Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp5145813rwi; Sun, 23 Oct 2022 00:32:38 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6NXW9L1Af+ZFOYsWc0xBAHQVJAlnRPvuHI7Qno2HrJv+WqGj5RG3pwhMYl6P0hXe1/0t3Q X-Received: by 2002:a17:902:b218:b0:184:710c:8c52 with SMTP id t24-20020a170902b21800b00184710c8c52mr27788230plr.95.1666510347901; Sun, 23 Oct 2022 00:32:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666510347; cv=none; d=google.com; s=arc-20160816; b=PyeNqyGOR8UHYqsSp4b6RJk/e/PYJ3ldv9phNb38zmPHi8BG1mYWghhfAMFmgNpcXA PrKFLOP5t9teyfw94VMGeCJnPglUardtMkQVNt8uvjAwxOiEMOCHGxmWBLKdQzeVNXIv apLqUSC6wlnRyrLowXtP95uolKX2ynZ8AfOPDHGizVcNzYiQJid7YYUPxBcOHBpLQEBq OtAyFMf4GnC6cMNp4Gnnu8rTAibey8e3ub/lU20isft/iTePIwYEBvpa6gio+7JEgTkP uJkzIVLzRIt8Q7bYkTjIFcj8pgH8PkFNtc6SR6wlYbcEqPGSwgoyp2rZftqv9Q82ue6r mhmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=Ep4RN6hJsCiWkJkRgQnDRYBK0POQ+ZSubXq6+WfBCi8=; b=athuuw3QM+vcw7odljsgvFp6zMvngCxYLDqKQfrnFeAgKN5mercM6D/c+Ou0eVkJpA WcZbGOzD82A1hMgHz3dgZDfyeaEGptllN1WUVzs5wI8ZAo13btPWk4y+NHnt4QN5wkiD JEFTQZBsovqvUuR3bVdVrD+9rWBVLXkwIRS2kaSnN2EJRpwySLr6mdot5/kT4rTfqFYH OblKyijBCxz99nHaUQ4CvzJ2qxITCOYJ71JS25NtprjeJdvl/G9CWaYoRFhG93hzX8Sm miWEtd7u6UCeGCq8ESpqrIzDudZsjrkBAGSZxA6RKvbAMyrnO3Q5zikydzPHMHDbA3zr MzsA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id m1-20020a170902db0100b0017840d9d42esi31912511plx.582.2022.10.23.00.32.16; Sun, 23 Oct 2022 00:32:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230103AbiJWH1T (ORCPT + 99 others); Sun, 23 Oct 2022 03:27:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38274 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230024AbiJWH1R (ORCPT ); Sun, 23 Oct 2022 03:27:17 -0400 Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B6BF5F98B for ; Sun, 23 Oct 2022 00:27:16 -0700 (PDT) Received: from fsav118.sakura.ne.jp (fsav118.sakura.ne.jp [27.133.134.245]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 29N7RFOQ082330; Sun, 23 Oct 2022 16:27:15 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav118.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav118.sakura.ne.jp); Sun, 23 Oct 2022 16:27:15 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav118.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 29N7RE9v082325 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Sun, 23 Oct 2022 16:27:14 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Sun, 23 Oct 2022 16:27:13 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.3.3 Subject: Re: [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data Content-Language: en-US To: Casey Schaufler , casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: linux-audit@redhat.com, jmorris@namei.org, selinux@vger.kernel.org, keescook@chromium.org, john.johansen@canonical.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org References: <20220927195421.14713-1-casey@schaufler-ca.com> <20220927195421.14713-5-casey@schaufler-ca.com> <9907d724-4668-cd50-7454-1a8ca86542b0@I-love.SAKURA.ne.jp> From: Tetsuo Handa In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022/10/21 8:42, Casey Schaufler wrote: > On 10/13/2022 3:04 AM, Tetsuo Handa wrote: >> On 2022/09/28 4:53, Casey Schaufler wrote: >>> @@ -483,6 +491,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, >>> { >>> int i; >>> >>> + /* >>> + * A security module may call security_add_hooks() more >>> + * than once. Landlock is one such case. >>> + */ >>> + if (lsm_id == 0 || lsm_idlist[lsm_id - 1] != lsmid) >>> + lsm_idlist[lsm_id++] = lsmid; >>> + >>> + if (lsm_id > LSMID_ENTRIES) >>> + panic("%s Too many LSMs registered.\n", __func__); >> I'm not happy with LSMID_ENTRIES. This is a way towards forever forbidding LKM-based LSMs. > > I don't see any way given the locking issues that we're ever going to > mix built in security modules and loaded security modules on the same > hook lists. The SELinux module deletion code is sufficiently scary that > it is being removed. That does not mean that I think loadable modules > are impossible, I think it means that their management is going to have > to be separate, the same way the BPF programs are handled. The only way > that I see a unified hook list is for all the LSMs to be implemented as > loadable modules, and I can't see that happening in my lifetime. I'm not expecting for unloadable LSM modules. I'm expecting for loadable LSM modules. I'm not expecting to make all LSM modules to be implemented as loadable LSM modules, for some want to associate "security label" to everything (including processes which might start before the global init process starts) but others do not need to associate "security label" to everything. > > I can see an LSM like BPF, as I mentioned before, that manages loaded > modules. Over the years I've seen several designs that might work. I'm > encouraged (and not a little bit frightened) by the success of the BPF > work. There can be LSM modules whose lifetime of hooks match the lifetime of a process which registered hooks for that process. In that case, being automatically unregistered upon process termination would be preferable. But there are LSM modules whose lifetime of hooks is irrelevant to a process which registered a hook for that process. In that case, we need a method for allowing registered hooks to remain even after that process terminated. Please don't think loadable LSM modules as something that require special handling. TOMOYO is an LSM module whose lifetime of hooks is irrelevant to a process which registered a hook for that process, but does not need to associate "security label" to everything. It has to be trivial to convert TOMOYO as a loadable LSM module. > > Converting the array[LSMID_ENTRIES] implementation to a hlist like the > hooks have used would not be that big a project and I don't see that > making such a change would be a show-stopper for implementing loadable > modules. I think that a lot of other issues would be more significant. Defining constants for each LSM module (i.e. "LSM: Add an LSM identifier for external use") is the show-stopper for implementing loadable modules. We won't be able to accept whatever LSM modules to upstream, and we won't be able to enable whatever LSM modules in distributor kernels. LSM modules which cannot define a constant due to either "not accepted to upstream" or "not enabled by distributor kernels" will be forbidden. I expect that we assign a constant upon module registration (instead of API visible constants) if we require all LSM modules to have a constant. > > I will, on the other hand, listen to compelling arguments. It is not the > intention of this code to lock out loadable modules. If I thought it would > I would not have proposed it. This code is exactly for locking out loadable modules.