Received: by 2002:a17:90a:2044:0:0:0:0 with SMTP id n62csp1268849pjc; Wed, 22 May 2019 12:59:09 -0700 (PDT) X-Google-Smtp-Source: APXvYqzMs4RIPqGBCRbsVYfITCd6hSLNG9spTdGbKbPsLN2L8yyNHlWT8ZNCK98KrGHptnNfY3En X-Received: by 2002:a63:6a41:: with SMTP id f62mr91016192pgc.392.1558555149828; Wed, 22 May 2019 12:59:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558555149; cv=none; d=google.com; s=arc-20160816; b=Ibk5lH9EpjFdkOGeTSXAi/pR+dB0vfuVmO0akiXiTYTKkPQtXXf6GA7V4Wc4l6pd8p jyVES5AB3vIok55ld3KXojFHmBKIg6yA2CcHXzSr/iD0I1VVg63gJrXv74mIbVKST54G I43Lg5eOZQnvo8LaOchDBikH2VaKvi65SnwekEv4l1yPQBa3tsH4eqNo8eTOikdRdKv5 UY5f9MUF4u8TQW7TfX8U9oR6jPrnLNyI8H6TzxI3UqbAveX3gEXnCCCIxgxbuW/NjFBJ bd85n1yfr/H4LZEmHouCbWmhQ3WtkMP16PW25ezJEmAsP+j7t07d96Xvx2apFonW4jta j1ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=lxUK78hbg598LYlSBwDY5EGORMzFcW2ess5/JaNr0AU=; b=Qgd+Gu/X5hsjuLaGLT4dKF6bp/To9UGGDfyL8Lxb3c1KCLblVuW0HQP0PhWXqKFxPY Rt3KB9thlAbLnijQhyn5IyNP95aIwDs9pPMn7FOE3+wDt85WJaxA9xHMnRVA/esxWxpx 0cOUn9s2lT9uUHKK1tnC2veWtK4GkY0sPx48JlFwgDd9fZeU9Di+HB7qCc4MyfmZemgO 4JrbxOlTruTsUvZDWxu5AzxleFJqul9XufEAf2+mj5EWpGFdjLwpfm7tq8JEciSNSIzm ej93lNe5uYZ1kLJ97vjk4KPI2UyvtLHquLpd1K+GXxT4Az70USX4zspVyMxmhp6yqwko WBkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=PcfrbUBe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q6si16012140pgm.101.2019.05.22.12.58.54; Wed, 22 May 2019 12:59:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=PcfrbUBe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732258AbfEVT51 (ORCPT + 99 others); Wed, 22 May 2019 15:57:27 -0400 Received: from sonic303-9.consmr.mail.bf2.yahoo.com ([74.6.131.48]:46034 "EHLO sonic303-9.consmr.mail.bf2.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731273AbfEVT5U (ORCPT ); Wed, 22 May 2019 15:57:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1558555039; bh=lxUK78hbg598LYlSBwDY5EGORMzFcW2ess5/JaNr0AU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=PcfrbUBeS+bOnSQWry2tGvdZWAb24XDqo6aMGXsrRALklApn2d4k24HSjwJw89TijRRXDpYBJeJlL7wFnQVo1gkuftT3uOo7FAQi8f0ZGpMLgSE1fjxi/x3ueHjZeUuTxzPCHEHBbycHZLk63xH6zG6DhJBuh9PabpnJKn9nODk92CC/Jv2kvpBqV1QF++Bib3RRG1koA6si6d1Y6gI95ON8hcGgyCq1Y0shjzfXsgm4wb7Cg3vnZZYyOvZDZjFzf/5Y6p7NRU18c+R07pmTh9RFi3KMJe/YvylYJJ9GYtkt7CPS3ptafvSyijotN15LolI+YjwFGcA8WmKe8UwLOg== X-YMail-OSG: 6jV9iIYVM1kyO4mEtN.FQz.IwSkedBG6_Cl759TxAMFN7pTfy3UMOYZdazIGuWz ZdPjt1.264z_CnqLEWbVfwlEKOX8cyVpU11WMNo8ELWJxyr4GNaQTwLJZCzIkaGtSrUvWlMruFij .IiN7FPvFbqqYzqWeW5DrAx.i5o_gnprk8Bu3BKFJ9XTtpXKQYe0zrv9j1d0E9NF8ZfB_G4xqIql axoGUoTrpH0O2PTkVNjHAxwHYBAZOsF64fFma_RFt.R_9wCnKUouHGK3QQHs.h6TjpPfBIEUApA2 kayKvzOBr.tgBEaz3d7PsUKMLIJ5lF76qvUs4H915rBY_PZKzIk6MVmKtHa.l.C67vOclT.nT132 C62VZWE2MtMK_btgLKsSNXIRi8JiBt8dQspjjPGYtAASmwoFkJlov9EHo.7YnLsEMAxv9ahjVcym Bno6.05yC2sqOhM8B_AQbvoZ_djd8I7EVGOCylM3it4A_Kc5QaIRgRTnOj5CYeCqd.YtqfCvNVNW jM9.cZF4sWyZQFgrkuCmeAQcPuUVgCIEQYeJGnvgbNQpkuRJBumx565iiyRhVSoGu3LgcKh_uxfg Sr1O9MBsUSSp7oXZvypjd9igasfeS4jX4AcnpujpBWYJP1kYXuKHXEeCMVTKH3X185GKf6z7DyoK E6.fNAx2ruj3KaM2g6X3NVKY6sJXP4.7K7D2gUEaY2_8vQIqJW1Ai0WZHsDZc8jCVIP9REtjOQBr ZMB67jYITqDVTE6QMYidVGaRo0z2ktSQ_uGVATf3a8YZKHzcTQZp2NLXo3Mqs68Vg.Awa0E.gQSe UfiBS5EHEk_FjwXBb3fhpCmnWbn2S7SPJbt9UZbeDAyGUn.D8u_5z6nyecMjVTYXPUmEeqAQDx5z h8YyU3q4KTqztQpRr6TB9fZo_iEMOXOGg_l8la5SBVO.Tbhnz.BpvoF3c6pywZTwCrv52v4bhuHO x.cu5Pdq_gvM6IlsgcmTUg7.cu6yHmIv3Jq26HJl157Z2HFRwvIrz1Qfco8g_aAVrxnvjcqWLdKp bLRivyJewEkGvjkGDDloCyPxM4EHSWREy62QrOjj68VGN6_8bxWcFo5Ky_9OM87KKuzU5d2XyKJ0 7cV5U2VP7WdHUeZMkU8smFol1WA0oo6DnqIm9iNWCHuP7wl_BYc3vc4t4UDrChLu3Ho1ljQPDSLh WPUoVioO4L90d_Xu9ez3bMIaXJmKvySdig2fQfmyqTPPq4qVKwOIWCDaGaPbLIYiXNMVEjYe2kKS KtjJJykP5Q.dNDk10.f0- Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.bf2.yahoo.com with HTTP; Wed, 22 May 2019 19:57:19 +0000 Received: from c-73-223-4-185.hsd1.ca.comcast.net (EHLO [192.168.0.103]) ([73.223.4.185]) by smtp403.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID adb4da5c904a17c8b2b4ab09cd681d07; Wed, 22 May 2019 19:57:15 +0000 (UTC) Subject: Re: [RFC] Turn lockdown into an LSM To: James Morris , Stephen Smalley Cc: Andy Lutomirski , Matthew Garrett , LSM List , Linux Kernel Mailing List References: <20190521224013.3782-1-matthewgarrett@google.com> <14ed1f30-a1d0-f973-5c8c-241337c8fc09@tycho.nsa.gov> From: Casey Schaufler Message-ID: <8b33a96f-160d-8e5d-4335-db2445cbe37a@schaufler-ca.com> Date: Wed, 22 May 2019 12:57:13 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/22/2019 12:19 PM, James Morris wrote: > On Wed, 22 May 2019, Stephen Smalley wrote: > >> That seems to violate the intent of lockdown as I understood it, and >> turns security_is_locked_down() into a finer-grained capable() call. >> Also, if I understand correctly, this could only be done if one were to >> disable the lockdown module in the lsm list, since the security >> framework will return non-zero (i.e. the operation is locked down) if >> any module that implements the hook returns non-zero; LSM is >> "restrictive". At that point SELinux or the other LSM would be the sole >> arbiter of lockdown decisions. SELinux or the other LSM also wouldn't >> have access to the kernel_locked_down level unless that was exported in >> some manner from the lockdown module. Not sure how to compose these. > Right, I was envisaging the LSM replacing the default. > > i.e. the default is tristate OR fine grained LSM policy. > > They could in theory be composed restrictively, but this is likely not > useful given the coarse grained default policy. All the LSM could do is > either further restrict none or integrity. > > We'd need to figure out how to avoid confusing users in the case where > multiple LSMs are registered for the hooks, possibly by having the > lockdown LSM gate this and update the securityfs lockdown node with > something like "lsm:smack". The way I'd propose dealing with multiple LSMs using the securityfs interface is the same as I'm proposing for /proc/.../attr/current and SO_PEERSEC. A new interface /proc/self/attr/display contains the name of the LSM that the current process will see when looking at process or security attributes that are "shared". Writing to display is unprivileged and changes which LSM you get information for. Adornments like "lsm:smack" often require modification of programs that fear change. The same would be true of a prctl(). The "display" file approach is no harder for applications that are getting modified and much easier for scripts.