Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp837178ybm;
        Wed, 22 May 2019 12:22:19 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxGQ6WtkKmM0XSF0tC1OOtZWZbEKkAnF/1tNcEUWrFdogZ7S87eAHNyjYuv93Ksuxtqj0oH
X-Received: by 2002:a63:e616:: with SMTP id g22mr24768587pgh.61.1558552938846;
        Wed, 22 May 2019 12:22:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558552938; cv=none;
        d=google.com; s=arc-20160816;
        b=FW12qx/xwSHaB2Nb717TPDfg6hcH05XycUQK6rlmdgk9DwW8Fay5cZw1vl7Kb3qUTm
         cI8S/owiDILM8gNmxcdNvYbaMDAqIttfI1Q5rc7xDtTuUWLjtcF1c1xeMU6HFcFEUjf6
         pNRCiDdzZKpgsASs7jIrBqRgpaj9ybK7kdrF9qkPkS8JQLK/27egnRF8PUkBtnParrr6
         Xu5e7LZwEaI87Kk4ZChGckyx2Vckjb1x6on4ITOXtbTvHm5aHsSzyIfvxlKrJbrPzjuD
         NA4iqQ2W0v1I/SFxRU5S+I5pqggnT1Y5xg/Mu5VtVm79LeOwoDwMHeF1e9H6Bib7Mdxi
         09uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=bkFzqWyPF+GWLr7/bsh454pHwh4PtDYAWG+h0UgKyLw=;
        b=rv9hQgVn+9P67ZUzuqColTE7lxoJvDbw6mbHaUE2W/M0SH0KznnS+cXCldIvfBk95/
         +kowpoOlxu9LDDVQeBR0nU7NdFU9LDnrYJUG5YZUSrCFl/fnueqDzoZzSJOdEbTDym8P
         12KOTsFijxD9FhK0ku92anK1ZYgyukSyO2AZ5zn75WMoACUtzfs/TOT754cvMlrp88Yk
         1U3irehhQ2y5YdYCPbtlQTjIujJr0HjExEksxJoWCN5JTW3wODTff4I9moxlyRZ0Tyld
         GAOQPuHBN0ROjdt+eB8836b//LITFAh4tTJmVW9pCCymPFDEO2bwavfAQebFohJkTWbn
         +k9Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k62si26830637pgd.502.2019.05.22.12.22.03;
        Wed, 22 May 2019 12:22:18 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729818AbfEVTTX (ORCPT <rfc822;radocaj.bane@gmail.com>
        + 99 others); Wed, 22 May 2019 15:19:23 -0400
Received: from namei.org ([65.99.196.166]:33844 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728615AbfEVTTX (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 May 2019 15:19:23 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x4MJJFlT023718;
        Wed, 22 May 2019 19:19:15 GMT
Date:   Thu, 23 May 2019 05:19:15 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Stephen Smalley <sds@tycho.nsa.gov>
cc:     Andy Lutomirski <luto@kernel.org>,
        Matthew Garrett <mjg59@google.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Turn lockdown into an LSM
In-Reply-To: <14ed1f30-a1d0-f973-5c8c-241337c8fc09@tycho.nsa.gov>
Message-ID: <alpine.LRH.2.21.1905230457000.18826@namei.org>
References: <20190521224013.3782-1-matthewgarrett@google.com> <alpine.LRH.2.21.1905221203070.3967@namei.org> <CACdnJuuTR=Ut4giPKC=kdxgY9yPv8+3PZyEzuxvON3Jr_92XnQ@mail.gmail.com> <CALCETrVow8U=xhQdJt8kSMX16Lf0Mstf3+QxY4iz4DHVp=PYWA@mail.gmail.com>
 <14ed1f30-a1d0-f973-5c8c-241337c8fc09@tycho.nsa.gov>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 22 May 2019, Stephen Smalley wrote:

> That seems to violate the intent of lockdown as I understood it, and 
> turns security_is_locked_down() into a finer-grained capable() call. 
> Also, if I understand correctly, this could only be done if one were to 
> disable the lockdown module in the lsm list, since the security 
> framework will return non-zero (i.e. the operation is locked down) if 
> any module that implements the hook returns non-zero; LSM is 
> "restrictive". At that point SELinux or the other LSM would be the sole 
> arbiter of lockdown decisions. SELinux or the other LSM also wouldn't 
> have access to the kernel_locked_down level unless that was exported in 
> some manner from the lockdown module.  Not sure how to compose these.

Right, I was envisaging the LSM replacing the default.

i.e. the default is tristate OR fine grained LSM policy.

They could in theory be composed restrictively, but this is likely not 
useful given the coarse grained default policy.  All the LSM could do is 
either further restrict none or integrity.

We'd need to figure out how to avoid confusing users in the case where 
multiple LSMs are registered for the hooks, possibly by having the 
lockdown LSM gate this and update the securityfs lockdown node with 
something like "lsm:smack".


-- 
James Morris
<jmorris@namei.org>