Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp2446611lqz; Tue, 2 Apr 2024 19:21:29 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV+9YQIAgY5s4BtDBbMxugXr5I3Xnebj/L5m6s7indlglZPpTB7YECWOhzPvCP7Re1QFcGscMHA/nCIZ4irCVLtgvwBxZJD3Nlsy8BTAA== X-Google-Smtp-Source: AGHT+IGsoh4rWwnxrYDQLr2/IPQvIDZcp2kvhod82R/9FdRNx92cwSNnURRFoLVVhQQDrTcORSIW X-Received: by 2002:a05:622a:1788:b0:432:b6d4:613e with SMTP id s8-20020a05622a178800b00432b6d4613emr16905119qtk.15.1712110889003; Tue, 02 Apr 2024 19:21:29 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712110888; cv=pass; d=google.com; s=arc-20160816; b=zGzvqwYpH/RCt3e7DF602F9kY89yQI29BR8dgP8wyZYceeeup6274SWr+P8oRxrNgo pesFtqT/sTAVn0EZ6TWh/c3wQImhwswPL7szESHjS6f40eTwznNyJ16pD1jTyNOfc9hF UTGyCbsgt+r0BS2thUDjmRIw1zA3MoUtXbFvWptlO+1s8D1JO4Ycxu9n97H+FqIo+C+i mlA4eva6JUCWZ5/7xACQdTVI8p5GRC8nEfmPJ+DUs2bFChuzCQMHg9BLV2tX6Iwp45I9 bT4MdHoSGVHE47F47UAn3Qe40R66NC5WJxvpIHhMwCD26OU67iqWu3q48gYkE/n4dgqq W2+g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=g330QbZKpmXoovT0mI5FxZrknOF9KuBu/XS6jFcDi0E=; fh=/42xeWUlY7BCEa9JD5w7rUDKAsY29mH9UfcZ19UV9lE=; b=D09wYXY6ypcS1N3kI6iTUQ9mpwIxQKu7aIr9PqRnmgnRsCPwILqycyzP1bDp67XnPB iymz4HjPOasfBKlDZTe0tkbh7Ql6t7BlueWuFBmc/yGS8nOFIsgukNaikDNmMLLBh1Iu wseQ8NMBkxHbpYq3O9hRPwXSBoEAJ/AA76N4MyXwUTVdNHDqXHzOh5x7khsEprQVOVFE ySgRaNpuT7z5Q9adjPSuN6STz8MVqUN35/WscQMHpBpyc2lYG9ccpL2pr8U2T4csKK/j zjT/aDnZhhMDGseJFySv77iA/V/42RCNi564Qw622cwJHtjQG2y2yfqzlZKUThv9HNEk Oikg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=NE1z1d65; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-128973-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-128973-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id eh27-20020a05622a579b00b00432c49655ccsi9717657qtb.77.2024.04.02.19.21.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 19:21:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-128973-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=NE1z1d65; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-128973-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-128973-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id A8F7A1C23A27 for ; Wed, 3 Apr 2024 02:21:28 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 47F4C18AF9; Wed, 3 Apr 2024 02:21:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="NE1z1d65" Received: from mail-yw1-f180.google.com (mail-yw1-f180.google.com [209.85.128.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8120817997 for ; Wed, 3 Apr 2024 02:21:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712110876; cv=none; b=S4/urmUGKMKWlV8SgPua2EaL7GwwTRs970M2XmRGsR2vV0xgKu9uxAZCphhhKYWpM8y6fa8bEbfCjkwhGZDNvjDhWGdow1bjCWtzDxwU71YUPMnAHuHXSDEa59yVWKLxYQ0KwR3/DIMnjHb/h+s07HS9UZh2qAnXhb/nZKdzL08= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712110876; c=relaxed/simple; bh=L1V2y2GXYltLjaiMkhGOV5y2Z7ue7LSWprWVpxmLNUk=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=o71M13vJn5NvqQkWOfTWVE39oMNPkenL6h46bhNctM3ASku6ecp3k/DbSNFNN2045eKzTCkQICK7jRj4beXENHMKLXy4WAvwszrN9yWj3KiPWq2H6DIRMNaQpXUrhfwgKdd6wTNCMRloXdUqN1Jx0aBOqSYrPOSrNUb4Qz6k9lU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=NE1z1d65; arc=none smtp.client-ip=209.85.128.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-yw1-f180.google.com with SMTP id 00721157ae682-6152088aa81so15414247b3.0 for ; Tue, 02 Apr 2024 19:21:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1712110873; x=1712715673; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=g330QbZKpmXoovT0mI5FxZrknOF9KuBu/XS6jFcDi0E=; b=NE1z1d65GZjWLzAWpw9GLR57HhKUbNQaIqE9BmN9PpDH41sXw4iLKTjwQ3+6U2TH0X twhVVFEa8GeXhSykc6Ht8Qeq9KKbADBHIvgmnwlKTTONLloCu54C25MFlNQPM4SRm4k8 6zfhREgTelHcZi2j0yEbOxsRAZcBYfeKAhYvXYIaexh+kHepIxp9Nzr32N07BgfvVD0F 0gMUV7l9606UUw0Rmyq/xb1/tpNaiA0A8SfwlIpPPIZaYiKoyvq6oeh7Rim3cByBEZEv Y3r0mqo+mou2DACaO83ZKg/ATPsbzVHFxkY/uNKoKFXcdqoAo3sJYvk7h0XsAtXIItvW GkXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712110873; x=1712715673; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=g330QbZKpmXoovT0mI5FxZrknOF9KuBu/XS6jFcDi0E=; b=Vd9/bfrubB7BZTknqKSVkvg1er/c5ZqPttR5K9E+/t3GhQ+jZeNjIO2cCvBkYabu4+ 42cIWcOPh4CzQdCEBxAd09j7xvhsfbdO+sarjvW/kb2VzpkcxA8aqRjPlYFjYFpxrJiC BK5PdRSjNYKALIsheFrLiCDGLp72KcjT8lHuueYgftmrgnPiQchNybOzkbL8KSIu3rMv 6Ik1qQU5v7fDOZJyFYpxXnHD/Z+Z1eCVh5c6dwk0K7yx6NylaqvUAioNM3sdwacD3EJn VjkzNBdEy6KCMqBrlsRx4eQFT3wVwyfTBnw58eMRDD5qm3s/XiOD99/HIPRO0gWB77F2 s5Lw== X-Forwarded-Encrypted: i=1; AJvYcCV+pToLE+RAfhKBzEbAmy0MlmCmqv5U1eEIKDeK1rawj09sqIXyXFTD4aqBUD47DSdThaWAHCMSgZV3NL4JK+h0t4kNINjCnqsZxUzG X-Gm-Message-State: AOJu0Yyt4A8mHdKnClLTMf76xzSQDdVwrGX2D5IhOfpE8UfGif0KQyM5 hFRS2xbKkkG5SWOCiMuHnIaNAa7hDkAcRb9nB7Sc3t6WN3gPCsbYRWRC//RQrTPeE00pZajL+17 4SVXUkSFBqlQDkhViB7TWwEQpRant081EuRMFfwDZw0WtfVo= X-Received: by 2002:a81:6d09:0:b0:615:2603:7efd with SMTP id i9-20020a816d09000000b0061526037efdmr3631139ywc.8.1712110873474; Tue, 02 Apr 2024 19:21:13 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240402141145.2685631-1-roberto.sassu@huaweicloud.com> <20240402210035.GI538574@ZenIV> <20240402224230.GJ538574@ZenIV> In-Reply-To: <20240402224230.GJ538574@ZenIV> From: Paul Moore Date: Tue, 2 Apr 2024 22:21:02 -0400 Message-ID: Subject: Re: [GIT PULL] security changes for v6.9-rc3 To: Al Viro Cc: Linus Torvalds , Roberto Sassu , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Apr 2, 2024 at 6:42=E2=80=AFPM Al Viro wr= ote: > On Tue, Apr 02, 2024 at 05:36:30PM -0400, Paul Moore wrote: > > > > 1) location of that hook is wrong. It's really "how do we ca= tch > > > file creation that does not come through open() - yes, you can use > > > mknod(2) for that". It should've been after the call of vfs_create()= , > > > not the entire switch. LSM folks have a disturbing fondness of inser= ting > > > hooks in various places, but IMO this one has no business being where > > > they'd placed it. > > > > I know it's everyone's favorite hobby to bash the LSM and LSM devs, > > but it's important to note that we don't add hooks without working > > with the associated subsystem devs to get approval. In the cases > > where we don't get an explicit ACK, there is an on-list approval, or > > several ignored on-list attempts over weeks/months/years. We want to > > be good neighbors. > > > > Roberto's original patch which converted from the IMA/EVM hook to the > > LSM hook was ACK'd by the VFS folks. > > > > Regardless, Roberto if it isn't obvious by now, just move the hook > > back to where it was prior to v6.9-rc1. > > The root cause is in the too vague documentation - it's very easy to > misread as "->mknod() must call d_instantiate()", so the authors of > that patchset and reviewers of the same had missed the subtlety > involved. No arguments about that. > > Unkind comments about the LSM folks' tendency to shove hooks in > places where they make no sense had been brought by many things, > the most recent instance being this: > However, I thought, since we were promoting it as an LSM hook, > we should be as generic possible, and support more usages than > what was needed for IMA. > (https://lore.kernel.org/all/3441a4a1140944f5b418b70f557bca72@huawei.com/= ) > > I'm not blaming Roberto - that really seems to be the general attitude > around LSM; I've seen a _lot_ of "it doesn't matter if it makes any sens= e, > somebody might figure out some use for the data we have at that point in > control flow, eventually if not now" kind of responses over the years. > IME asking what this or that hook is for and what it expects from the obj= ects > passed to it gets treated as invalid question. It's rather common for subsystems to push back on the number LSM hooks, which ends up resulting in patterns where LSM hooks are placed in as wide a scope as possible both to satisfy the requirements of the individual subsystems as well as the LSM's requirements on coverage. Clearly documenting hooks, their inputs, return values, constraints, etc. is important and we need to have those discussions as part of the hook. This is a big part of why we CC the subsystems when adding new hooks and why I make sure we get an ACK or some other approval for a subsystem maintainer before we merge a new hook. Is the system perfect, no, clearly not, but I don't believe it is for a lack of trying or any ill intent on the part of the LSM devs. We recently restored the LSM hook comment blocks in security/security.c (long story), I would gladly welcome any comments/edits/suggestions you, or anyone else may have, about the docs there - I will be the first to admit those docs have rotted quite a bit (once again, long story). If you have corrections, notes, or constraints that should be added please let me know and/or send patches. Similarly, if you're aware of any hooks which are ill advised and/or poorly placed, let us know so we can work together to fix things. I'm serious Al. These aren't just words in an email. I realize you don't have a lot of free cycles, but if you do have feedback on any of those things above, I'm listening. I *really* want to see better collaboration between various subsystems and the LSMs; that's part of why I get annoyed with LSM bashing, leaving the LSM devs out of security/LSM related threads, etc. it only helps keep the divide up between the groups which is bad for all of us. --=20 paul-moore.com