Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp3220506imj; Mon, 11 Feb 2019 16:27:58 -0800 (PST) X-Google-Smtp-Source: AHgI3IYyDvjosAsZ5G26PtPH7YWxMQtgZuZ7Ff3No3DVe8eEx1u0ZVtAWkss5QeTjgnugiRO6cXM X-Received: by 2002:a17:902:aa01:: with SMTP id be1mr1102114plb.60.1549931278296; Mon, 11 Feb 2019 16:27:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549931278; cv=none; d=google.com; s=arc-20160816; b=elz9bwq0gGWSmLrIMaVfqp7yuJdsmRzbkmkrIvvZLiYXHlAI+Q00koHbQa+IQwcbgR UroPZtHL9jiYTRK3hLeIuouDx5HOcJa8jcjqils7JGeMbDg201NaZsJQPTnyiyJqHzPX GoS93aYAeSWcobvr/gx4JTm3EHZvLycsrr7RnFX5ntiS0K/cF8I3xHMZ5ENAgQ83ew+W NtcHpS7m8rCMbrI15GnRq1N/JlPhdNzxFWf06hz/Gc27hmn6Qj3Pwwfj2dlJfOjiW+sP HvGNKTAEVv6GbUsvO01NdNS21FY/Wz79D/N7/TgfnxXN4nZyABOVj6b9axpr73w4NL/u bAZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=BlOmcajIsX/TyRVqHHcJ2IUxXPM+kmCdH3mAHl/Kkko=; b=J/g722TqatvL5hyrOrPjnhppy3kXTvMCKPh07ydg8TnME1R3E1t/YLAKtzZj6LidbL Roi+56jMTwNqWQ0471dNQfV5Ehr8akayRH/M+XhFEJ+D/T7UE3/wqtktdofM5P2Sev6z jokM61hW4q5NtK3VFtF7AZ7fKca+jcrdjx6j80o20ldoMvPWKlyoKisTN9NjL77OoQhE vlKZNhFuhuPA7w2ALGsOgg1CQABrQA3V5JSOD38EWpBQH2t3iuN3oZq9lUEUqGbkMkoE 4dcrMAOQzOybYbdRF1DXFCZCTw12+GmvlLPwoLzKUuCTahpeJMUbdRwCcZbe5UqqNuPt cHrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=EcXGbVeN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x5si10692628pgq.535.2019.02.11.16.27.41; Mon, 11 Feb 2019 16:27:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=EcXGbVeN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727707AbfBLA0S (ORCPT + 99 others); Mon, 11 Feb 2019 19:26:18 -0500 Received: from mail-ua1-f68.google.com ([209.85.222.68]:39394 "EHLO mail-ua1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727344AbfBLA0R (ORCPT ); Mon, 11 Feb 2019 19:26:17 -0500 Received: by mail-ua1-f68.google.com with SMTP id w12so289804uaq.6 for ; Mon, 11 Feb 2019 16:26:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BlOmcajIsX/TyRVqHHcJ2IUxXPM+kmCdH3mAHl/Kkko=; b=EcXGbVeNKTOlIXwKyuvoJEAuGqe9r28DubSTCS+eblu1zA8W6bjlfgxtbGOghAo3UT vkgbCjimvjPoVuDV59cux5VLhz54bE/8DOd3S+JDBQ5DaSIQtsASEjHRvOsVmeNbNefX rTuBao5M+KmOrhw9HW7BwgHqZUpPOd7t0yjbk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BlOmcajIsX/TyRVqHHcJ2IUxXPM+kmCdH3mAHl/Kkko=; b=k1n2VwrNYcKOL+2DP8oMWdAz5BIvhrFsJFAYj+K0JmpnE4mFnA0GVC7RdeAmClvUWH 6z2AOjHiZS94WBWvW9Hmdr850yTh54m6wSZLxbb8ob/VXaOE7vxVUDVwk2DCGSNUqkaK cmPt4Ul3QyAGtbXJxV914TWNUl1PE86M/N+NtjFSiGGeqQrXSpb6jef1lPsP6mDD48W1 fhysPgpaYl2YV612O+IcyM05eCA983AybIoo2fLIoc1JxsMeA45TwXXf5PjIY4LtxRPf ah9E2/lTRntpfUGQuqi5B2dWwv638hHvb4VNXU94kfr/TkBnqgiOJXxdMCGj3/IWs5qj ZNsQ== X-Gm-Message-State: AHQUAuZZ5uS93nmurwZXn4LuFpCXQaaZPg1ySYIdZ4fAA2wF2RdTrjP1 H6BXfVgKEFudGjPp1cjd+BI1J/KhDA0= X-Received: by 2002:ab0:6446:: with SMTP id j6mr439317uap.2.1549931175744; Mon, 11 Feb 2019 16:26:15 -0800 (PST) Received: from mail-vs1-f42.google.com (mail-vs1-f42.google.com. [209.85.217.42]) by smtp.gmail.com with ESMTPSA id d66sm13105154vkh.9.2019.02.11.16.26.14 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 16:26:14 -0800 (PST) Received: by mail-vs1-f42.google.com with SMTP id z18so520969vso.7 for ; Mon, 11 Feb 2019 16:26:14 -0800 (PST) X-Received: by 2002:a67:7d01:: with SMTP id y1mr447476vsc.48.1549931173601; Mon, 11 Feb 2019 16:26:13 -0800 (PST) MIME-Version: 1.0 References: <20190211225403.GA7769@beast> <201902120021.x1C0LeYB051392@www262.sakura.ne.jp> In-Reply-To: <201902120021.x1C0LeYB051392@www262.sakura.ne.jp> From: Kees Cook Date: Mon, 11 Feb 2019 16:26:02 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] LSM: Ignore "security=" when "lsm=" is specified To: Tetsuo Handa Cc: James Morris , linux-security-module , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 11, 2019 at 4:21 PM Tetsuo Handa wrote: > > Kees Cook wrote: > > To avoid potential confusion, explicitly ignore "security=" when "lsm=" is > > used on the command line, and report that it is happening. > > To maintain the existing behavior of CONFIG_DEFAULT_SECURITY, I also suggest this change. > This saves e.g. Ubuntu users who are using only AppArmor from explicitly specifying > security=apparmor when they don't want to enable other LSM_FLAG_LEGACY_MAJOR modules. No, this completely disables the purpose of lsm= I don't understand the use-case you're concerned about? -Kees > > --- > security/Kconfig | 37 +++++++++++++++++++++++++++++++++++++ > security/security.c | 5 ++++- > 2 files changed, 41 insertions(+), 1 deletion(-) > > diff --git a/security/Kconfig b/security/Kconfig > index 9555f49..6a40995 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -250,5 +250,42 @@ config LSM > > If unsure, leave this as the default. > > +choice > + prompt "Default exclusive security module" > + default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX > + default DEFAULT_SECURITY_SMACK if SECURITY_SMACK > + default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO > + default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR > + default DEFAULT_SECURITY_DAC > + > + help > + The security module where only one of these modules should be enabled if > + neither the "security=" parameter nor the "lsm=" parameter is specified. > + > + config DEFAULT_SECURITY_SELINUX > + bool "SELinux" if SECURITY_SELINUX=y > + > + config DEFAULT_SECURITY_SMACK > + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y > + > + config DEFAULT_SECURITY_TOMOYO > + bool "TOMOYO" if SECURITY_TOMOYO=y > + > + config DEFAULT_SECURITY_APPARMOR > + bool "AppArmor" if SECURITY_APPARMOR=y > + > + config DEFAULT_SECURITY_DAC > + bool "Unix Discretionary Access Controls" > + > +endchoice > + > +config DEFAULT_SECURITY > + string > + default "selinux" if DEFAULT_SECURITY_SELINUX > + default "smack" if DEFAULT_SECURITY_SMACK > + default "tomoyo" if DEFAULT_SECURITY_TOMOYO > + default "apparmor" if DEFAULT_SECURITY_APPARMOR > + default "" if DEFAULT_SECURITY_DAC > + > endmenu > > diff --git a/security/security.c b/security/security.c > index e6153ed..c44e3cd 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -294,8 +294,11 @@ static void __init ordered_lsm_init(void) > chosen_major_lsm = NULL; > } > ordered_lsm_parse(chosen_lsm_order, "cmdline"); > - } else > + } else { > + if (!chosen_major_lsm) > + chosen_major_lsm = CONFIG_DEFAULT_SECURITY; > ordered_lsm_parse(builtin_lsm_order, "builtin"); > + } > > for (lsm = ordered_lsms; *lsm; lsm++) > prepare_lsm(*lsm); > -- > 1.8.3.1 > -- Kees Cook