Date: Tue, 25 Jun 2019 16:04:15 +1000 (AEST)
From: James Morris
To: Matthew Garrett
cc: LSM List, Linux Kernel Mailing List, Linux API, Stephen Smalley, Andy Lutomirski, John Johansen, Casey Schaufler
Subject: Re: [PATCH V34 00/29] Lockdown as an LSM
References: <20190622000358.19895-1-matthewgarrett@google.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, 24 Jun 2019, Matthew Garrett wrote:

> > We are still not resolved on granularity. Stephen has said he's not sure
> > if a useful policy can be constructed with just confidentiality and
> > integrity settings. I'd be interested to know JJ and Casey's thoughts on
> > lockdown policy flexibility wrt their respective LSMs.
>
> This implementation provides arbitrary granularity at the LSM level,
> though the lockdown LSM itself only provides two levels. Other LSMs
> can choose an appropriate level of exposure.

Ahh, OK, I only looked at the patchset description and had not looked at V33 yet.

This is looking good.

--
James Morris