Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp18598img; Wed, 27 Mar 2019 15:56:29 -0700 (PDT) X-Google-Smtp-Source: APXvYqwZLhQn6ZckqZ4hWgfMXEMSNqj/e+8IbvdvtEIFUzoV1AaXvXqKdQfULY9ykHmBvjXWmBmU X-Received: by 2002:a63:1b07:: with SMTP id b7mr38105231pgb.250.1553727389272; Wed, 27 Mar 2019 15:56:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553727389; cv=none; d=google.com; s=arc-20160816; b=MquLs6TOIZO3IxI3zw3dAuyIm212k9lPs7lhqDbV5Tz/PrlpsHWzrGO0kePMKXjUN7 nF9o2IFSf57EFKldavhp1tOAlXJTw9aAT+nk5r7vY1mg0ne8l1BdjXtW1+wV13j91rnj bbXT5fltupyXZa1A9qShKQaH/L0BtyCxTADzwGl8ZsH8SrMxPV50KZ0qLSYILWViJW+G ZVD55Fa78ZBO4ZsUhSxjgsVW3XvL67ILxhbLSgIs/y9qtnUqXypDhcm19sKh2LE0hStR 0EVM5WcE4oQ35u+HmNzRXcy92X8mL1WQKTVxkS8ZDYlfU6FP/eg0Bmi4zJF5JEkem4Dg WG5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=SnnOPuYGwfsBn4pr0Duph/PqYHKZWyJUupKIiMgpd8Y=; b=I64QjUuSMJ7PhXA5Kh8H2ouecaCVysys6W+eL3Tr6FuwsvEmQXkeiJzMzuAAgNGcSI 79ororLF3SU+sV9+At2t2btg9FdDDbSS72JYmFgw9ScAFjmyi9b8NhY+75vHu5jSQdL/ iXns9ZHxPte4mBqlQLoVOE7p46r7napoQSDyGgCZgeroEA7P9hFyISoC9y+IqbvkFoze RJQMi/Z+XGgDPNDKZ8+H86/QxOfYhoUd6862f1UjrUnNAJSRScIlWNYqHkqYxRklxfj9 4eNEX+nBd6lZGqeYbkFZKCQr/OdqndgVfBCN54hnJ55bzYqZZ8UBm/fxUvmTfhpFd5+Z g5iw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b="fpKcru/T"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g6si18893440pgk.478.2019.03.27.15.56.13; Wed, 27 Mar 2019 15:56:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b="fpKcru/T"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728119AbfC0Wz1 (ORCPT + 99 others); Wed, 27 Mar 2019 18:55:27 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:58142 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725601AbfC0Wz1 (ORCPT ); Wed, 27 Mar 2019 18:55:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To: Subject:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SnnOPuYGwfsBn4pr0Duph/PqYHKZWyJUupKIiMgpd8Y=; b=fpKcru/TWQCqVYR5w+Gi9IFHj +te9k0gDg/mu+05upnLvAiThj4KHpY0upeH8yShRHE65piOYbGA4Nys7H1auxtgoNdBaTGecv3Nmj ZlL1ehH5CWc/vg+aeKOEUQaNVshZmCOs0Vo+FCgXG9KEOba3229JNpPl7/d11Gcl3csvV3ozqom3a cnD4fzUbpn3iOE0B3lNmfi6/Hrtoe7qSCrhWjv6RZrZUqVpZdoGCNrGMM8Z59j8EfMmB+8E/kGDQX QqIDAt7HZDEw33IM1Phas8KGzEK3hbfZKK5X474TIUcgSMLYENQlpvGQ8T2aqwefDVQV3wsJE0KU0 bKK/OxWaQ==; Received: from static-50-53-52-16.bvtn.or.frontiernet.net ([50.53.52.16] helo=midway.dunlab) by bombadil.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1h9HS7-0002g0-OD; Wed, 27 Mar 2019 22:55:23 +0000 Subject: Re: Linux 5.1-rc2 To: Casey Schaufler , Tetsuo Handa , Kees Cook Cc: James Morris , Linus Torvalds , Linux List Kernel Mailing , linux-security-module , Jakub Kicinski References: <2d4f3bfa-22c7-a18c-3902-fe1b6ac401f7@infradead.org> <8811b2e4-28e1-2f01-024b-fb7d0196483f@i-love.sakura.ne.jp> <98289cd2-095a-f0cd-e405-887ecbba0030@i-love.sakura.ne.jp> From: Randy Dunlap Message-ID: <366dcec3-1599-9e56-4660-44791e1c7a45@infradead.org> Date: Wed, 27 Mar 2019 15:55:21 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/27/19 3:23 PM, Casey Schaufler wrote: > On 3/27/2019 3:05 PM, Tetsuo Handa wrote: >> On 2019/03/28 6:43, Kees Cook wrote: >>>>> I don't see problems for an exclusive LSM user (AA, SELinux, Smack) >>>>> also initializing TOMOYO, though. It should be a no-op. Is there some >>>>> situation where this is not true? >>>> There should be no problem except some TOMOYO messages are printed. >>> Okay, so I should send my latest version of the patch to James? Or do >>> you explicitly want TOMOYO removed from all the CONFIG_LSM default >>> lines except when selected by CONFIG_DEFAULT_SECURITY_TOMOYO? (I worry >>> the latter will lead to less testing of the stacking.) >>> >> My approach is "opt-in" while your approach is "opt-out". And the problem >> here is that people might fail to change CONFIG_LSM from the default value >> to what they need. (And Jakub did not change CONFIG_LSM to reflect >> CONFIG_DEFAULT_SECURITY_APPARMOR from the old config.) Thus, I suggest >> "opt-in" approach; which includes up to only one legacy major LSM and allows >> people to change the default value to include multiple legacy major LSMs. >> >> You can propose your latest version. If SELinux/Smack/AppArmor people >> prefer "opt-out" approach, I'm fine with "opt-out" approach. > > In the long haul we want people to use CONFIG_LSM to set their > list of modules. Providing a backward compatible CONFIG_DEFAULT_SECURITY_BLAH > makes some sense, but it's important that we encourage a mindset change. > Maybe with CONFIG_DEFAULT_SECURITY_LIST with a a full list, which uses the > value from CONFIG_LSM, and make it the default? > Hi, I'm still confused. Does this mindset change include removing support of SECURITY_DAC? If so, where was this discussed and decided? And if so (again), that feels like enforcing some kind of policy in the kernel. thanks. -- ~Randy