From: Kees Cook
Date: Wed, 27 Mar 2019 13:45:40 -0700
Subject: Re: Linux 5.1-rc2
To: Tetsuo Handa
Cc: James Morris, Randy Dunlap, Linus Torvalds, Linux List Kernel Mailing, linux-security-module
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 27, 2019 at 1:30 PM Tetsuo Handa wrote:
>
> On 2019/03/28 4:16, Kees Cook wrote:
> > The part I don't understand is what you've said about TOMOYO being
> > primary and not wanting the others stackable? That kind of goes
> > against the point, but I'm happy to do that if you want it that way.
>
> Automatically enabling multiple legacy major LSMs might result in a confusion like
> Jakub encountered.

The confusion wasn't multiple enabled: it was a change of what was
enabled (due to ignoring the old config). (My very first suggested
patch fixed this...)

> For a few releases from 5.1 (about one year or so?), since
> CONFIG_DEFAULT_SECURITY_* will be ignored after CONFIG_LSM is once defined in
> their kernel configs, I guess that it is better not to enable TOMOYO automatically
> until most people complete migrating from CONFIG_DEFAULT_SECURITY_* to CONFIG_LSM
> and get used to using lsm= kernel command line option rather than security= kernel
> command line option.

It sounds like you want TOMOYO to stay an exclusive LSM? Should we
revert a5e2fe7ede12 ("TOMOYO: Update LSM flags to no longer be
exclusive") instead? (I'm against this idea, but defer to you. I think
it should stay stackable since the goal is to entirely remove the
concept of exclusive LSMs.)

I don't see problems for an exclusive LSM user (AA, SELinux, Smack)
also initializing TOMOYO, though. It should be a no-op. Is there some
situation where this is not true?

The situation you helped me see was that a TOMOYO user with
CONFIG_DEFAULT_SECURITY_TOMOYO would not want to see any exclusive LSM
also initialized, since that may NOT be a no-op.

So, AFAICT, my proposal fixes both Jakub's issue
(CONFIG_DEFAULT_SECURITY_* oldconfig entirely ignored) and Randy's
issue (subset of Jakub's: choosing DAC should mean no legacy major
initializes), and the "TOMOYO user surprised to see an exclusive LSM
also initialized".

If you're happy with the proposed change in my prior email, I'll send
it properly to James. If not, what do you see that needs changing?

Thanks!

-Kees

-- 
Kees Cook