Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter

[PATCH security-next v4 00/32] LSM: Explict LSM ordering · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 01/32] LSM: Correctly announce start of LSM initialization · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 04/32] LSM: Remove initcall tracing · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 04/32] LSM: Remove initcall tracing · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 03/32] LSM: Rename .security_initcall section to .lsm_info · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 02/32] vmlinux.lds.h: Avoid copy/paste of security_init section · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 05/32] LSM: Convert from initcall to struct lsm_info · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 08/32] LSM: Record LSM name in struct lsm_info · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 14/32] LSM: Plumb visibility into optional "enabled" state · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 32/32] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 26/32] LSM: Introduce "lsm.order=" for boottime ordering · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 30/32] capability: Initialize as LSM_ORDER_FIRST · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 31/32] LSM: Separate idea of "major" LSM from "exclusive" LSM · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" · Randy Dunlap <hidden> · 2018-10-02
Re: [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 11/32] LSM: Introduce LSM_FLAG_LEGACY_MAJOR · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 15/32] LSM: Lift LSM selection out of individual LSMs · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 12/32] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 10/32] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures · James Morris <jmorris@namei.org> · 2018-10-02
Re: [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 18/32] LSM: Introduce lsm.enable= and lsm.disable= · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 19/32] LSM: Prepare for reorganizing "security=" logic · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 22/32] apparmor: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 29/32] LSM: Introduce enum lsm_order · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 28/32] Yama: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 25/32] LSM: Introduce CONFIG_LSM_ORDER · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic · Randy Dunlap <hidden> · 2018-10-02
Re: [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 20/32] LSM: Refactor "security=" in terms of enable/disable · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 24/32] LSM: Build ordered list of ordered LSMs for init · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Paul Moore <paul@paul-moore.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Jordan Glover <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Paul Moore <paul@paul-moore.com> · 2018-10-08
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Jordan Glover <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Randy Dunlap <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 27/32] LoadPin: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 17/32] LSM: Introduce CONFIG_LSM_ENABLE · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 16/32] LSM: Prepare for arbitrary LSM enabling · Kees Cook <hidden> · 2018-10-02

From: Kees Cook <hidden>
Date: 2018-10-02 19:11:47
Also in: linux-arch, linux-doc, lkml

On Tue, Oct 2, 2018 at 11:33 AM, Stephen Smalley [off-list ref] wrote:

On 10/02/2018 12:54 PM, Kees Cook wrote:

quoted

On Tue, Oct 2, 2018 at 9:33 AM, Jordan Glover
[off-list ref] wrote:

quoted

It's always documented as: "selinux=1 security=selinux" so security=
should
still do the job and selinux=1 become no-op, no?


The v3 patch set worked this way, yes. (The per-LSM enable defaults
were set by the LSM. Only in the case of "lsm.disable=selinux" would
the above stop working.)

John did not like the separation of having two CONFIG and two
bootparams mixing the controls. The v3 resolution rules were:

SECURITY_SELINUX_BOOTPARAM_VALUE overrides CONFIG_LSM_ENABLE.
SECURITY_APPARMOR_BOOTPARAM_VALUE overrides CONFIG_LSM_ENABLE.
selinux= overrides SECURITY_SELINUX_BOOTPARAM_VALUE.
apparmor.enabled= overrides SECURITY_APPARMOR_BOOTPARAM_VALUE.
apparmor= overrides apparmor.enabled=.
lsm.enable= overrides selinux=.
lsm.enable= overrides apparmor=.
lsm.disable= overrides lsm.enable=.
major LSM _omission_ from security= (if present) overrides lsm.enable.

v4 removed the per-LSM boot params and CONFIGs at John's request, but
Paul and Stephen don't want this for SELinux.

The pieces for reducing conflict with CONFIG_LSM_ENABLE and
lsm.{enable,disable}= were:

1- Remove SECURITY_APPARMOR_BOOTPARAM_VALUE.
2- Remove apparmor= and apparmor.enabled=.
3- Remove SECURITY_SELINUX_BOOTPARAM_VALUE.
4- Remove selinux=.

v4 used all of 1-4 above. SELinux says "4" cannot happen as it's too
commonly used. Would 3 be okay for SELinux?


Let's say a user/packager/distro has been building kernels for the past 14
years (*) with a config that has SECURITY_SELINUX_BOOTPARAM_VALUE=0, and now
they build a new kernel that includes these patches using that same config.
Won't SELinux be enabled by default because SECURITY_SELINUX_BOOTPARAM_VALUE
is now ignored and LSM_ENABLE defaults to all?  Is it ok to require them to
specify a new config option to preserve old behavior?

Yes, I think that's fine -- kernel CONFIGs change all the time. System
builders are used to examining these changes.

-Kees

-- 
Kees Cook
Pixel Security

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help