Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp646318imm;
        Fri, 12 Oct 2018 04:31:46 -0700 (PDT)
X-Google-Smtp-Source: ACcGV61kQk8VIRdwGDUVmJ9lixmQMk+S7Oj61L0Sy7mWjqVGS954mLFb2VRghv68kodvjx9OjKMz
X-Received: by 2002:a17:902:7486:: with SMTP id h6-v6mr5372882pll.29.1539343906361;
        Fri, 12 Oct 2018 04:31:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539343906; cv=none;
        d=google.com; s=arc-20160816;
        b=NlCIDDG0Rdfy5zMllIJzp7KuTXPNT1TwtLt4ZitzefuPZJk+c9GtRFd/aYeUzeVpV9
         nRlTte+YFyE7p5k0re5kTQHIeISdWvR3//Bn5l/QIvDS72NS7TuVNqURoEsnk2qopOXE
         7+K5ZB8MaHOMk3AtbyNZYnRPj2rPPJhzAs3VBil5KOA0Ic3h8KtJ35sSr5Nl+AnE5/6X
         nIQoWtapqHrWqo8V6jGyJNnJgBH5MQyn4Oz2zPrRPJLc/0xdsCek0d6Wxi4Kv8PRcrfp
         OsZNR8POTOfMJlGX1ovEcw3zdplpVE8qG3EXc2uyOpxWmQ4R+Uw4sDeUp//kWdBLFDgw
         +zdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :feedback-id:references:in-reply-to:message-id:subject:reply-to:cc
         :from:to:dkim-signature:date;
        bh=izOxPkH7jL1Ak8u4g3Gc4duQgc62xru88g3rROadegs=;
        b=KOCh6dl/H7fULGcX5wsxVXr01EudfYOdowK2lE8A+uEFMUWk8vOy7VWFIhtZBSWsGt
         gj4sxUzSjVxiJDqohczaFEh1aS4hM5xMEcTW7znKZbWEzPcNwXJqBdunTCRvoYrw0zdA
         HjWiuxorGE50YL7y6KeAgnFxtvO/wStXZ1aRHEqXIBRDWF9IawZcZDqXq2XY8uiQekGh
         Dha6TaxPNYbHxZCSIN7gSlIgFpjkxm7PuX122VWKxsgHF2tiOdE1dh6yfuQIIdjPdpJ3
         ghw4VjdNaL1OyWOGbhvQ7ol9MWi0yzu/ic9g5RWMLosQoDYX1tAmqmakriBiJHRTyUzB
         hk2A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@protonmail.ch header.s=default header.b=xo9PGaNM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h184-v6si1088661pfb.146.2018.10.12.04.31.30;
        Fri, 12 Oct 2018 04:31:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@protonmail.ch header.s=default header.b=xo9PGaNM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728074AbeJLTDI (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Fri, 12 Oct 2018 15:03:08 -0400
Received: from mail-40133.protonmail.ch ([185.70.40.133]:10947 "EHLO
        mail-40133.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727838AbeJLTDI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 12 Oct 2018 15:03:08 -0400
Date:   Fri, 12 Oct 2018 11:31:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
        s=default; t=1539343864;
        bh=izOxPkH7jL1Ak8u4g3Gc4duQgc62xru88g3rROadegs=;
        h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:
         Feedback-ID:From;
        b=xo9PGaNMbbhEJiZA7GF05PxdpIE+OTkXulqPlxogOla3iA1qpbYdneLlKMIHdGc/Z
         7zop9+QT5kTy+U+z3Nd/nq4zf4bXr8jy++wRlzQo2gyZV/52KoBB6hxjzboA55zJ04
         /U36+16FxSlg5dW3lqJXJ7l+OAhREPzjOFvfefZo=
To:     John Johansen <john.johansen@canonical.com>
From:   Jordan Glover <Golden_Miller83@protonmail.ch>
Cc:     Kees Cook <keescook@chromium.org>,
        James Morris <jmorris@namei.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Paul Moore <paul@paul-moore.com>,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        LSM <linux-security-module@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Reply-To: Jordan Glover <Golden_Miller83@protonmail.ch>
Subject: Re: [PATCH security-next v5 00/30] LSM: Explict ordering
Message-ID: <oANoEf39nJu-HzALTRaisEW9Um9AoAH5KyO5lM7tpmml58QTZLk7U9aHpTmcg8W_684zTws70sLPZXlK5Z91zLluFesVPYXiEUbIZr98Ljs=@protonmail.ch>
In-Reply-To: <1a8ac9f4-8f82-5d3b-46ef-08801793443e@canonical.com>
References: <20181011001846.30964-1-keescook@chromium.org>
 <CAGXu5jLBaHj5MhXaK-8zdu6Rgo2B6rEq+at17xZ1Puct+YUajQ@mail.gmail.com>
 <ZhaXhoElmWQlsxHmgFHpB2xSWzJYFZWBasrSKQNjGj4_T2A4AY2F9v1rP9LkUfilUbZ0ExWXX9koLNjUM8S6baX6xfSSMPXY_CpihbCetVc=@protonmail.ch>
 <CAGXu5j+kekUdcE2EhUu__8MXJ1O+D=-zTXLGNCRVa_VyDxePpw@mail.gmail.com>
 <37rRa7F7i2XcwVPiT6gLC8cX8p0732iDiT6mGjstlbBi3mcJsQCLA6A8HcDMNjR0SGheErloJl8z-Z5c57XxtJRBF9-LO_fUTUf41EcAGC4=@protonmail.ch>
 <1a8ac9f4-8f82-5d3b-46ef-08801793443e@canonical.com>
Feedback-ID: QEdvdaLhFJaqnofhWA-dldGwsuoeDdDw7vz0UPs8r8sanA3bIt8zJdf4aDqYKSy4gJuZ0WvFYJtvq21y6ge_uQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-0.6 required=7.0 tests=ALL_TRUSTED,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
        FREEMAIL_REPLYTO_END_DIGIT autolearn=no autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.protonmail.ch
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Friday, October 12, 2018 2:26 AM, John Johansen <john.johansen@canonical=
.com> wrote:

> On 10/11/2018 04:53 PM, Jordan Glover wrote:
>
> > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origina=
l Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=
=90
> > On Friday, October 12, 2018 1:09 AM, Kees Cook keescook@chromium.org wr=
ote:
> >
> > > We've had things sort of like this proposed, but if you can convince
> > > James and others, I'm all for it. I think the standing objection from
> > > James and John about this is that the results of booting with
> > > "lsm=3Dsomething" ends up depending on CONFIG_LSM=3D for that distro.=
 So
> > > you end up with different behaviors instead of a consistent behavior
> > > across all distros.
> >
> > Ok, I'll try :)
> > The final lsm string contains two parts: Kconfig "CONFIG_LSM=3D" and bo=
ot
> > param "lsm=3D". Changing even only one of those parts also changes the
> > final string.
> > In case of distros, it's the "CONFIG_LSM=3D" which changes. Even when "=
lsm=3D"
> > stays constant, the behavior will be different, example:
> > Distro A has: CONFIG_LSM=3Dloadpin,integrity,selinux
> > Distro B has CONFIG_LSM=3Dyama,loadpin,integrity,selinux
> > User on distro A wants to enable apparmor with:
> > lsm=3Dloadpin,integrity,apparmor
> > which they do and add it to howto on wiki.
> > User on distro B want to enable apparmor, they found info on some wiki =
and do:
> > lsm=3Dloadpin,integrity,apparmor
> > Puff, yama got disabled!
> > Above example shows why I think "consistent behavior across all distros=
"
> > argument for current approach is flawed - because distros aren't
> > consistent. In my proposition the user will just use "lsm=3Dapparmor" a=
nd
> > it will consistently enable apparmor on all distros which is what they
> > really wanted, but all pre-existing differences across distros will
> > remain unchanged.
>
> Are you sure about that? I have had more than one question about
> security=3DX resulting in a system with more than just X enabled. Ie why
> is yama enabled when I specifically set security to X.
>

So, non-explicit list will match current "security=3D" behavior which users
are more familiar with. The current answer for this question is "because
your distro enabled it and you didn't disabled it. With non-explcit list
that answer will stay the same.

With explicit list, the question will be "why is yama disabled when I
enabled AppArmor with lsm=3Dapparmor".

To ask both questions user have to know that something like "yama" exist
in first place.

As for question what users typically want you may look at search results
for "disable/enable yama" and "disable/enable apparmor/selinux". The
difference is several orders of magnitude. That's why I think typical user
just want to switch on/off one major lsm. I don't think anecdotal evidence
is representative here.

> There will certainly be cases where what you describe is exactly what
> the user wants. The problem is an explosion of options isn't good
> for the user either.
>
> What I want at the moment is the discussion about different ways to
> enable LSMs to be split off so this work can move forward.
>
> > The current approach requires that everyone who dares to touch "lsm=3D"
> > knows about existence of all lsm, their enabled/disabled status on
> > target distro and their order. I doubt there are many people other
> > than recipients of this mail who fit for the above.
>
> Without having gotten a chance to review the current set of patches
> that was not what was discussed, it should only requires they know the
> set that they want.
>

"it should only requires they know the set that they want" is very
hard requirement and I don't think most users will pass this.
Especially when sets like:

lsm=3Dyama,loadpin,integrity,apparmor
lsm=3Dloadpin,integrity,yama,apparmor

will behave differently.

Jordan