56:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539302163; cv=none;
        d=google.com; s=arc-20160816;
        b=EZQZuvlTN1A+ghFIyES577wuyTINBkh8VXpmAbl3ukiXAS5MsWahztrr9FAQ/JgG2K
         +AZOtQnSwcr2eGD05k0AZjkidUAqmO1Vs4On/hNy4Uai53iyWGnts+l8Fo86Pbo/WOnz
         nvRa6kE0/aELo8dpBRuZw5LDItRMfiQCWG9z3IpqwrEelhpDhyUKQuTFvdSHoav7p0vJ
         F1pg3UTGnbE6miFKL384HS6MUoT9+85S8AQeenruBA/ZwZ/Fe2boWBoEkaNvJ50rUP4j
         Eed45PO1JDv4LOiANydjbesAhCWrkOx5pXggLCAGk0KK6lVMp+BmGgVI5B/fMy7DXsm+
         xi1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :feedback-id:references:in-reply-to:message-id:subject:reply-to:cc
         :from:to:dkim-signature:date;
        bh=lN2vmUpxuPGPGbURIafWIutb7qhAGlM0IS9B1QVUfCc=;
        b=cL5GGc+iOQ4CNMZsFo05SxoCdG4hEDua4ziAxPOdb3DEPZBCwHfMH5JDsp+Sm3+WcW
         tp9V4JgTusTveTkeBMk0styB1v/lap1TTHnVaijIu5oIROczCvyaXzBRXPvHobMdw9QR
         jQ0cDpYEk+vf5fqF5EXjsdTy73bIljTGo5+YGttjG/GNPmKFfV0cggD3E2HV6+9MLLY0
         Vs8Ymkyp8vN7cnxvmoijH6sgefdRjlyCjaHuNnbyFVuPplPekoY8ZplrWPV29KA7yRaE
         3ZXVX0bCve+RGRU9imHLxxnW28hvdABfHNo8fIxYr9KrQQTSfVK9EPhpccThyvYk6DmJ
         uB+Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@protonmail.ch header.s=default header.b=kBWsvDEA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u127-v6si29589646pgc.234.2018.10.11.16.55.48;
        Thu, 11 Oct 2018 16:56:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@protonmail.ch header.s=default header.b=kBWsvDEA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727343AbeJLHXf (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Fri, 12 Oct 2018 03:23:35 -0400
Received: from mail-40130.protonmail.ch ([185.70.40.130]:51856 "EHLO
        mail-40130.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727278AbeJLHXf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 12 Oct 2018 03:23:35 -0400
Date:   Thu, 11 Oct 2018 23:53:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
        s=default; t=1539302035;
        bh=lN2vmUpxuPGPGbURIafWIutb7qhAGlM0IS9B1QVUfCc=;
        h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:
         Feedback-ID:From;
        b=kBWsvDEApBaY2XPyP5/btJBNaOnqPj5qnQruYpvny0DGJgt1Q37emKq8nih/QYOwv
         heXGIEfCAsTykVusrRpLs8+p3tEQBwFggXmSo33giPznd9PMGm2exNvqIf5U3HVSpU
         CEz8sjcQdyVRP07xaoAwJr6Uc1nfNRAb1XAHoGYw=
To:     Kees Cook <keescook@chromium.org>
From:   Jordan Glover <Golden_Miller83@protonmail.ch>
Cc:     James Morris <jmorris@namei.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        John Johansen <john.johansen@canonical.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Paul Moore <paul@paul-moore.com>,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        LSM <linux-security-module@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Reply-To: Jordan Glover <Golden_Miller83@protonmail.ch>
Subject: Re: [PATCH security-next v5 00/30] LSM: Explict ordering
Message-ID: <37rRa7F7i2XcwVPiT6gLC8cX8p0732iDiT6mGjstlbBi3mcJsQCLA6A8HcDMNjR0SGheErloJl8z-Z5c57XxtJRBF9-LO_fUTUf41EcAGC4=@protonmail.ch>
In-Reply-To: <CAGXu5j+kekUdcE2EhUu__8MXJ1O+D=-zTXLGNCRVa_VyDxePpw@mail.gmail.com>
References: <20181011001846.30964-1-keescook@chromium.org>
 <CAGXu5jLBaHj5MhXaK-8zdu6Rgo2B6rEq+at17xZ1Puct+YUajQ@mail.gmail.com>
 <ZhaXhoElmWQlsxHmgFHpB2xSWzJYFZWBasrSKQNjGj4_T2A4AY2F9v1rP9LkUfilUbZ0ExWXX9koLNjUM8S6baX6xfSSMPXY_CpihbCetVc=@protonmail.ch>
 <CAGXu5j+kekUdcE2EhUu__8MXJ1O+D=-zTXLGNCRVa_VyDxePpw@mail.gmail.com>
Feedback-ID: QEdvdaLhFJaqnofhWA-dldGwsuoeDdDw7vz0UPs8r8sanA3bIt8zJdf4aDqYKSy4gJuZ0WvFYJtvq21y6ge_uQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-0.6 required=7.0 tests=ALL_TRUSTED,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
        FREEMAIL_REPLYTO_END_DIGIT autolearn=no autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.protonmail.ch
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Friday, October 12, 2018 1:09 AM, Kees Cook <keescook@chromium.org> wrot=
e:

> We've had things sort of like this proposed, but if you can convince
> James and others, I'm all for it. I think the standing objection from
> James and John about this is that the results of booting with
> "lsm=3Dsomething" ends up depending on CONFIG_LSM=3D for that distro. So
> you end up with different behaviors instead of a consistent behavior
> across all distros.
>

Ok, I'll try :)

The final lsm string contains two parts: Kconfig "CONFIG_LSM=3D" and boot
param "lsm=3D". Changing even only one of those parts also changes the
final string.

In case of distros, it's the "CONFIG_LSM=3D" which changes. Even when "lsm=
=3D"
stays constant, the behavior will be different, example:

Distro A has: CONFIG_LSM=3Dloadpin,integrity,selinux
Distro B has CONFIG_LSM=3Dyama,loadpin,integrity,selinux

User on distro A wants to enable apparmor with:

lsm=3Dloadpin,integrity,apparmor

which they do and add it to howto on wiki.

User on distro B want to enable apparmor, they found info on some wiki and =
do:

lsm=3Dloadpin,integrity,apparmor


Puff, yama got disabled!

Above example shows why I think "consistent behavior across all distros"
argument for current approach is flawed -  because distros aren't
consistent. In my proposition the user will just use "lsm=3Dapparmor" and
it will consistently enable apparmor on all distros which is what they
really wanted, but all pre-existing differences across distros will
remain unchanged.

The current approach requires that everyone who dares to touch "lsm=3D"
knows about existence of all lsm, their enabled/disabled status on
target distro and their order. I doubt there are many people other
than recipients of this mail who fit for the above.

I it's better to assume that average user has rather vague knowledge
about lsm and don't delve deep into Kconfig's of their chosen distro.
If they want to use "lsm=3D" their goal is to disable/enable on or more
things. My proposition will work better for those. More advanced users
still will may pass any "lsm=3D" string as they like, this having full
control.

Jordan