Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp554523rdh; Sun, 24 Sep 2023 01:34:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHIPXBrCAZGGyyhlY5+T/HSnUAVr3wFeL6VbqFrGrZpNWjM9gjUlxPV18aDfnrX+2jPWIYL X-Received: by 2002:a17:902:f689:b0:1bf:7dfd:5b05 with SMTP id l9-20020a170902f68900b001bf7dfd5b05mr11156256plg.27.1695544487383; Sun, 24 Sep 2023 01:34:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695544487; cv=none; d=google.com; s=arc-20160816; b=GSZ1oXi0ZLg8tAk4IAztAyt7wxpJoxABVpT94DWXW1lGmZ8x3WuqK0m8imhg4IUTuj 6W6WwVrMlbKfhqxfpFw2N0rdNufgbrtNEAs0G1yHI8aTf8QIjKRtD4Exm+VPQ9F/XL4e E215WICWPPKJpuLgliyfVyW4MwpLmaIEVEq8Uec13AFmUT3iAoHmBDbPx/dTwJWCZLs/ cN1q1SUDTZjjtepY8yid9SWzxtEKMpGXYamlRBIXLca3xOZBEJxojhAhyFaptM4/cGX+ XR2jshI4hFnygQE8FqSPZgT5ROBgJyF4j3YanRXL5KMEZttVPVQD8IdNfxtob+5DSk9U NwZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=OJ8gUVcwY7z28ISZZjmTU5keHHyihVN0UqOd3/TKTzs=; fh=bEOTzVAJDxl1CKk8CPeyy1XKKit2gVFgbcwRTPIHpEc=; b=NA24epDXDLyzl0TX0qk1/hZqnAY+lzliDNYPUYVHKAWyQb45zj8OSAt2TRZu89bGEW D1SoYaJZjYoH/2y/irOXWAkuC89kZw4bCpvOyZVYfnxhlDI39fQQTzU2vLwwBXI66Ag3 h6gqxa7hLmReiLZcuHWcYvQiR6gitIYXdr+fJoPsKSC7WvD2kJ70FqH5YRsePfefvH3s vBpozTK+0EAStBbIl3mAenO3kG4mQa+NArJGdmDo/afgBjSwmtneYsWDL60/nt5LLkdt cWz3LgB9coJQiFDsEvINJeWJW4VTj9Z1+U0ym8LMtHSDCYirz6UibsXZ5bFgEIMxaH+G 2Bsw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ohh9zu0M; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id ay6-20020a1709028b8600b001b9d0ad0d40si6914839plb.128.2023.09.24.01.34.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 Sep 2023 01:34:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ohh9zu0M; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 2412E80E5B9C; Sat, 23 Sep 2023 18:58:12 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229837AbjIXB6N (ORCPT + 99 others); Sat, 23 Sep 2023 21:58:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229535AbjIXB6N (ORCPT ); Sat, 23 Sep 2023 21:58:13 -0400 Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 62176124 for ; Sat, 23 Sep 2023 18:58:06 -0700 (PDT) Received: by mail-pg1-x532.google.com with SMTP id 41be03b00d2f7-578a62c088cso4128072a12.1 for ; Sat, 23 Sep 2023 18:58:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1695520686; x=1696125486; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=OJ8gUVcwY7z28ISZZjmTU5keHHyihVN0UqOd3/TKTzs=; b=ohh9zu0M8u1jGlMckxS9BXphiQDtCDbJLIy8Mo8EGzn5/LwjjPiAIYCxltJghxYgKF BNjMnuoUV09bQ/Tl1yzYBz/3hIXkxP841+yJw//ZCl2NwGQzxLAWp8NsTFkrOBe77MnR vtikd9iUodNl6Zr0TjtacWBpUOEHGHn4E1dyM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695520686; x=1696125486; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=OJ8gUVcwY7z28ISZZjmTU5keHHyihVN0UqOd3/TKTzs=; b=krCOOVE9cWZIAQDl0frstBgGv+s0R4CNOrx/1SUfBw1HujaAjEpTz2lG6axYPw+GG2 IHdNldQgcDri89mTZDjeUbVGANBj29VlWp82YgV69umF7LZY4AuCfiHwCayS4iJSqdDp 8g/u1LDtxPGyv6bXH8bH8R68gIjyt9BcUHSNz483fEUh3zJmiG6ClAAxxk+CHuZ6o6ZS zP5J6u3Q3QJ/QBQbzgKtlqu5BeFKrPTEnQT6rbxJhlg2H8WSkYK7q0s2BMnwMoSQurzK lUMRLTPYfO9uRcGRL9Ouv9lWAFgPLaSLykGfPZyWYYjtNez+4OCEGplK74lVTgr5F7kj JmxA== X-Gm-Message-State: AOJu0YyqAFgQXH2c8kHIFpGQgH9+RAfKGTIiCpChuKGlR1fv1rmurUdK QfhXbepdw5j0VdG4jwril3RQFQ== X-Received: by 2002:a17:90b:4a88:b0:274:9be9:7ee3 with SMTP id lp8-20020a17090b4a8800b002749be97ee3mr5225651pjb.8.1695520685811; Sat, 23 Sep 2023 18:58:05 -0700 (PDT) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id 17-20020a17090a001100b00276a58e37c1sm7782731pja.38.2023.09.23.18.58.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 23 Sep 2023 18:58:05 -0700 (PDT) Date: Sat, 23 Sep 2023 18:58:04 -0700 From: Kees Cook To: Tetsuo Handa Cc: Casey Schaufler , paul@paul-moore.com, linux-security-module@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, john.johansen@canonical.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net, Dave Chinner , Linus Torvalds , Jonathan Corbet Subject: Re: [PATCH v15 01/11] LSM: Identify modules by more than name Message-ID: <202309231838.CB16E6B5@keescook> References: <20230912205658.3432-1-casey@schaufler-ca.com> <20230912205658.3432-2-casey@schaufler-ca.com> <1f5e725d-58b6-eca2-97dc-d7c1209ff167@I-love.SAKURA.ne.jp> <568c0730-b458-04b4-dbfa-77da1758aa05@schaufler-ca.com> <94743c22-bc76-e741-e577-3e0845423f69@I-love.SAKURA.ne.jp> <6df9f8b8-5653-09a5-ae0a-6526016abaff@schaufler-ca.com> <202309200803.1911A584@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Sat, 23 Sep 2023 18:58:12 -0700 (PDT) On Sat, Sep 23, 2023 at 01:46:35PM +0900, Tetsuo Handa wrote: > On 2023/09/21 0:08, Kees Cook wrote: > > I feel like you are willfully not listening to us when we say that this > > doesn't block out of tree LSMs. Again, there is nothing here that stops > > it. To prove this point, here is an out of tree LSM that works with this > > series. So let's move from theoretical to practical: given this example, > > why do you think out of tree LSMs are blocked? > > Because an LSM ID value But my example includes one. > > diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h > > index eeda59a77c02..23b7a8f79cef 100644 > > --- a/include/uapi/linux/lsm.h > > +++ b/include/uapi/linux/lsm.h > > @@ -63,6 +63,8 @@ struct lsm_ctx { > > #define LSM_ID_BPF 110 > > #define LSM_ID_LANDLOCK 111 > > > > +#define LSM_ID_GOAT 1138 > > + > > /* > > * LSM_ATTR_XXX definitions identify different LSM attributes > > * which are used in the kernel's LSM userspace API. Support > > is assigned to LSM only when that LSM became no longer out of tree. Why? My example code will work just fine. The only possible reason it could be awkward would be if an out of tree LSM became so useful that the author decided to upstream it, and risked colliding with an existing LSM id. But lsm_id::id is a u64 (not an enum!), so there is a HUGE space available. If out of tree LSMs used the epoch time they were first authored as their id, the chances of a collision would be approaching zero. There isn't an out of tree LSM written every second, but if there were, it would take 584 billion years to run out of LSM ids. And, as mentioned several times before, this is _not a new problem_, and exists for out of tree syscalls, out of tree prctls, etc. I even DID this for the Yama LSM when it looked like it wasn't going to get upstream in the early days. Its prctl number _is not sequential_: include/uapi/linux/prctl.h:#define PR_SET_PTRACER 0x59616d61 (And you'll see 0x59616d61 in ASCII is "Yama"; my effort to avoid collision.) So, there is both ability (u64) and precedent (Yama) for this. Having an LSM id is _not_ a blocker for out of tree LSMs, and I've given the proof. -Kees -- Kees Cook