Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1296665rwb; Wed, 16 Nov 2022 15:24:19 -0800 (PST) X-Google-Smtp-Source: AA0mqf6xQa2fgg3kQF6TQpch89kAugH+Q2nffF87sIxElwTnPbY8brPF4w/iXOSu6wCQlCnZeiOT X-Received: by 2002:a17:906:3604:b0:78d:99a0:7cf6 with SMTP id q4-20020a170906360400b0078d99a07cf6mr83475ejb.56.1668641059710; Wed, 16 Nov 2022 15:24:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668641059; cv=none; d=google.com; s=arc-20160816; b=o+1djV2wbHM/PtRB5Q9Tzjz67+JwD6k448w0SPSS5/phVhjzyEdORMgXN0SwylQ+Oh fqT8O4rxsaEhil/lfV9uloVmxKAzFrvliC0pu4aMFmhIyKl+QdyMZd3F5TuLLsd2gOV5 oX3KMKmEQYYGH1bCTOclGzfHYcp6bU08HNUnmDFyymmU58bHlVu/cAOI56Ipp/5gtcAo aXr5WX5hfz0T8eGLjgXDxdAewRDDcffWHJIy5DD2vqdqGswSpEaZcU0Hlw+7+xgSabRe TC/MX9Fx8DqMUTqgWOIgisOfccYSojANtSvc99ASOCf0iRlhxiaNv2HCngXFDdlPB/M9 +omw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=3XP941acguvK1ZAkrhvPDttgcSVa1z7xUK43PRl+uio=; b=AwhmI57jkeGcuJI2AEQXWYvYgNOAd8lxxeIEvUAebt5VQKAJvfX0dygY6YoQXNpOMM VTrqZwLGmENgh4Ty/9YBrcLii9LdI0cxvZV7ulej41SvwBBMnSmPAYTAuXm0b4XLtW1a OyHOHJG/bFBMia4XW3nB0wQgFilKm+/b867X82wShIGq24ZdV/KqZH7Zaa4vm2/wmogl xi4HCSrdq+I+dkiEOLHxe87z4MM13lWhESECuL1fLUz9DXLFPsKwZ8zUVlSv5mVleH56 X8HLpr3JK9veAO1pQrZKJyYqBMSd/YbMLYLdq+3Aj2hud/uAtj/gNeiX4LvzbD85T8lt MxAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=56syu10y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i3-20020a17090685c300b007894b9de062si13301998ejy.631.2022.11.16.15.23.56; Wed, 16 Nov 2022 15:24:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=56syu10y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233202AbiKPXEb (ORCPT + 91 others); Wed, 16 Nov 2022 18:04:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42858 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234494AbiKPXE2 (ORCPT ); Wed, 16 Nov 2022 18:04:28 -0500 Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 41E7C317D0 for ; Wed, 16 Nov 2022 15:04:27 -0800 (PST) Received: by mail-pg1-x52d.google.com with SMTP id v3so350696pgh.4 for ; Wed, 16 Nov 2022 15:04:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3XP941acguvK1ZAkrhvPDttgcSVa1z7xUK43PRl+uio=; b=56syu10yY4F1zazjA7qQqh2STRuHElk9eY+YEZ2JcKVraIu6zSy+d7hqJ6YBhnyKnk 1+LuOwiNiju5AdvI9xdh5g/G80aKnuJ11AaNiNKaHFRuda9VJx8tJcobAEuesbGIYHgS tMzqZ7quPD44w/BpPwpIxIYOAHQ0Eu6vcZcGfDNkWyxWllI9JW5MvHxeDqabzek7mvJF lRPHcIEV4pjuGc5AmAsFH4Jf4S3BLYvw3FN1EFQw3CaTcsnQ/rxPpU5CayDHenZMNu9J ZglvH/USVkAoU8iRANLUdGJML73p0sP2EWzu5aiesLr10lbTtOu9kbvOSISR4gHJF93H u1/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3XP941acguvK1ZAkrhvPDttgcSVa1z7xUK43PRl+uio=; b=cBN2wyoIx8y1IoNI4fIHs6kXXne4CG6gv/OQAyJ4WyVfecIcJikbPfdSfU3HST4Dkg BzabNlDGp0+OOI7hUrNVsRU3mO7cQEyKuFoo/uyW9JMxhvyngc4h5RTVFbKb1x/9GwsO tO+hSM8UU2LGZbgWAF38XeqF68G2LxpMHcCFpY1bFK0GxbsJsjagxwpVZVYccYoqkB9k OQLpcEHU/3sXj1Lm3UKkN/N0nV3eL9eeRpkyiZb/IA6LMqvK+i6PHAluOTEp3fDa2dNR +hcFTgvmBzRC2ne4fhxJA3Q9IITK0bnmFTwVfFyGbwd3dDaprhjG80458f6zrHYpUi1T o/yg== X-Gm-Message-State: ANoB5pkZX0ui+9DwC9cByZv7WpHYogoZ3vnuAuuqTNWzgMv090NK8bQh 3vquoJiZDOGG06WP2xlJj5ePQ9IlWFB4WRTALWUU X-Received: by 2002:aa7:9518:0:b0:56c:8c13:24fd with SMTP id b24-20020aa79518000000b0056c8c1324fdmr319516pfp.2.1668639866677; Wed, 16 Nov 2022 15:04:26 -0800 (PST) MIME-Version: 1.0 References: <20221102000525.gonna.409-kees@kernel.org> In-Reply-To: <20221102000525.gonna.409-kees@kernel.org> From: Paul Moore Date: Wed, 16 Nov 2022 18:04:15 -0500 Message-ID: Subject: Re: [PATCH v2] LSM: Better reporting of actual LSMs at boot To: Kees Cook Cc: James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 1, 2022 at 8:05 PM Kees Cook wrote: > > Enhance the details reported by "lsm.debug" in several ways: > > - report contents of "security=3D" > - report contents of "CONFIG_LSM" > - report contents of "lsm=3D" > - report any early LSM details > - whitespace-align the output of similar phases for easier visual parsing > - change "disabled" to more accurate "skipped" > - explain what "skipped" and "ignored" mean in a parenthetical > > Upgrade the "security=3D is ignored" warning from pr_info to pr_warn, > and include full arguments list to make the cause even more clear. > > Replace static "Security Framework initializing" pr_info with specific > list of the resulting order of enabled LSMs. > > For example, if the kernel is built with: > > CONFIG_SECURITY_SELINUX=3Dy > CONFIG_SECURITY_APPARMOR=3Dy > CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_YAMA=3Dy > CONFIG_SECURITY_SAFESETID=3Dy > CONFIG_SECURITY_LOCKDOWN_LSM=3Dy > CONFIG_SECURITY_LANDLOCK=3Dy > CONFIG_INTEGRITY=3Dy > CONFIG_BPF_LSM=3Dy > CONFIG_DEFAULT_SECURITY_APPARMOR=3Dy > CONFIG_LSM=3D"landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,= smack,tomoyo,apparmor,bpf" > > Booting without options will show: > > LSM: initializing lsm=3Dlockdown,capability,landlock,yama,loadpin,safeset= id,integrity,selinux,bpf > landlock: Up and running. > Yama: becoming mindful. > LoadPin: ready to pin (currently not enforcing) > SELinux: Initializing. > LSM support for eBPF active > > Boot with "lsm.debug" will show: > > LSM: legacy security=3D *unspecified* > LSM: CONFIG_LSM=3Dlandlock,lockdown,yama,loadpin,safesetid,integrity,seli= nux,smack,tomoyo,apparmor,bpf > LSM: boot arg lsm=3D *unspecified* > LSM: early started: lockdown (enabled) > LSM: first ordered: capability (enabled) > LSM: builtin ordered: landlock (enabled) > LSM: builtin ignored: lockdown (not built into kernel) > LSM: builtin ordered: yama (enabled) > LSM: builtin ordered: loadpin (enabled) > LSM: builtin ordered: safesetid (enabled) > LSM: builtin ordered: integrity (enabled) > LSM: builtin ordered: selinux (enabled) > LSM: builtin ignored: smack (not built into kernel) > LSM: builtin ignored: tomoyo (not built into kernel) > LSM: builtin ordered: apparmor (enabled) > LSM: builtin ordered: bpf (enabled) > LSM: exclusive chosen: selinux > LSM: exclusive disabled: apparmor > LSM: initializing lsm=3Dlockdown,capability,landlock,yama,loadpin,safeset= id,integrity,selinux,bpf > LSM: cred blob size =3D 32 > LSM: file blob size =3D 16 > LSM: inode blob size =3D 72 > LSM: ipc blob size =3D 8 > LSM: msg_msg blob size =3D 4 > LSM: superblock blob size =3D 80 > LSM: task blob size =3D 8 > LSM: initializing capability > LSM: initializing landlock > landlock: Up and running. > LSM: initializing yama > Yama: becoming mindful. > LSM: initializing loadpin > LoadPin: ready to pin (currently not enforcing) > LSM: initializing safesetid > LSM: initializing integrity > LSM: initializing selinux > SELinux: Initializing. > LSM: initializing bpf > LSM support for eBPF active > > And some examples of how the lsm.debug ordering report changes... > > With "lsm.debug security=3Dselinux": > > LSM: legacy security=3Dselinux > LSM: CONFIG_LSM=3Dlandlock,lockdown,yama,loadpin,safesetid,integrity,seli= nux,smack,tomoyo,apparmor,bpf > LSM: boot arg lsm=3D *unspecified* > LSM: early started: lockdown (enabled) > LSM: first ordered: capability (enabled) > LSM: security=3Dselinux disabled: apparmor (only one legacy major LSM) > LSM: builtin ordered: landlock (enabled) > LSM: builtin ignored: lockdown (not built into kernel) > LSM: builtin ordered: yama (enabled) > LSM: builtin ordered: loadpin (enabled) > LSM: builtin ordered: safesetid (enabled) > LSM: builtin ordered: integrity (enabled) > LSM: builtin ordered: selinux (enabled) > LSM: builtin ignored: smack (not built into kernel) > LSM: builtin ignored: tomoyo (not built into kernel) > LSM: builtin ordered: apparmor (disabled) > LSM: builtin ordered: bpf (enabled) > LSM: exclusive chosen: selinux > LSM: initializing lsm=3Dlockdown,capability,landlock,yama,loadpin,safeset= id,integrity,selinux,bpf > > With "lsm.debug lsm=3Dintegrity,selinux,loadpin,crabability,bpf,loadpin,l= oadpin": > > LSM: legacy security=3D *unspecified* > LSM: CONFIG_LSM=3Dlandlock,lockdown,yama,loadpin,safesetid,integrity,seli= nux,smack,tomoyo,apparmor,bpf > LSM: boot arg lsm=3Dintegrity,selinux,loadpin,capability,bpf,loadpin,load= pin > LSM: early started: lockdown (enabled) > LSM: first ordered: capability (enabled) > LSM: cmdline ordered: integrity (enabled) > LSM: cmdline ordered: selinux (enabled) > LSM: cmdline ordered: loadpin (enabled) > LSM: cmdline ignored: crabability (not built into kernel) > LSM: cmdline ordered: bpf (enabled) > LSM: cmdline skipped: apparmor (not in requested order) > LSM: cmdline skipped: yama (not in requested order) > LSM: cmdline skipped: safesetid (not in requested order) > LSM: cmdline skipped: landlock (not in requested order) > LSM: exclusive chosen: selinux > LSM: initializing lsm=3Dlockdown,capability,integrity,selinux,loadpin,bpf > > Cc: Paul Moore > Cc: James Morris > Cc: "Serge E. Hallyn" > Cc: linux-security-module@vger.kernel.org > Signed-off-by: Kees Cook > --- > v2: en/dis-enabled expanded, example output in commit log, use pr_cont. > v1: https://lore.kernel.org/lkml/20221018064825.never.323-kees@kernel.org= / > --- > security/security.c | 45 ++++++++++++++++++++++++++++++++++++--------- > 1 file changed, 36 insertions(+), 9 deletions(-) I tend to agree with Micka=C3=ABl regarding the aligned output, but that's not worth worrying too much about for debug stuff. Merged into lsm/next, thanks Kees. --=20 paul-moore.com