Subject: Re: mount.nfs: Protocol error after upgrade to linux/master
To: Tetsuo Handa, Kees Cook
Cc: Jakub Kicinski, linux-security-module, Trond Myklebust, "open list:NFS, SUNRPC, AND...", Anna Schumaker, LKML
References: <20190315110555.0807d015@cakuba.netronome.com> <20190315120105.5541ad46@cakuba.netronome.com> <20190315165440.53b9db3c@cakuba.netronome.com>
From: Casey Schaufler
Date: Sat, 16 Mar 2019 18:02:31 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/16/2019 1:08 AM, Tetsuo Handa wrote:
> On 2019/03/16 14:38, Kees Cook wrote:
>> config LSM
>> string "Ordered list of enabled LSMs"
>> + default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
>> + default "yama,loadpin,safesetid,integrity,tomoyo,selinux,smack,apparmor" if DEFAULT_SECURITY_TOMOYO
>> + default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
>> default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>> help
>> A comma-separated list of LSMs, in initialization order.
>>
>> (I don't see a way to include an earlier config string in a new
>> default.) Thoughts?
>>
> Hmm, DEFAULT_SECURITY_TOMOYO no longer works because TOMOYO will be
> always enabled as long as CONFIG_SECURITY_TOMOYO=y. Maybe
>
> config LSM
> string "Ordered list of enabled LSMs"
> - default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> + default "yama,loadpin,safesetid,integrity,selinux" if DEFAULT_SECURITY_SELINUX
> + default "yama,loadpin,safesetid,integrity,smack" if DEFAULT_SECURITY_SMACK
> + default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
> + default "yama,loadpin,safesetid,integrity,apparmor" if DEFAULT_SECURITY_APPARMOR
> + default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
> help
> A comma-separated list of LSMs, in initialization order.
>
> (i.e. include only up to one major LSM as default choice, and allow manually including
> multiple major LSMs at both kernel build time and kernel boot time) is better?

I think this looks pretty good.
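Review bot: in Kees's hunk (the one adding three conditional `default` lines above the unchanged unconditional one), the four lists contain the same eight names and differ only in order, so every major LSM that is built in is still initialised whichever DEFAULT_SECURITY_* is selected; the choice decides which major LSM comes first, not which one runs. Two consequences worth stating in the help text or fixing: Kconfig takes the first `default` whose condition is true, so the unconditional line must stay last, and because there is no `if DEFAULT_SECURITY_DAC` entry a DAC selection falls through to the SELinux-first list and still enables whatever major LSMs are built.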
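Review bot: in Tetsuo's replacement hunk, the unconditional default is dropped, so CONFIG_LSM only gets a value while the DEFAULT_SECURITY choice stays exhaustive; a major LSM added to that choice later needs a matching `default ... if DEFAULT_SECURITY_<NEW>` line here or the string is left empty. The help text still reads only `A comma-separated list of LSMs, in initialization order.`; since this hunk makes a built-in major LSM stay disabled unless it is named here or on the boot-time list, the help should say so, otherwise a configuration that previously got TOMOYO alongside SELinux loses it silently on the next build.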
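The question the thread turns on is which LSMs actually end up initialised for a given DEFAULT_SECURITY choice under each of the two Kconfig fragments. The model below checks that. It is an added example, not code from the kernel or from anyone in the thread, and it rests on three labelled assumptions: Kconfig takes the first `default` whose condition holds; the kernel initialises, in list order, each LSM named in CONFIG_LSM that is built in and leaves unlisted built-in LSMs disabled; and selinux, smack and apparmor are mutually exclusive while tomoyo stacks with them (the behaviour Tetsuo's remark about TOMOYO refers to). The `built` sets are constructed sample configurations, not anyone's real .config.

```python
"""Model how the two CONFIG_LSM proposals in this thread resolve.

Added illustration; see the lead-in for the assumptions (first matching
Kconfig default wins; listed + built-in LSMs are initialised in order;
selinux/smack/apparmor are exclusive, tomoyo stacks).
"""

MAJOR = ("selinux", "smack", "tomoyo", "apparmor")
# Assumption: only one of these may be active; tomoyo is deliberately absent.
EXCLUSIVE = ("selinux", "smack", "apparmor")

# Kees's fragment as ordered (condition, value) pairs; None = unconditional.
KEES_DEFAULTS = [
    ("DEFAULT_SECURITY_SMACK", "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor"),
    ("DEFAULT_SECURITY_TOMOYO", "yama,loadpin,safesetid,integrity,tomoyo,selinux,smack,apparmor"),
    ("DEFAULT_SECURITY_APPARMOR", "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"),
    (None, "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"),
]

# Tetsuo's fragment: one major LSM per choice, no unconditional fallback.
TETSUO_DEFAULTS = [
    ("DEFAULT_SECURITY_SELINUX", "yama,loadpin,safesetid,integrity,selinux"),
    ("DEFAULT_SECURITY_SMACK", "yama,loadpin,safesetid,integrity,smack"),
    ("DEFAULT_SECURITY_TOMOYO", "yama,loadpin,safesetid,integrity,tomoyo"),
    ("DEFAULT_SECURITY_APPARMOR", "yama,loadpin,safesetid,integrity,apparmor"),
    ("DEFAULT_SECURITY_DAC", "yama,loadpin,safesetid,integrity"),
]

# Constructed samples: a distro-style SELinux kernel that also builds TOMOYO,
# and a kernel with every major LSM built in.
SAMPLE_BUILT = frozenset({"yama", "loadpin", "safesetid", "integrity", "selinux", "tomoyo"})
ALL_BUILT = SAMPLE_BUILT | frozenset({"smack", "apparmor"})


def resolve_default(defaults, choice):
    """Kconfig semantics (assumed): the first default whose `if` holds wins."""
    for cond, value in defaults:
        if cond is None or cond == choice:
            return value
    return None  # no default matched; Kconfig would leave the string empty


def effective_lsms(lsm_string, built):
    """LSMs the kernel would initialise, in order, given the built-in set."""
    enabled = []
    exclusive_taken = False
    for name in lsm_string.split(","):
        if name not in built or name in enabled:
            continue  # not built in, or already listed
        if name in EXCLUSIVE:
            if exclusive_taken:
                continue  # a second exclusive LSM is left disabled
            exclusive_taken = True
        enabled.append(name)
    return enabled


def major_enabled(defaults, choice, built):
    """Only the major LSMs that end up active for this choice and build."""
    lsm_string = resolve_default(defaults, choice)
    if lsm_string is None:
        return []
    return [n for n in effective_lsms(lsm_string, built) if n in MAJOR]


if __name__ == "__main__":
    choices = ["DEFAULT_SECURITY_SELINUX", "DEFAULT_SECURITY_SMACK", "DEFAULT_SECURITY_TOMOYO",
               "DEFAULT_SECURITY_APPARMOR", "DEFAULT_SECURITY_DAC"]
    for label, built in (("selinux+tomoyo built", SAMPLE_BUILT), ("all majors built", ALL_BUILT)):
        print(f"== {label} ==")
        for choice in choices:
            print(f"{choice:28s} Kees: {major_enabled(KEES_DEFAULTS, choice, built)!s:22s}"
                  f" Tetsuo: {major_enabled(TETSUO_DEFAULTS, choice, built)}")
```

Running it shows the difference Tetsuo describes: with selinux and tomoyo both built in, Kees's fragment yields `['selinux', 'tomoyo']` for the SELinux choice and even for DAC (which has no entry and falls through to the unconditional default), while Tetsuo's yields exactly the chosen major LSM, or none for DAC.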