Subject: Re: [PATCH] LSM: Allow syzbot to ignore security= parameter.
To: Dmitry Vyukov
Cc: Casey Schaufler, Paul Moore, Stephen Smalley, syzbot, tyhicks@canonical.com, John Johansen, James Morris, LKML, linux-security-module@vger.kernel.org, Serge Hallyn, syzkaller-bugs, Jeffrey Vander Stoep, SELinux, Russell Coker, Laurent Bigonville, syzkaller, Andrew Morton
From: Tetsuo Handa
Message-ID: <8f48e1d0-c109-f8a9-ea94-9659b16cae49@i-love.sakura.ne.jp>
Date: Wed, 6 Feb 2019 19:23:03 +0900

On 2019/02/04 17:07, Dmitry Vyukov wrote:
> On Fri, Feb 1, 2019 at 2:09 PM Tetsuo Handa
> wrote:
>>
>> On 2019/02/01 19:50, Dmitry Vyukov wrote:
>>> On Fri, Feb 1, 2019 at 11:44 AM Tetsuo Handa
>>> wrote:
>>>>
>>>> On 2019/02/01 19:09, Dmitry Vyukov wrote:
>>>>> Thanks for the explanations.
>>>>>
>>>>> Here is the change that I've come up with:
>>>>> https://github.com/google/syzkaller/commit/aa53be276dc84aa8b3825b3416542447ff82b41a
>>>>
>>>> You are not going to apply this updated config to upstream kernels now, are you?
>>>> Removing CONFIG_DEFAULT_SECURITY="apparmor" from configs used by upstream kernels
>>>> will cause failing to enable AppArmor (unless security=apparmor is specified).
>>>
>>>
>>> We do use security=apparmor, see:
>>> https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-apparmor.cmdline
>>> https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-selinux.cmdline
>>> https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-smack.cmdline
>>>
>>
>> Oh, security= parameter is explicitly specified on all targets?
>> Then, we can abuse CONFIG_DEBUG_AID_FOR_SYZBOT option. ;-)
>>
>> LSM folks, may we use this patch for linux-next.git ?
>> CONFIG_DEBUG_AID_FOR_SYZBOT is a linux-next.git-only kernel config option used by syzbot.
>
>
> Then we also need this on syzbot side, right? Otherwise it seems that
> all instances will default to a single security module.
> https://github.com/google/syzkaller/commit/ffec3d1894ffd05966b50efa49ca19af76c9ea81
>

Right.

But as I update the documentation ( https://tomoyo.osdn.jp/2.6/chapter-3.html.en#3.6 ),
I came to think that we should ignore security= parameter when lsm= parameter is specified.

Currently, it is possible to enable TOMOYO and only one of SELinux/Smack/AppArmor.
Therefore, it is possible to disable only TOMOYO by specifying security=selinux when
we want to enable only SELinux, by specifying security=smack when we want to enable
only Smack, by specifying security=apparmor when we want to enable only AppArmor.
That is, we can use security= parameter in order to specify the other LSM module
which should not be disabled.

But when it becomes possible to enable TOMOYO and more than one of SELinux/Smack/AppArmor,
we will no longer be able to selectively disable one LSM module using security= parameter,
for security= parameter is intended for specifying only one LSM module which should be
enabled. That is, we will need to use lsm= parameter in order to selectively disable
LSM modules.

Then, I think that it is straightforward (and easier to manage) to ignore security=
parameter when lsm= parameter is specified.

Furthermore, we could even avoid introducing lsm= parameter by allowing security=
parameter to specify multiple LSM modules. For example, security= parameter is
interpreted as a list of all LSM modules which should be enabled when it contains
a comma, and it is interpreted as one of LSM_FLAG_LEGACY_MAJOR modules which should
be enabled otherwise. Then, specifying security=selinux or security=smack or
security=tomoyo or security=apparmor or security=none will respectively enable
SELinux, Smack, TOMOYO, AppArmor, none of SELinux/Smack/TOMOYO/AppArmor.
And specifying e.g. security=, will disable all LSM modules.
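
The comma rule proposed in the message above, written out as a small userspace C parser. This is an added example, not kernel code and not code from the thread; it models only the four modules the message names, and `parse_security`, the bitmask encoding and the -1 result for an unknown name are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Only the four modules named in the message are modelled (assumption). */
static const char *const lsm_names[] = { "selinux", "smack", "tomoyo", "apparmor" };
#define N_LSM (sizeof(lsm_names) / sizeof(lsm_names[0]))

/* Index of a length-delimited name in lsm_names[], or -1 if unknown. */
static int lsm_index(const char *name, size_t len)
{
    for (size_t i = 0; i < N_LSM; i++)
        if (strlen(lsm_names[i]) == len && !strncmp(lsm_names[i], name, len))
            return (int)i;
    return -1;
}

/* Bitmask of enabled modules (bit i = lsm_names[i]) for a security= value,
 * or -1 for an unknown name (assumed error handling). Other LSMs are not
 * modelled, so "none" and "," both give 0 here. */
int parse_security(const char *val)
{
    int mask = 0, i;

    if (!strchr(val, ',')) {            /* no comma: one legacy major module */
        if (!strcmp(val, "none"))
            return 0;
        i = lsm_index(val, strlen(val));
        return i < 0 ? -1 : 1 << i;
    }
    while (*val) {                      /* comma: list of every module to enable */
        size_t len = strcspn(val, ",");
        if (len) {                      /* empty items enable nothing */
            i = lsm_index(val, len);
            if (i < 0)
                return -1;
            mask |= 1 << i;
        }
        val += len + (val[len] == ','); /* step past the item and its comma */
    }
    return mask;
}

int main(void)
{
    const char *samples[] = { "selinux", "none", "tomoyo,apparmor", ",", "tomoyo," };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("security=%-16s -> mask 0x%x\n", samples[i], parse_security(samples[i]));
    return 0;
}
```
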