On Wed, Feb 5, 2025 at 7:01 AM Dr. Greg [off-list ref] wrote:

On Tue, Jan 28, 2025 at 05:23:52PM -0500, Paul Moore wrote:

quoted

I believe the LSM can support both the enforcement of security policy
and the observation of security relevant events on a system.  In fact
most of the existing LSMs do both, at least to some extent.

However, while logging of security events likely needs to be
asynchronous for performance reasons, enforcement of security policy
likely needs to be synchronous to have any reasonable level of
assurance.  You are welcome to propose LSMs which provide
observability functionality that is either sync, async, or some
combination of both (? it would need to make sense to do both ?), but
I'm not currently interested in accepting LSMs that provide
asynchronous enforcement as I don't view that as a "reasonable"
enforcement mechanism.

This is an artificial distinction that will prove limiting to the
security that Linux will be able to deliver in the future.

Based on your response, is it your stated position as Linux security
maintainer, that you consider modern Endpoint Detection and Response
Systems (EDRS) lacking with respect to their ability to implement a
"reasonable" enforcement and assurance mechanism?

As stated previously: "I'm not currently interested in accepting LSMs
that provide asynchronous enforcement as I don't view that as a
reasonable enforcement mechanism."

If this is the case, your philosophy leaves Linux in a position that
is inconsistent with how the industry is choosing to implement
security.

In this case perhaps TSEM is not well suited for the upstream Linux
kernel and your efforts are better spent downstream, much like the
industry you appear to respect.

-- 
paul-moore.com