From: Paul Moore
Date: Sun, 27 Nov 2022 22:52:52 -0500
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name
To: Mickaël Salaün
Cc: Casey Schaufler, casey.schaufler@intel.com, linux-security-module@vger.kernel.org, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org

On Fri, Nov 25, 2022 at 11:30 AM Mickaël Salaün wrote:
> On 23/11/2022 21:15, Casey Schaufler wrote:
> > Create a struct lsm_id to contain identifying information
> > about Linux Security Modules (LSMs). At inception this contains
> > the name of the module and an identifier associated with the
> > security module. Change the security_add_hooks() interface to
> > use this structure. Change the individual modules to maintain
> > their own struct lsm_id and pass it to security_add_hooks().
> >
> > The values for LSM identifiers are defined in a new UAPI
> > header file linux/lsm.h. Each existing LSM has been updated to
> > include its LSMID in the lsm_id.
> >
> > The LSM ID values are sequential, with the oldest module
> > LSM_ID_CAPABILITY being the lowest value and the existing modules
> > numbered in the order they were included in the main line kernel.
> > This is an arbitrary convention for assigning the values, but
> > none better presents itself. The value 0 is defined as being invalid.
> > The values 1-99 are reserved for any special case uses which may
> > arise in the future.
> > > > Signed-off-by: Casey Schaufler > > --- > > include/linux/lsm_hooks.h | 16 ++++++++++++++-- > > include/uapi/linux/lsm.h | 32 ++++++++++++++++++++++++++++++++ > > security/apparmor/lsm.c | 8 +++++++- > > security/bpf/hooks.c | 13 ++++++++++++- > > security/commoncap.c | 8 +++++++- > > security/landlock/cred.c | 2 +- > > security/landlock/fs.c | 2 +- > > security/landlock/ptrace.c | 2 +- > > security/landlock/setup.c | 6 ++++++ > > security/landlock/setup.h | 1 + > > security/loadpin/loadpin.c | 9 ++++++++- > > security/lockdown/lockdown.c | 8 +++++++- > > security/safesetid/lsm.c | 9 ++++++++- > > security/security.c | 12 ++++++------ > > security/selinux/hooks.c | 9 ++++++++- > > security/smack/smack_lsm.c | 8 +++++++- > > security/tomoyo/tomoyo.c | 9 ++++++++- > > security/yama/yama_lsm.c | 8 +++++++- > > 18 files changed, 141 insertions(+), 21 deletions(-) > > create mode 100644 include/uapi/linux/lsm.h ... > > diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h > > new file mode 100644 > > index 000000000000..47791c330cbf > > --- /dev/null > > +++ b/include/uapi/linux/lsm.h 
> > @@ -0,0 +1,32 @@ > > +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ > > +/* > > + * Linux Security Modules (LSM) - User space API > > + * > > + * Copyright (C) 2022 Casey Schaufler > > + * Copyright (C) 2022 Intel Corporation > > + */ > > + > > +#ifndef _UAPI_LINUX_LSM_H > > +#define _UAPI_LINUX_LSM_H > > + > > +/* > > + * ID values to identify security modules. > > + * A system may use more than one security module. > > + * > > + * Values 1-99 are reserved for future use in special cases. > > This line should be removed unless justified. What could be special > about IDs? The syscalls already have a "flags" argument, which is enough. > > > + */ > > +#define LSM_ID_INVALID 0 > > Reserving 0 is good, but it doesn't deserve a dedicated declaration. > LSM_ID_INVALID should be removed. > > > > +#define LSM_ID_CAPABILITY 100 > > This should be 1…

No. Scratch that, make that an emphatic "No". If you want to argue for a different reserved low-number range, e.g. something with a nice power-of-2 limit, I'm okay with that, but as I wrote earlier I feel strongly we need to have a low-number reserved range for potential future uses.

--
paul-moore.com
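
Review bot: The comment above LSM_ID_INVALID in include/uapi/linux/lsm.h reserves values 1-99 "for future use in special cases" but does not say how user space should treat an ID in that range, nor that an assigned ID is permanent once it ships in a UAPI header. Suggest extending the comment to state that IDs are never renumbered or reused and that 1-99 currently name no module, so callers must reject or ignore them rather than guess. The first module value, "#define LSM_ID_CAPABILITY 100", is also a magic number tied to that comment only by prose; a named constant for the end of the reserved range, with the first ID defined relative to it, would keep the two from drifting apart if the range is later changed to a power-of-2 limit as discussed in this thread.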