Received: by 2002:a05:7412:a9a2:b0:e2:908c:2ebd with SMTP id o34csp2165670rdh; Sun, 29 Oct 2023 03:59:07 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFjbHz4gyzwOHoinqNM6E8vkWTEG0yfM8nVnXkvhbAdT1EkSUOIRuElgGSZWaNk64fLBw62 X-Received: by 2002:a05:6870:2a44:b0:1ef:ace4:f360 with SMTP id jd4-20020a0568702a4400b001eface4f360mr4070945oab.17.1698577147598; Sun, 29 Oct 2023 03:59:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698577147; cv=none; d=google.com; s=arc-20160816; b=lTwSWazepdz7pwFJmsIRVEd4fFoM1tE6xYU5oaOZHGTKWqU0oNRWEHOt8M8y7VLH2V KAbWGaKs2nMWulNNu9i8UfOPdosS0vlU3xEPxE2A0+a6wPAJT3P00LXaaH+JLU5xnCCx hyo/JF6YeqEgjmFDSie4kIouVBurBz9fnIyLFoR9mqfwlXq/FrvwfnHCi0id0ICCoBzN ZOKgh51eESHeG9LsRnJdjomT5aybzofrIBBX0GEob/QNVtJcLxFdG2B3ijZ8u17RYelU fgUfR2ItXfxfCRwpia+067NxmAdhg/FMaRe167TtdV8/SO45v9+S96YpsDbBf5Aj4+wL SStg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=CQu8aKqJ+H6xQVZ6iRz5mZADdp144Oon9+5KrpwfhiY=; fh=ll47VoWWVEqkkuj6V8zQm5NhVoIH3QNWSC48tgEQzCs=; b=vmIgl2XFp6bBBiqRNi4WxHDOfkq78S8PQ+cHHSLrdFPqSmqX+P0VOcS6Vb5im2+YkH 86YotluQ2yyzbxQdSWOQ8CjLGZ4qbN5Tqtk2pQoXfg3z3Xz0esodeE+B7w3iYo0/M0Ek ucsDW0dFkmLiNe4Dc8P39ivHT+vPufLeYnrivGbfzXfCIA65UvC7mlrKrYbk6jVhF/zj Twi/mI1lqDHKY9N4AWuayMED1ut3ny18GkZybicDvj9mwig/MrD0ZQeoZqCJ3LiLS+rG w3JIwOxkxnUURBqJOU9RdaPvTH8F/UZ7JmtrC3PRo5Ip9tfzt3g0yxNS7QuPlP+8EG3/ 7tSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id l72-20020a63914b000000b005aaefc07ccfsi3480101pge.36.2023.10.29.03.59.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 29 Oct 2023 03:59:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id CEB0B808EDC6; Sun, 29 Oct 2023 03:59:04 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230050AbjJ2K6n (ORCPT + 99 others); Sun, 29 Oct 2023 06:58:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37630 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229446AbjJ2K6m (ORCPT ); Sun, 29 Oct 2023 06:58:42 -0400 Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4F276C0; Sun, 29 Oct 2023 03:58:40 -0700 (PDT) Received: from fsav411.sakura.ne.jp (fsav411.sakura.ne.jp [133.242.250.110]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 39TAw1YC028196; Sun, 29 Oct 2023 19:58:01 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav411.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav411.sakura.ne.jp); Sun, 29 Oct 2023 19:58:01 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav411.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 39TAw1hV028191 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Sun, 29 Oct 2023 19:58:01 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Sun, 29 Oct 2023 19:57:59 +0900 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v15 01/11] LSM: Identify modules by more than name Content-Language: en-US To: Casey Schaufler , paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net References: <20230912205658.3432-1-casey@schaufler-ca.com> <20230912205658.3432-2-casey@schaufler-ca.com> <30d1110a-7583-4fa1-85c8-d6ce362f5ae2@schaufler-ca.com> <2fb1a8cd-88d0-40f0-b3d8-cfa8b71e7dd9@I-love.SAKURA.ne.jp> <29fe1e5b-4bf3-4bb3-b8de-fbd8dfc25be3@schaufler-ca.com> From: Tetsuo Handa In-Reply-To: <29fe1e5b-4bf3-4bb3-b8de-fbd8dfc25be3@schaufler-ca.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Sun, 29 Oct 2023 03:59:05 -0700 (PDT) On 2023/10/21 23:11, Casey Schaufler wrote: >> If the system call returning LSM ID value for SELinux but does not tell >> the caller of that system call whether a specific action might be permitted, >> what information does LSM ID value tell? > > It tells the caller that the LSM is active on the system. That's it. > Just like reading /sys/kernel/security/lsm. Then, the The calling application can use this list determine what LSM specific actions it might take. That might include choosing an output format, determining required privilege or bypassing security module specific behavior. part should be removed from the description. Instead, the description should emphasis that the numeric LSM ID values are there in order to allow identifying what LSM modules are active without interpreting string LSM names in /sys/kernel/security/lsm . >> What does "choosing an output format", "determining required privilege", >> "bypassing security module specific behavior" mean? How can they choose >> meaningful output format, determine appropriate privilege, bypass security >> module specific behavior (if the only information the caller can know from >> the LSM ID value were what LSMs are enabled) ? > > If Smack and SELinux not enabled on the system there is no point in > setting up a netlabel configuration, for example. I know nothing about netlabel. But can userspace make such assumption from this granularity? For example, if TOMOYO and AppArmor start supporting netlabel configuration, your assumption If Smack and SELinux not enabled on the system there is no point in setting up a netlabel configuration becomes no longer true. It is also possible that a new LSM implementation obtains an LSM ID for that LSM, and starts supporting netlabel configuration some timer later. I don't know if we come to the point where we can enable SELinux and Smack at the same time. But when it becomes possible to enable SELinux and Smack at the same time, the userspace might have already written code based on current situation that netlabel configuration are exclusive. Then, someday starting to return both LSM ID for SELinux and LSM ID for Smack might confuse userspace. Thus, it might be safe to determine what LSMs are active from the LSM ID values returned from the system call. But it is not safe to assume what functionality is active (e.g. netlabel configuration is interpreted) from the LSM ID values returned from the system call. If you want to allow userspace to make such assumption using the system call, the granularity the system call returns needs to be what access control mechanism (not only LSM modules but also eBPF-based access control mechanisms) hooks which LSM hooks. More information than interpreting string LSM names in /sys/kernel/security/lsm will be needed. > >>> I wish we could stop people from saying "BPF-based LSM". BPF is the LSM. The >>> eBPF programs that implement a "policy" are NOT a LSM. There needs to be a >>> name for that, but LSM is not it. >> My understanding is that "BPF is not an LSM module but infrastructure for using >> LSM hooks". > > As BPF is implemented as a LSM I suggest your statement is incorrect. Enumerating only LSM modules are not useful. "ID for access control mechanisms that can be controlled via LSM hooks" will be needed. > >> >> The patch description lacks relationship between LSM ID value and data. >> In other words, why LSM ID values are needed (and are useful for doing what). >> If the only information the caller can know from the LSM ID value were >> what LSMs are enabled (i.e. the content of /sys/kernel/security/lsm ), why >> bother to use LSM ID values? (Yes, integer comparison is faster than string >> comparison. But that is not enough justification for not allowing out-of-tree >> LSMs and eBPF-based access control mechanisms to have stable LSM ID values.) >> I conclude that LSM ID values are pointless and are NOT needed.