Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering
From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2022-11-07 17:22:01
Also in:
lkml
On 11/7/2022 4:35 AM, Mickaël Salaün wrote:
On 04/11/2022 18:20, Casey Schaufler wrote:quoted
On 11/4/2022 9:29 AM, Mickaël Salaün wrote:quoted
On 18/10/2022 21:31, Paul Moore wrote:quoted
On Tue, Oct 18, 2022 at 1:55 AM Kees Cook [off-list ref] wrote:quoted
On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:[...]quoted
quoted
quoted
We can have defaults, like we do know, but I'm in no hurry to remove the ability to allow admins to change the ordering at boot time.My concern is with new LSMs vs the build system. A system builder will be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted about making changes to CONFIG_LSM to include it.I would argue that if an admin/builder doesn't understand what a shiny new LSM does, they shouldn't be enabling that shiny new LSM. Adding new, potentially restrictive, controls to your kernel build without a basic understanding of those controls is a recipe for disaster and I try to avoid recommending disaster as a planned course of action :)It depends on what this shiny new LSMs do *by default*. In the case of Landlock, it do nothing unless a process does specific system calls (same as for most new kernel features: sysfs entries, syscall flags…). I guess this is the same for most LSMs."By default" is somewhat ambiguous. Smack will always enforce its basic policy. If files aren't labeled and the Smack process label isn't explicitly set there won't be any problems. However, if files have somehow gotten labels assigned and there are no rules defined things can go sideways.Right, it should then mean without effect whatever kernel-mediated persistent data (e.g. FS's xattr), but I agree that the limit with an explicit configuration can be blurry. I guess we could explicitly mark LSMs with a property that specify if they consider safe (for the system) to be implicitly enabled without explicit run time configuration.
In the Smack example, the system would be "safe" from the standpoint of system security policy. It might not "work", because the enforcement could prevent expected access. There is no simple way to identify if an LSM is going to need configuration, and can be counted on having it, at initialization. It's up to the LSM to decide what to do if it isn't properly initialized.