Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp5754057img; Wed, 27 Mar 2019 14:45:12 -0700 (PDT) X-Google-Smtp-Source: APXvYqwpZ5d0PiPMLpzoMDHY8fJjA1Cajno5TK/WJcTnEXiAFqBtmUoaENG3Iu7Euvu34rXTAzkS X-Received: by 2002:aa7:85cc:: with SMTP id z12mr37479754pfn.142.1553723112857; Wed, 27 Mar 2019 14:45:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553723112; cv=none; d=google.com; s=arc-20160816; b=Q+8EdbCTw1+XRhic0JTOuNmGUx/2N3peCcpXKwKs0JnzkCXHXxMZCqy/eePjRO8JsA L3Iu5b5fvThDJGbI6qv0342mCnt8U+PVheoP++Im6Z7zx6RmiGExlk6d+9RWKNOdQrKd GWz8PKsb56/7+Shu3c5uCuPWFk4jkI+3enbtm0GQ369heo39LtQ152yIUh8/jlLQgr/J 0rGrbVpyznrMkeWxtL/q4o3BvIdowUdOEMdDHz9Q3p5KfpJFEzNYXnk2Rld9lDtwy63L 3O958BgSWiBaaO1f38fx7d2oJ8i3UyxcxlcS1a7k+D7M3HqB7jc4GnXozRMb606Ae+6d Rljw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=2H9efyYuxSZyrKK5zpfZ+IOK9WqTnb1AoQmbDeHmHqM=; b=n9/B0aTI7dfCxntYkc2wJ6FYg8+NrM4DZpKZBPJ99dhW1rMI+G1UTap+yXXgSPXoRr mkY36prODeH7IjL/Lsek/1J1Mw+aojtjS10kodzb3ARfC4Y0+E/34L/36cCBDvIC2yU1 dtfuDUxGr1MWGXhs923HD8uAVa2Ss9/fEMaam6n6c5Dqw+hp9isK/6S8iE5oEUUB2SVZ 6AmdltdJRWdum9DzsL20eCn8WPshj7yzD2JKx+4RtsnR+IiAOEAXj31mZ/HKxu6pvNz9 qkiOgRsd6u9Z33C+3KpjX34cPiavb3UR2DdGo5dzwnSOqz/THXFIUQ5nDT0YwqFRWrml V2mg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="dBlbl/HI"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m133si19525755pga.314.2019.03.27.14.44.56; Wed, 27 Mar 2019 14:45:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="dBlbl/HI"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727656AbfC0Vnz (ORCPT + 99 others); Wed, 27 Mar 2019 17:43:55 -0400 Received: from mail-ua1-f46.google.com ([209.85.222.46]:36705 "EHLO mail-ua1-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726120AbfC0Vnz (ORCPT ); Wed, 27 Mar 2019 17:43:55 -0400 Received: by mail-ua1-f46.google.com with SMTP id e15so6166620uam.3 for ; Wed, 27 Mar 2019 14:43:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2H9efyYuxSZyrKK5zpfZ+IOK9WqTnb1AoQmbDeHmHqM=; b=dBlbl/HIhfeZzoow57UlUGikPWwoKN6NxQ3pNVIIqU5DThO1MNGYVbrn3M3+dhuCQq 6ZVZMJzPTWT8a3/EittrmyL5Zd4mrInyCGen2fMY+Q9Znvre8z7pim8aUBS3/LhRaAS9 ZSPF8MTs1FYoun7ZAQZCLTa3mjw9yiSUZP2cA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2H9efyYuxSZyrKK5zpfZ+IOK9WqTnb1AoQmbDeHmHqM=; b=aXtWAdDaFonG7Q0L8aHj+ELbvzHUcEMOjfy0SpNSgto1ieXClwXogT9PmUEvTMKMGe u/Q9JzMKiYe4fh4OlKq6BUfXuIg7Z7+wbwRKkJtkeE2llFCToJn0hNIJVQ/BxbrPXxY6 tPEX30+a9S/MKJlPiw2q2MHYx7jh9VnXH/nHBHrnNCfjXQysKIfRfGDmnZFvZX54pOXW tHAcDTx3yCAfSl1542Q+GFWleCIqQGRq9aYHahTg3Zwwr8M9Oc993S9n6ZWJmqaPuJvi 80oWpXgTSDh2OEjewWYMG+3TFVtCfiQPuxMa+Tm1S+/nZgaqvq6uuS/oq/9Gx8dJolma IUXw== X-Gm-Message-State: APjAAAXI4ce5R+a8Ata0Lj7AADsdU2BJWEmODswGfDNxdUZhr1Gmf40G sGBA8sReRzJz9RZ4B+qhj1CnW4952lM= X-Received: by 2002:ab0:7358:: with SMTP id k24mr22897437uap.104.1553723033354; Wed, 27 Mar 2019 14:43:53 -0700 (PDT) Received: from mail-vs1-f43.google.com (mail-vs1-f43.google.com. [209.85.217.43]) by smtp.gmail.com with ESMTPSA id c204sm1427826vkd.14.2019.03.27.14.43.51 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Mar 2019 14:43:52 -0700 (PDT) Received: by mail-vs1-f43.google.com with SMTP id j184so10890924vsd.11 for ; Wed, 27 Mar 2019 14:43:51 -0700 (PDT) X-Received: by 2002:a67:fa94:: with SMTP id f20mr23597542vsq.172.1553723031625; Wed, 27 Mar 2019 14:43:51 -0700 (PDT) MIME-Version: 1.0 References: <2d4f3bfa-22c7-a18c-3902-fe1b6ac401f7@infradead.org> <8811b2e4-28e1-2f01-024b-fb7d0196483f@i-love.sakura.ne.jp> <98289cd2-095a-f0cd-e405-887ecbba0030@i-love.sakura.ne.jp> In-Reply-To: From: Kees Cook Date: Wed, 27 Mar 2019 14:43:40 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: Linux 5.1-rc2 To: Tetsuo Handa Cc: James Morris , Randy Dunlap , Linus Torvalds , Linux List Kernel Mailing , linux-security-module , Jakub Kicinski Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 27, 2019 at 2:05 PM Tetsuo Handa wrote: > > On 2019/03/28 5:45, Kees Cook wrote: > > On Wed, Mar 27, 2019 at 1:30 PM Tetsuo Handa > > wrote: > >> > >> On 2019/03/28 4:16, Kees Cook wrote: > >>> The part I don't understand is what you've said about TOMOYO being > >>> primary and not wanting the others stackable? That kind of goes > >>> against the point, but I'm happy to do that if you want it that way. > >> > >> Automatically enabling multiple legacy major LSMs might result in a confusion like > >> Jakub encountered. > > > > The confusion wasn't multiple enabled: it was a change of what was > > enabled (due to ignoring the old config). (My very first suggested > > patch fixed this...) > > Someone else might get confused when TOMOYO is automatically enabled > despite they did not specify TOMOYO in lsm= or security= or CONFIG_LSM. > > > > >> For a few releases from 5.1 (about one year or so?), since > >> CONFIG_DEFAULT_SECURITY_* will be ignored after CONFIG_LSM is once defined in > >> their kernel configs, I guess that it is better not to enable TOMOYO automatically > >> until most people complete migrating from CONFIG_DEFAULT_SECURITY_* to CONFIG_LSM > >> and get used to use lsm= kernel command line option rather than security= kernel > >> command line option. > > > > It sounds like you want TOMOYO to stay an exclusive LSM? Should we > > revert a5e2fe7ede12 ("TOMOYO: Update LSM flags to no longer be > > exclusive") instead? (I'm against this idea, but defer to you. I think > > it should stay stackable since the goal is to entirely remove the > > concept of exclusive LSMs.) > > I never want to revert a5e2fe7ede12. For transition period, I just don't > want to automatically enable TOMOYO when people did not specify TOMOYO. > > > > > I don't see problems for an exclusive LSM user (AA, SELinux, Smack) > > also initializing TOMOYO, though. It should be a no-op. Is there some > > situation where this is not true? > > There should be no problem except some TOMOYO messages are printed. Okay, so I should send my latest version of the patch to James? Or do you explicitly want TOMOYO removed from all the CONFIG_LSM default lines except when selected by CONFIG_DEFAULT_SECURITY_TOMOYO? (I worry the latter will lead to less testing of the stacking.) -- Kees Cook