Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp4552782rwe; Mon, 17 Apr 2023 14:41:04 -0700 (PDT) X-Google-Smtp-Source: AKy350YIUHE1U8Ovxy4sZhw8Sb5EYMQiLwZ1LcmmSemcX4/ZUD1WKJ0hPKoPVa7QXV0qMl86R8St X-Received: by 2002:a05:6a00:998:b0:63b:8425:bf5d with SMTP id u24-20020a056a00099800b0063b8425bf5dmr11847751pfg.24.1681767663997; Mon, 17 Apr 2023 14:41:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681767663; cv=none; d=google.com; s=arc-20160816; b=Uo4oL+fSP+ewMgP6/z3nLMZLk0ybDoPdUnuRrXeRJc77rNXB+1EnnwnZdnlHkYKJeL aFuTovmCwws/g8xtbvKIEXz2QTEe3b7Xo5uV20ZW7am6SUs8RjPtq0dlsWq5SIt033wa nkmGPmtd33sP5brJzURv3FrVpXVXXhvg6C38c9ed/d8JdWvAK4rcESKJglhBqjkfhAZh G+we0qxAEAizbsLQ+9gju2Zl3DcVuO/ZJQAs44Cm89TrR7Qu0ylo74PMt6GRhTBh/iN3 FN1xnggRBlChyP1puC/c1Tv8JA4pRJcnPsF7d6VLLSc02uPqi8JJfFbPl/vkty+BU6cz PXYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=BCzVu2UsKp7hdLDjLx5y43eqwBluLCZhJw8zkmfWK7s=; b=DEwVHMpvoKz8UI55b6gCzVEZEEDUGmCs/+BPx3ZxICN7TdXnw9eVLxAdZFGmBh6gn/ vxw0XxgEylSx8tmNYcdcKUaPxTjJGu7XEa0gv06Sdj2M8uoKOBA0PsLzrpvTOGK7ImDd GvsY+Pf98NTMNy2UbX+f0SO8rT9zIgKq5M+wOC+Ur1wcisjbo7FTAE4EaEMv9h1i9VmK ViAD5rknRC5uJ2VVVLeumyDmjWCdmRnaY1ZM6kA7TH9eM2KdDcf3JwimLJZmMDbVZC2t /eeoH8FAGWfNW9yQqfo69tPYaYVIWOdcV+fVLlf8sBvJ6a7ubjWDQwYJfY0l+Mn9v7oi DZJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=L4lIgMDU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z19-20020a63e113000000b0051bb415165dsi3706644pgh.194.2023.04.17.14.40.50; Mon, 17 Apr 2023 14:41:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=L4lIgMDU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229657AbjDQVb1 (ORCPT + 99 others); Mon, 17 Apr 2023 17:31:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36228 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229717AbjDQVbZ (ORCPT ); Mon, 17 Apr 2023 17:31:25 -0400 Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A671F4687 for ; Mon, 17 Apr 2023 14:31:23 -0700 (PDT) Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-54fe3cd445aso128029177b3.5 for ; Mon, 17 Apr 2023 14:31:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1681767083; x=1684359083; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=BCzVu2UsKp7hdLDjLx5y43eqwBluLCZhJw8zkmfWK7s=; b=L4lIgMDUo+CoVwZROqgkHM1P5l8PMDt1tMF+3n6mYb/oTyl6jZZARiOyi4mY749zTf kd6MKQWITu/+gFbXbDd8PRN889Ab1UneKVGjM8dJfGHZk1x69itMrG6mVAMXx6c94Kgj wsnxittzLcJmNlQ2TmgAffk7LZPA0GjY7q3YVrjMNaQxDody759vfh8QxNsbIEZIbNpi YEiGC7lB/ogD9pMXaYUg7qcmHjeO7XkF2svcHQ6pd/dMN/CipBYMhe50S/ctKhKU/5Xb VduqXgJXIwtVunLI04d/oZ9995Fp6s9L0vc6khDXs8odobPBxwM6nmpDBHJfyzOBpVBf lSXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681767083; x=1684359083; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BCzVu2UsKp7hdLDjLx5y43eqwBluLCZhJw8zkmfWK7s=; b=U2U4TbJD2rjckvLR63h3qg640GI6cPC7WmQIg9+NvQwmNRYI+pZDuHZ3eSybY1wLb4 NXwWC4uR9FBCWnXooYD35gkzJJZxXYyCHCf6+7e0lt7MLjf5C0Mcodb83wp5IVi0KQeF r8lZMJ5E98PI1pUQjF6lKerBul7o8wHqqXOFFO5xYFl8okfCnMw56hepHXBYgF3xs8IQ l0X22uUlOAd9SMswEKvfX+eoQKuCD9/uA1YAAm2eRfk+VaKM9wPWUatZjYrhtvygBz9X JjBhH0qxIEXTvU+PEAPub6qRSKkfGpORVNZZCacqqT83aLLB5JovCLxinvNqHeFTNsyJ pNvQ== X-Gm-Message-State: AAQBX9dTAvLgfmxSf9uoc0nhrhZtjYTDVo9OoIir5JZ6DpPXe6DQaSsH ev5/GK6aoLCbpV8oNY8QOzXeMflhemBJrER/P099 X-Received: by 2002:a81:c649:0:b0:54f:2b65:a865 with SMTP id q9-20020a81c649000000b0054f2b65a865mr10208390ywj.8.1681767082657; Mon, 17 Apr 2023 14:31:22 -0700 (PDT) MIME-Version: 1.0 References: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com> <1675119451-23180-6-git-send-email-wufan@linux.microsoft.com> <20230410191035.GB18827@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> <20230412233606.GA16658@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> <20230417180605.GA402@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> <20230417211826.GA6475@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> In-Reply-To: <20230417211826.GA6475@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> From: Paul Moore Date: Mon, 17 Apr 2023 17:31:11 -0400 Message-ID: Subject: Re: [RFC PATCH v9 05/16] ipe: add userspace interface To: Fan Wu Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 17, 2023 at 5:18=E2=80=AFPM Fan Wu = wrote: > On Mon, Apr 17, 2023 at 04:16:29PM -0400, Paul Moore wrote: > > On Mon, Apr 17, 2023 at 2:06???PM Fan Wu wr= ote: > > > On Thu, Apr 13, 2023 at 02:45:07PM -0400, Paul Moore wrote: > > > > On Wed, Apr 12, 2023 at 7:36???PM Fan Wu wrote: > > > > > On Tue, Apr 11, 2023 at 05:45:41PM -0400, Paul Moore wrote: > > > > > > On Mon, Apr 10, 2023 at 3:10???PM Fan Wu wrote: > > > > > > > On Thu, Mar 02, 2023 at 02:04:42PM -0500, Paul Moore wrote: > > > > > > > > On Mon, Jan 30, 2023 at 5:58???PM Fan Wu wrote: > > > > > > > > ... > > > > > > > > > > I guess this does make me wonder about keeping a non-active pol= icy > > > > > > loaded in the kernel, what purpose does that serve? > > > > > > > > > > > > > > > > The non-active policy doesn't serve anything unless it is activat= ed. User can > > > > > even delete a policy if that is no longer needed. Non-active is j= ust the default > > > > > state when a new policy is loaded. > > > > > > > > > > If IPE supports namespace, there is another use case where differ= ent containers > > > > > can select different policies as the active policy from among mul= tiple loaded > > > > > policies. Deven has presented a demo of this during LSS 2021. But= this goes > > > > > beyond the scope of this version. > > > > > > > > Do you plan to add namespace support at some point in the > > > > not-too-distant future? If so, I'm okay with keeping support for > > > > multiple policies, but if you think you're only going to support on= e > > > > active policy at a time, it might be better to remove support for > > > > multiple (inactive) policies. > > > > > > > > -- > > > > paul-moore.com > > > > > > Another benefit of having multiple policies is that it provides isola= tion > > > between different policies. For instance, if we have two policies nam= ed > > > "policy_a" and "policy_b," we can ensure that only team a can update = "policy_a," > > > and only team b can update "policy_b." This way, both teams can updat= e > > > their policy without affecting others. However, if there is only one = policy > > > in the system, both teams will have to operate on the same policy, ma= king it > > > less manageable. > > > > That only really matters if both policies are active at the same time; > > if only one policy can be active at one point in time the only > > permission that matters is the one who can load/activate a policy. > > > > Allowing for multiple policies complicates the code. If there is > > another feature that requires multiple policies, e.g. IPE namespaces, > > then that is okay. However, if there is no feature which requires > > multiple active policies, supporting multiple loaded policies only > > increases the risk of an exploitable bug in the IPE code. > > > > > Besides, removing multiple (inactive) policies support will > > > render the policy_name field meaningless, and we should only audit th= e policy > > > hash. I am fine if we decide to go for the single policy option. > > > > Once again, I think it comes back to: do you still want to support IPE > > namespaces at some point in the future, and if so, when do you expect > > to work on that? > > Yes, absolutely! We definitely have plans to support namespaces in the fu= ture. > However, it's worth mentioning that there are other tasks that we may nee= d > to prioritize due to their relatively lower complexity. For example, befo= re > we can fully implement namespaces, we need to address some other importan= t > aspects of the system, such as adding a policy language for integrity > enforcement on configuration files and defining trusted certificates > that can sign the root hash. Therefore, the timeline for implementing > namespaces will depend on the completion time of these tasks. > > I understand your concerns, and we can proceed with a single policy desig= n > for the initial version. I think it's okay to stick with the multi-policy code for the initial submission, you've got the code now, and it's tested. I just wanted to make sure there were plans to make use of it at some point, if not we might as well drop it now. However, it sounds like you've got a plan to utilize the multi-policy support so that's fine with me. --=20 paul-moore.com