Message-ID: <280c313e-c826-3b9c-a074-2ead3cf4107f@I-love.SAKURA.ne.jp>
Date: Sun, 23 Oct 2022 19:10:42 +0900
Subject: Re: [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data
From: Tetsuo Handa
To: Casey Schaufler, casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: linux-audit@redhat.com, jmorris@namei.org, selinux@vger.kernel.org, keescook@chromium.org, john.johansen@canonical.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022/10/23 16:27, Tetsuo Handa wrote:
> On 2022/10/21 8:42, Casey Schaufler wrote:
>> I will, on the other hand, listen to compelling arguments. It is not the
>> intention of this code to lock out loadable modules. If I thought it would
>> I would not have proposed it.
>
> This code is exactly for locking out loadable modules.
>

Imagine a situation where two individuals independently develop their own web applications using the same identifier, and then their web applications started working together with other web applications using that identifier. When they published their web applications for public and wider use, a problem that both web applications are already using the same identifier arises. It is too late to reassign the identifier. The same trouble can happen with loadable LSM modules.
Unless the upstream kernel behaves like a DNS registrar that assigns a unique domain name for whatever web sites (regardless of whether a web site is for public or not), defining a permanent constant for an LSM module is a way towards locking out loadable LSM modules. And it is well possible that a loadable LSM module wants to run on older kernels which do not have LSM id defined yet.

This "define LSM id as userspace visible constant" is more dangerous than just reserving some space for future use. You are trying to control all IP addresses for the sake of only in-tree LSM modules. No, no, no, please don't do that...