Re: [PATCH security-next v5 00/30] LSM: Explict ordering

[PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 03/30] LSM: Rename .security_initcall section to .lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 02/30] vmlinux.lds.h: Avoid copy/paste of security_init section · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 04/30] LSM: Remove initcall tracing · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 01/30] LSM: Correctly announce start of LSM initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 08/30] LSM: Record LSM name in struct lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 05/30] LSM: Convert from initcall to struct lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 09/30] LSM: Provide init debugging infrastructure · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 11/30] LSM: Introduce LSM_FLAG_LEGACY_MAJOR · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-02
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-11-02
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-05
[PATCH security-next v5 13/30] LoadPin: Rename boot param "enabled" to "enforce" · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 21/30] LSM: Refactor "security=" in terms of enable/disable · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 16/30] LSM: Build ordered list of LSMs to initialize · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 15/30] LSM: Lift LSM selection out of individual LSMs · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 14/30] LSM: Plumb visibility into optional "enabled" state · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 10/30] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 06/30] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 07/30] LSM: Convert security_initcall() into DEFINE_LSM() · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 18/30] LSM: Introduce "lsm=" for boottime LSM selection · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 24/30] selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 30/30] capability: Initialize as LSM_ORDER_FIRST · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 25/30] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 23/30] apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 22/30] LSM: Separate idea of "major" LSM from "exclusive" LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 19/30] LSM: Tie enabling logic to presence in ordered list · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 20/30] LSM: Prepare for reorganizing "security=" logic · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 28/30] Yama: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 27/30] LoadPin: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 26/30] LSM: Split LSM preparation from initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 17/30] LSM: Introduce CONFIG_LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 29/30] LSM: Introduce enum lsm_order · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · James Morris <jmorris@namei.org> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · James Morris <jmorris@namei.org> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-24
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-24
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-14
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-20
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12

From: Jordan Glover <hidden>
Date: 2018-10-11 23:54:00
Also in: linux-arch, linux-doc, lkml

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 12, 2018 1:09 AM, Kees Cook [off-list ref] wrote:

We've had things sort of like this proposed, but if you can convince
James and others, I'm all for it. I think the standing objection from
James and John about this is that the results of booting with
"lsm=something" ends up depending on CONFIG_LSM= for that distro. So
you end up with different behaviors instead of a consistent behavior
across all distros.

Ok, I'll try :)

The final lsm string contains two parts: Kconfig "CONFIG_LSM=" and boot
param "lsm=". Changing even only one of those parts also changes the
final string.

In case of distros, it's the "CONFIG_LSM=" which changes. Even when "lsm="
stays constant, the behavior will be different, example:

Distro A has: CONFIG_LSM=loadpin,integrity,selinux
Distro B has CONFIG_LSM=yama,loadpin,integrity,selinux

User on distro A wants to enable apparmor with:

lsm=loadpin,integrity,apparmor

which they do and add it to howto on wiki.

User on distro B want to enable apparmor, they found info on some wiki and do:

lsm=loadpin,integrity,apparmor


Puff, yama got disabled!

Above example shows why I think "consistent behavior across all distros"
argument for current approach is flawed -  because distros aren't
consistent. In my proposition the user will just use "lsm=apparmor" and
it will consistently enable apparmor on all distros which is what they
really wanted, but all pre-existing differences across distros will
remain unchanged.

The current approach requires that everyone who dares to touch "lsm="
knows about existence of all lsm, their enabled/disabled status on
target distro and their order. I doubt there are many people other
than recipients of this mail who fit for the above.

I it's better to assume that average user has rather vague knowledge
about lsm and don't delve deep into Kconfig's of their chosen distro.
If they want to use "lsm=" their goal is to disable/enable on or more
things. My proposition will work better for those. More advanced users
still will may pass any "lsm=" string as they like, this having full
control.

Jordan

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help