Subject: Re: [PATCH v30 03/12] landlock: Set up the security framework and manage credentials
To: Kees Cook
Cc: James Morris, Jann Horn, "Serge E . Hallyn", Al Viro, Andrew Morton, Andy Lutomirski, Anton Ivanov, Arnd Bergmann, Casey Schaufler, David Howells, Jeff Dike, Jonathan Corbet, Michael Kerrisk, Richard Weinberger, Shuah Khan, Vincent Dagonneau, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.kernel.org, x86@kernel.org, Mickaël Salaün
From: Mickaël Salaün
Date: Fri, 19 Mar 2021 20:07:55 +0100

On 19/03/2021 19:45, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:43PM +0100, Mickaël Salaün wrote:
>> config LSM
>> string "Ordered list of enabled LSMs"
>> - default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>> - default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>> - default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>> - default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
>> - default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
>> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
>> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
>> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
>> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
>> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
>> help
>> A comma-separated list of LSMs, in initialization order.
>> Any LSMs left off this list will be ignored. This can be
>
> There was some discussion long ago about landlock needing to be last
> in the list because it was unprivileged. Is that no longer true? (And
> what is the justification for its position in the list?)

Indeed, I wanted to put Landlock last because it was an unprivileged
programmable access-control, which could lead to side-channel attacks
against other access-controls (e.g. to infer enforced policies). This is
not valid anymore because Landlock is not using eBPF, only the BPF LSM
does that (which is not the only reason why it is the last stacked).

>
>> diff --git a/security/landlock/common.h b/security/landlock/common.h
>> new file mode 100644
>> index 000000000000..5dc0fe15707d
>> --- /dev/null
>> +++ b/security/landlock/common.h
>> @@ -0,0 +1,20 @@
>> +/* SPDX-License-Identifier: GPL-2.0-only */
>> +/*
>> + * Landlock LSM - Common constants and helpers
>> + *
>> + * Copyright ? 2016-2020 Micka?l Sala?n
>> + * Copyright ? 2018-2020 ANSSI
>> + */
>> +
>> +#ifndef _SECURITY_LANDLOCK_COMMON_H
>> +#define _SECURITY_LANDLOCK_COMMON_H
>> +
>> +#define LANDLOCK_NAME "landlock"
>> +
>> +#ifdef pr_fmt
>> +#undef pr_fmt
>> +#endif
>
> When I see "#undef pr_fmt" I think there is a header ordering problem.

Not in this case, it's a "namespace" definition. :)

>
>> [...]
>
> Everything else looks like regular boilerplate for an LSM. :)
>
> Reviewed-by: Kees Cook
>
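
Review bot: In the `config LSM` hunk, every `default` string now starts with "landlock", but nothing in the hunk or its help text records why Landlock is first in initialization order. A sentence of rationale in the help text or commit message would settle the ordering question for later readers. Because the help text says LSMs left off the list are ignored, it is also worth stating that a configuration which already carries one of the removed strings keeps Landlock disabled until its list is updated.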
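
Review bot: In security/landlock/common.h, the `#ifdef pr_fmt` / `#undef pr_fmt` / `#endif` guard discards whatever pr_fmt was defined before this header is included, and the visible lines carry no comment saying this is intended. A one-line comment above the guard stating that the override is deliberate would stop it from reading as a header-ordering workaround. The remainder of the header is elided in the quote, so this point covers only the guard as shown.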