Re: [PATCH security-next v5 00/30] LSM: Explict ordering

[PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 03/30] LSM: Rename .security_initcall section to .lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 02/30] vmlinux.lds.h: Avoid copy/paste of security_init section · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 04/30] LSM: Remove initcall tracing · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 01/30] LSM: Correctly announce start of LSM initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 08/30] LSM: Record LSM name in struct lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 05/30] LSM: Convert from initcall to struct lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 09/30] LSM: Provide init debugging infrastructure · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 11/30] LSM: Introduce LSM_FLAG_LEGACY_MAJOR · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-02
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-11-02
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-05
[PATCH security-next v5 13/30] LoadPin: Rename boot param "enabled" to "enforce" · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 21/30] LSM: Refactor "security=" in terms of enable/disable · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 16/30] LSM: Build ordered list of LSMs to initialize · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 15/30] LSM: Lift LSM selection out of individual LSMs · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 14/30] LSM: Plumb visibility into optional "enabled" state · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 10/30] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 06/30] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 07/30] LSM: Convert security_initcall() into DEFINE_LSM() · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 18/30] LSM: Introduce "lsm=" for boottime LSM selection · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 24/30] selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 30/30] capability: Initialize as LSM_ORDER_FIRST · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 25/30] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 23/30] apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 22/30] LSM: Separate idea of "major" LSM from "exclusive" LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 19/30] LSM: Tie enabling logic to presence in ordered list · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 20/30] LSM: Prepare for reorganizing "security=" logic · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 28/30] Yama: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 27/30] LoadPin: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 26/30] LSM: Split LSM preparation from initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 17/30] LSM: Introduce CONFIG_LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 29/30] LSM: Introduce enum lsm_order · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · James Morris <jmorris@namei.org> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · James Morris <jmorris@namei.org> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-24
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-24
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-14
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-20
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12

From: Jordan Glover <hidden>
Date: 2018-10-12 11:31:22
Also in: linux-arch, linux-doc, lkml

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 12, 2018 3:19 AM, John Johansen [off-list ref] wrote:

It isn't perfect but it manages consistency across distros as best as
can be achieved atm.

Its just a fact that some LSMs are not going to be built into some
kernels. The only way to deal with that is direct people to build
their own kernels.

The other major problem is that the current LSM stacking patches do
not deal with "extreme" stacking. So doing

lsm=+apparmor

(I am going to stick with the + syntax atm to avoid confusion between
adding and setting)

assuming apparmor is builtin will not necessarily get you apparmor if
another major lsm is enabled. Yes your specific proposal would as it
specifies it overrides the current major, except that ordering
important so if say landlock registers before apparmor, you may still
not get apparmor.

I think this will be solved with LSM_ORDER_LAST or something like that
Kees proposed.

You proposal does not provide a means to ensure you have only a
specific set of LSMs enabled. As an LSM not explicitly listed in lsm=
lsm=! may still be enabled. So the user is going to have to be aware
of the initial LSMs list if they are trying to guarentee a specific
security arrangement.

What about special marker like "!!" which will mean "this string is
explicit?

lsm=!!,apparmor

will enable apparmor and disable everything else.

lsm=!!,!apparmor or lsm=!!

will set the string empty and disable everything.

"!!" in "CONFIG_LSM" will take precedence over "!!" in "lsm=" which
will make "lsm=" totally ignored. This way distro could lock specific
lsm set which isn't possible with current approach.

CONFIG_LSM=!!,yama,loadpin,integrity,apparmor

This violates one of the hard asks, and I will tell you that this will
just mean there is going to be some distro patching to make sure it
exists.

I think I can quess who will make those patches :)

The current explicit list is more consistent, and it is amenable to
being extended with + or ! as selective add/remove so we are not
locked into only supporting an explicit list.

Jordan

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help