Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp344263ybm; Fri, 29 May 2020 01:23:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyWq4c0sRIR65frsiFs025t+jpZQmXRiOJ7hOhQLoryfD9vqFg6HYSI+dMDjtpac3edobXt X-Received: by 2002:a50:99c9:: with SMTP id n9mr7187637edb.1.1590740603957; Fri, 29 May 2020 01:23:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590740603; cv=none; d=google.com; s=arc-20160816; b=YnTJM1C3dVC0on1yDIbO1xqItSjpmSY2+G864h8xcHs/uPInBgJgu0Sjo/TN5UerD4 cQrq2LC5Vd6Bj10/V4b0uSzTcSgOL4umYwKo+RyZ1i6VxC6pPVBDo6GdSg4YEmaeX16o GfdSjS+l87wPeXs0nNH5dY871EW2CYMf3AbVRd9ES5p/SNK3oIDXHiUnGG1yY4QjWxuj 7zd/6qpNgZ7Ve5vi+Cuv4BymzTPgZBjwjKzr7xmx9n5HzhMpgRGjtLtKqCpKwh/krY2B 1e03DtdCDhwkALYkGtP2aZkvwF1Lhpy5i19UuGbRxbLAJyBEgBDYwlAoiAqpDrVkC0cf 4vXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=L9OQePj0r1DxbbQKMpVTsjJe+ec/LI2IBj6P0///7AE=; b=g75URmCHLW1LhO55u3yWuuBn2byJ04pvwzPIDqeXFSBUhBFYTChaXQ5DsIW8RyFtZ3 HaKB1vzuk4Egp4dAr8pnrBYgMnBfW52uiycrNoQoBGUQsLSv8XDSu4ka2OA4bDFTJJd3 iL9ykyr//Us/JrCWMOuRvILzLA05/9m5ZizCd25giWstxv1LUzyFy+a2KvcsaADuvbzA 4oynGK/BLSphg6DX+IvfIOfXeV+Slz2GyurGyUHCOFoEwd0FDTux0+seHo1QezawRXAD 8JVrRKfJoQ74MZB0JrevGOIFCVO1Y4eXOty2Xqc7ZFdDypdUpc1aCY3YnnAr4oPwRSNC xC8w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n22si3179476eda.377.2020.05.29.01.23.00; Fri, 29 May 2020 01:23:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726446AbgE2IS7 (ORCPT + 99 others); Fri, 29 May 2020 04:18:59 -0400 Received: from smtp-8fae.mail.infomaniak.ch ([83.166.143.174]:43447 "EHLO smtp-8fae.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725562AbgE2IS6 (ORCPT ); Fri, 29 May 2020 04:18:58 -0400 Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49YHXH2hL3zlhf9v; Fri, 29 May 2020 10:18:55 +0200 (CEST) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 49YHXB4XMdzlhC5w; Fri, 29 May 2020 10:18:50 +0200 (CEST) Subject: Re: [RFC PATCH v3 00/12] Integrity Policy Enforcement LSM (IPE) To: Jaskaran Singh Khurana Cc: Deven Bowers , agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, dm-devel@redhat.com, linux-block@vger.kernel.org, jannh@google.com, tyhicks@linux.microsoft.com, pasha.tatashin@soleen.com, sashal@kernel.org, nramas@linux.microsoft.com, mdsakib@linux.microsoft.com, linux-kernel@vger.kernel.org, corbet@lwn.net References: <20200415162550.2324-1-deven.desai@linux.microsoft.com> <0001755a-6b2a-b13b-960c-eb0b065c8e3c@linux.microsoft.com> <8ba7b15f-de91-40f7-fc95-115228345fce@linux.microsoft.com> <44fb36ae-959d-4ff7-ed1f-ccfc2e292232@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <56a8c084-1496-b465-4f01-99282ac53baf@digikod.net> Date: Fri, 29 May 2020 10:18:36 +0200 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=iso-8859-15 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Jaskaran, On 17/05/2020 00:14, Jaskaran Singh Khurana wrote: > > Hello Mickael, > > On Thu, 14 May 2020, Micka?l Sala?n wrote: > >> >> On 12/05/2020 22:46, Deven Bowers wrote: >>> >>> >>> On 5/11/2020 11:03 AM, Deven Bowers wrote: >>>> >>>> >>>> On 5/10/2020 2:28 AM, Micka?l Sala?n wrote: >>>> >>>> [...snip] >>>> >>>>>> >>>>>> Additionally, rules are evaluated top-to-bottom. As a result, any >>>>>> revocation rules, or denies should be placed early in the file to >>>>>> ensure >>>>>> that these rules are evaluated before a rule with "action=ALLOW" is >>>>>> hit. >>>>>> >>>>>> IPE policy is designed to be forward compatible and backwards >>>>>> compatible, >>>>>> thus any failure to parse a rule will result in the line being >>>>>> ignored, >>>>>> and a warning being emitted. If backwards compatibility is not >>>>>> required, >>>>>> the kernel commandline parameter and sysctl, ipe.strict_parse can be >>>>>> enabled, which will cause these warnings to be fatal. >>>>> >>>>> Ignoring unknown command may lead to inconsistent beaviors. To achieve >>>>> forward compatibility, I think it would be better to never ignore >>>>> unknown rule but to give a way to userspace to known what is the >>>>> current >>>>> kernel ABI. This could be done with a securityfs file listing the >>>>> current policy grammar. >>>>> >>>> >>>> That's a fair point. From a manual perspective, I think this is fine. >>>> A human-user can interpret a grammar successfully on their own when new >>>> syntax is introduced. >>>> >>>> ?From a producing API perspective, I'd have to think about it a bit >>>> more. Ideally, the grammar would be structured in such a way that the >>>> userland >>>> interpreter of this grammar would not have to be updated once new >>>> syntax >>>> is introduced, avoiding the need to update the userland binary. To >>>> do so >>>> generically ("op=%s") is easy, but doesn't necessarily convey >>>> sufficient >>>> information (what happens when a new "op" token is introduced?). I >>>> think >>>> this may come down to regular expression representations of valid >>>> values >>>> for these tokens, which worries me as regular expressions are >>>> incredibly >>>> error-prone[1]. >>>> >>>> I'll see what I can come up with regarding this. >>> >>> I have not found a way that I like to expose some kind of grammar >>> through securityfs that can be understood by usermode to parse the >>> policy. Here's what I propose as a compromise: >>> >>> ????1. I remove the unknown command behavior. This address your >>> first point about inconsistent behaviors, and effectively removes the >>> strict_parse sysctl (as it is always enabled). >>> >>> ????2. I introduce a versioning system for the properties >>> themselves. The valid set of properties and their versions >>> can be found in securityfs, under say, ipe/config in a key=value >>> format where `key` indicates the understood token, and `value` >>> indicates their current version. For example: >>> >>> ????$ cat $SECURITYFS/ipe/config >>> ????op=1 >>> ????action=1 >>> ????policy_name=1 >>> ????policy_version=1 >>> ????dmverity_signature=1 >>> ????dmverity_roothash=1 >>> ????boot_verified=1 >> >> The name ipe/config sounds like a file to configure IPE. Maybe something >> like ipe/config_abi or ipe/config_grammar? >> >>> >>> if new syntax is introduced, the version number is increased. >>> >>> ????3. The format of those versions are documented as part of >>> the admin-guide around IPE. If user-mode at that point wants to rip >>> the documentation formats and correlate with the versioning, then >>> it fulfills the same functionality as above, with out the complexity >>> around exposing a parsing grammar and interpreting it on-the-fly. >>> Many of these are unlikely to move past version 1, however. >>> >>> Thoughts? >>> >> >> That seems reasonable. >> > > There is a use case for not having strict parsing in the cloud world > where there are multiple versions of OS deployed across a large number > of systems say 100,000 nodes. An OS update can take weeks to complete > across all the nodes, and we end up having a heterogeneous mix of OS > versions. > > Without non-strict parsing, to fix an issue in a policy we will need to > update the various versions of the policy (one each for all OS versions > which have different IPE policy schema). We will lose the agility we > need to fix and deploy something urgently in the policy, the nodes might > be failing some critical workloads meanwhile. All the various versions > of the policy will need to be changed and production signed then > deployed etc. Further some versions might introduce newer issues and we > will need to see what all versions of the policy have that bug. What can be done in the kernel to ignore some policy rules could also be done in a tool managing different policies. For instance, a simple tool can instantiate a human-written policy into multiple backward compatible policies (according to different versions of supported kernels). The appropriate policy could then be fetched on the fly by the nodes or pushed by an orchestration system. > > I propose keeping the non-strict option as well to cater to this use > case. Let me know your thoughts on this. With your constraints in mind, I still think that flexible policy management can be achieved with strict kernel policy parsing. The complexity should be handled by infrastructure management system. > > Regards, > JK