Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp4183837imj; Tue, 12 Feb 2019 11:13:20 -0800 (PST) X-Google-Smtp-Source: AHgI3IYqP+YG1hZAq7WgUSGJx8mjYi7CbLSyAWhY8RPxHMgSV91Ub3JmdND49Ry+uq9ziTcSNHWp X-Received: by 2002:a63:3206:: with SMTP id y6mr4920745pgy.338.1549998800123; Tue, 12 Feb 2019 11:13:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549998800; cv=none; d=google.com; s=arc-20160816; b=E1c0e8+kyCn1tO5RdoozjxkpFAtVH382MpxWDCm/r9u2PQTp9kNAp8WIJ/MXeRjk7k SCLFBdpaPMJ91c4NTvjFog+rG6+s9CSinwTaZPHIRAHudlwT8+7NfAx2Pd1h7sarxFE/ PewqS6N1f34Ae2D2KxyUEwQ4ET+NTqKX56B1bhXpQjF1J5aSRwWf0OvVq88OH2lT09jM TaShf2VzJnTSd6X/sNL7ceqHgfoP0DLuhCUk+is/YRiD9aGq/VXClwJAlJCJUh8+2UQ+ F9NI8zBfQNr5EYDKAqbNnkqmsC/f9owMRCExTNrb3d0YVWG67GJ5brQfVOWkH4uhFyci aS3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=mUTN2kVgPr9Rtx3niaarjV1+OXsIe+jmKVNS7ZlRBbk=; b=Xp6gBmTQs/mg/rRa10NYWDCJqaP52HxdU6xNhmzEsYcJinkmZuOdGA+10BSlySFUxn 9jfspUWe9TzqxSQ7zkmJix4VS3XePck9NRosNq8ffScPnvyI2m5P0qa+nvZCsZFskxuh cP6aQaMbV147sEO2s+oAUteVzQeQ9F1f71qJLlADVI9xctW5oKdtuVhmceDDJXHzb/03 BvSL/8Ub/V5JpYlgHww0ATVmL05XWPEGY+xn2s1RyqGTYf561h17F4qqgjwcf6uC3U1N Usl7Z5dR+kSerkw1pGx8R63DrupJQvL21Htq/t4EsEKXsDDwiLjwaNlpaORjuycVTqRC PmHQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=k4nWs+tD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n4si13381706pgd.10.2019.02.12.11.13.03; Tue, 12 Feb 2019 11:13:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=k4nWs+tD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730123AbfBLS1E (ORCPT + 99 others); Tue, 12 Feb 2019 13:27:04 -0500 Received: from mail-ua1-f68.google.com ([209.85.222.68]:39873 "EHLO mail-ua1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727039AbfBLS1E (ORCPT ); Tue, 12 Feb 2019 13:27:04 -0500 Received: by mail-ua1-f68.google.com with SMTP id s15so808689uap.6 for ; Tue, 12 Feb 2019 10:27:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mUTN2kVgPr9Rtx3niaarjV1+OXsIe+jmKVNS7ZlRBbk=; b=k4nWs+tDNGy0ynHcSKhJ+yAvoxk4/6erIg4nXcXkJQmK+UDcuJ9ZTwwN36K9Xr0uaB oauBPEPeyWrsMPyZozjMHqxHjJ2/V0Td51Iqq7boFOHaDkQClRVwmQmbdm065mUFsOtJ 2cPSfBQT8ibSF/TOK923MTXQoVBguBQGJ1fo8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mUTN2kVgPr9Rtx3niaarjV1+OXsIe+jmKVNS7ZlRBbk=; b=SpqZQXjKFZwgJ1/JN58t+uATjeJnKzRiBY1yUKB6U09ZZbIEf2KceCYwIN2EPQFbnh H3FfWc5mUKbQyt3Xrzk+o46i6c/EpQcZwsYjfg3GvuXKlrYGQc/2YQNEFlFohiSZTdT4 ch+BqkEwA2rujVgZjb094odB1lBcvQpkIw9LWV1TA39v2O8ZqVxXHbR+bioAqYhb15L6 wjzoKlY2W46Co+AZA64Cea1nogN8vfwoAZuaL0EQFbuNEGT6ul0w4zDZxq5NgkMZddD+ J+0uBOXuO+1Npa9GMkyMkarh7gcKuYUHhBm/JPhuTAQSjhj0l1mwLaGALh+CZOhPDE5r r0ow== X-Gm-Message-State: AHQUAuZSAtKVsv+sJaZbpJLliJx53Uvds/OrCP1SZ3y3VOrQrjWUlERW NhDtGjR1g+AH3My5UU3d8qgqtRjOGhg= X-Received: by 2002:ab0:148e:: with SMTP id d14mr2008593uae.23.1549996023344; Tue, 12 Feb 2019 10:27:03 -0800 (PST) Received: from mail-vs1-f54.google.com (mail-vs1-f54.google.com. [209.85.217.54]) by smtp.gmail.com with ESMTPSA id u188sm2791860vke.33.2019.02.12.10.27.02 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 10:27:02 -0800 (PST) Received: by mail-vs1-f54.google.com with SMTP id i64so2200145vsc.8 for ; Tue, 12 Feb 2019 10:27:02 -0800 (PST) X-Received: by 2002:a67:848a:: with SMTP id g132mr2071837vsd.222.1549996021985; Tue, 12 Feb 2019 10:27:01 -0800 (PST) MIME-Version: 1.0 References: <201902120021.x1C0LeYB051392@www262.sakura.ne.jp> <201902120059.x1C0xEbp071744@www262.sakura.ne.jp> In-Reply-To: <201902120059.x1C0xEbp071744@www262.sakura.ne.jp> From: Kees Cook Date: Tue, 12 Feb 2019 10:26:49 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] LSM: Ignore "security=" when "lsm=" is specified To: Tetsuo Handa Cc: James Morris , linux-security-module , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 11, 2019 at 4:59 PM Tetsuo Handa wrote: > Kees Cook wrote: > > On Mon, Feb 11, 2019 at 4:21 PM Tetsuo Handa > > wrote: > > > > > > Kees Cook wrote: > > > > To avoid potential confusion, explicitly ignore "security=" when "lsm=" is > > > > used on the command line, and report that it is happening. > > > > > > To maintain the existing behavior of CONFIG_DEFAULT_SECURITY, I also suggest this change. > > > This saves e.g. Ubuntu users who are using only AppArmor from explicitly specifying > > > security=apparmor when they don't want to enable other LSM_FLAG_LEGACY_MAJOR modules. > > > > No, this completely disables the purpose of lsm= > > > > I don't understand the use-case you're concerned about? > > The purpose of lsm= remains. > > I worry that distro users who don't explicitly specify security= parameter > suddenly find TOMOYO messages because TOMOYO is no longer exclusive. What's wrong with that? TOMOYO will start, see there is no policy, and not do anything else. > There are two ways for avoiding it. One is to explicitly specify security= > parameter. The other is to remove tomoyo from CONFIG_LSM. This change adds > the third way; preserve current security= behavior until they start explicitly > specifying lsm= parameter. "security=" has been deprecated due to the many many threads about how it won't work moving forward. Leaving the CONFIG settings confuses the situation and needlessly drags out the transition for no real gain. But yes, if someone selects a "legacy major" LSM, the others (including TOMOYO) will be disabled, which matches the old behavior. Also, yes, removing it from CONFIG_LSM works; this is up to the distro to decide. -- Kees Cook