Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp1519115imj; Fri, 8 Feb 2019 02:54:23 -0800 (PST) X-Google-Smtp-Source: AHgI3IbZnXoKAoFMPB4OzsbAn82ylisSKNSC77nAI6XJE48hu0AduXHlSxan3+b8QGxwZawMtPyW X-Received: by 2002:a17:902:280b:: with SMTP id e11mr22013756plb.269.1549623263890; Fri, 08 Feb 2019 02:54:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549623263; cv=none; d=google.com; s=arc-20160816; b=AdMpI05xl+BnsopyYNd0PkeRzgU7zjWMUW34s6Urt1x+2hsjbOPLmLGzrplDnwek4g lebJyeppd+UdQIqrvDQ/FAr6+Gqt+NFbkYvUu1i/NyoWpAeYYSUhynYjRMm06DrgMLnc gbIq0KZJmTfZPpnoAEPuSHGrj//OMARtwCM48Nwb6h8pH6CiG+nZlKkOhA8/rIXnHG1y rc2NRRx6O85e9/yWC+i0TreYV1eN2zNSYWls0hMwBv0fnK7wcSUHYW0UGehJIPFTFhLJ BG5v7oyxRQ70K8ji2AJhS6UOsKnahR318m9ZjRGYwd8oQGRNrGqalpG9rA1Nj0zJ5HEi r7Og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=lpU6HZvbf1oU4mgwLCdpoMYfd7StNxtFvtkGrmh7w5s=; b=Rqv6bUW6u07vMU9rSd6fFYzQwA2PLEycS5wlEAWi4fCy6z33XvHH/d8oGD2ggtJcBE vWsxpPe8wCIirO1hXG15XayXIyD/NtwB1pMXWGdcoUCTtPZiEgth/xhgKzRDxsBbDuSN a8ePbCxQYBx4kDkIETWyXwFfFyl/CDL/HjfrIJARWI7Sy5tUukQrUZGFH6lvmRlXMxE9 jSGJF5dQjZz1cNaG20+4GrwTlLnom7yHe4kzKXMiV6YIAxEMaeCjHazTyLjpepl5l0F+ MKAkvuVp45+YaD9kTJNMK6sNde5aBlzZ79z+EyyPZlIWyEUcqVye8WyxvcL/SAhjwhXB BizQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r81si2183028pfr.164.2019.02.08.02.54.08; Fri, 08 Feb 2019 02:54:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727721AbfBHKx2 (ORCPT + 99 others); Fri, 8 Feb 2019 05:53:28 -0500 Received: from www262.sakura.ne.jp ([202.181.97.72]:35762 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726068AbfBHKx2 (ORCPT ); Fri, 8 Feb 2019 05:53:28 -0500 Received: from fsav110.sakura.ne.jp (fsav110.sakura.ne.jp [27.133.134.237]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id x18AqXt6062343; Fri, 8 Feb 2019 19:52:33 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav110.sakura.ne.jp (F-Secure/fsigk_smtp/530/fsav110.sakura.ne.jp); Fri, 08 Feb 2019 19:52:33 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/530/fsav110.sakura.ne.jp) Received: from [192.168.1.8] (softbank126126163036.bbtec.net [126.126.163.36]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id x18AqWMY062306 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NO); Fri, 8 Feb 2019 19:52:33 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Subject: Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. To: Casey Schaufler , Kees Cook Cc: Dmitry Vyukov , Paul Moore , Stephen Smalley , syzbot , tyhicks@canonical.com, John Johansen , James Morris , LKML , linux-security-module@vger.kernel.org, Serge Hallyn , syzkaller-bugs , Jeffrey Vander Stoep , SELinux , Russell Coker , Laurent Bigonville , syzkaller , Andrew Morton References: <8f48e1d0-c109-f8a9-ea94-9659b16cae49@i-love.sakura.ne.jp> <0d23d1a5-d4af-debf-6b5f-aaaf698daaa8@schaufler-ca.com> <201902070230.x172UUG6002087@www262.sakura.ne.jp> <6def6199-0235-7c37-974c-baf731725606@schaufler-ca.com> From: Tetsuo Handa Message-ID: <54c0ae39-f35c-bdcd-a217-8e62ef14e41b@i-love.sakura.ne.jp> Date: Fri, 8 Feb 2019 19:52:30 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0 MIME-Version: 1.0 In-Reply-To: <6def6199-0235-7c37-974c-baf731725606@schaufler-ca.com> Content-Type: text/plain; charset=iso-2022-jp Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019/02/08 1:24, Casey Schaufler wrote: >>>> Then, I think that it is straightforward (and easier to manage) to ignore security= parameter >>>> when lsm= parameter is specified. >>> That reduces flexibility somewhat. If I am debugging security modules >>> I may want to use lsm= to specify the order while using security= to >>> identify a specific exclusive module. I could do that using lsm= by >>> itself, but habits die hard. >> "lsm=" can be used for identifying a specific exclusive module, and Ubuntu kernels would >> have to use CONFIG_LSM (or "lsm=") for identifying the default exclusive module (in order >> to allow enabling both TOMOYO and one of SELinux,Smack,AppArmor at the same time). >> >> Since "security=" can't be used for selectively enable/disable more than one of >> SELinux,Smack,TOMOYO,AppArmor, I think that recommending users to migrate to "lsm=" is the >> better direction. And ignoring "security=" when "lsm=" is specified is easier to understand. > > I added Kees to the CC list. Kees, what to you think about > ignoring security= if lsm= is specified? I'm ambivalent. > > To help administrators easily understand what LSM modules are possibly enabled by default (which have to be fetched from e.g. /boot/config-`uname -r`) and specify lsm= parameter when they need, I propose changes shown below. diff --git a/security/security.c b/security/security.c index 3147785e..051d708 100644 --- a/security/security.c +++ b/security/security.c @@ -51,8 +51,6 @@ static __initdata const char *chosen_lsm_order; static __initdata const char *chosen_major_lsm; -static __initconst const char * const builtin_lsm_order = CONFIG_LSM; - /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; static __initdata struct lsm_info *exclusive; @@ -284,14 +282,22 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init ordered_lsm_init(void) { struct lsm_info **lsm; + const char *order = CONFIG_LSM; + const char *origin = "builtin"; ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), GFP_KERNEL); - if (chosen_lsm_order) - ordered_lsm_parse(chosen_lsm_order, "cmdline"); - else - ordered_lsm_parse(builtin_lsm_order, "builtin"); + if (chosen_lsm_order) { + if (chosen_major_lsm) { + pr_info("security= is ignored because of lsm=\n"); + chosen_major_lsm = NULL; + } + order = chosen_lsm_order; + origin = "cmdline"; + } + pr_info("Security Framework initializing: %s\n", order); + ordered_lsm_parse(order, origin); for (lsm = ordered_lsms; *lsm; lsm++) prepare_lsm(*lsm); @@ -333,8 +339,6 @@ int __init security_init(void) int i; struct hlist_head *list = (struct hlist_head *) &security_hook_heads; - pr_info("Security Framework initializing\n"); - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); i++) INIT_HLIST_HEAD(&list[i]);