Re: [PATCH security-next v5 00/30] LSM: Explict ordering

From: Jordan Glover
Date: Thu Oct 11 2018 - 19:54:01 EST

Next message: Dmitry Torokhov: "[git pull] Input updates for v4.19-rc7"
Previous message: Stephen Rothwell: "linux-next: manual merge of the net-next tree with the net tree"
In reply to: Kees Cook: "Re: [PATCH security-next v5 00/30] LSM: Explict ordering"
Next in thread: John Johansen: "Re: [PATCH security-next v5 00/30] LSM: Explict ordering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

âââââââ Original Message âââââââ
On Friday, October 12, 2018 1:09 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:

> We've had things sort of like this proposed, but if you can convince
> James and others, I'm all for it. I think the standing objection from
> James and John about this is that the results of booting with
> "lsm=something" ends up depending on CONFIG_LSM= for that distro. So
> you end up with different behaviors instead of a consistent behavior
> across all distros.
>

Ok, I'll try :)

The final lsm string contains two parts: Kconfig "CONFIG_LSM=" and boot
param "lsm=". Changing even only one of those parts also changes the
final string.

In case of distros, it's the "CONFIG_LSM=" which changes. Even when "lsm="
stays constant, the behavior will be different, example:

Distro A has: CONFIG_LSM=loadpin,integrity,selinux
Distro B has CONFIG_LSM=yama,loadpin,integrity,selinux

User on distro A wants to enable apparmor with:

lsm=loadpin,integrity,apparmor

which they do and add it to howto on wiki.

User on distro B want to enable apparmor, they found info on some wiki and do:

lsm=loadpin,integrity,apparmor

Puff, yama got disabled!

Above example shows why I think "consistent behavior across all distros"
argument for current approach is flawed - because distros aren't
consistent. In my proposition the user will just use "lsm=apparmor" and
it will consistently enable apparmor on all distros which is what they
really wanted, but all pre-existing differences across distros will
remain unchanged.

The current approach requires that everyone who dares to touch "lsm="
knows about existence of all lsm, their enabled/disabled status on
target distro and their order. I doubt there are many people other
than recipients of this mail who fit for the above.

I it's better to assume that average user has rather vague knowledge
about lsm and don't delve deep into Kconfig's of their chosen distro.
If they want to use "lsm=" their goal is to disable/enable on or more
things. My proposition will work better for those. More advanced users
still will may pass any "lsm=" string as they like, this having full
control.

Jordan

Next message: Dmitry Torokhov: "[git pull] Input updates for v4.19-rc7"
Previous message: Stephen Rothwell: "linux-next: manual merge of the net-next tree with the net tree"
In reply to: Kees Cook: "Re: [PATCH security-next v5 00/30] LSM: Explict ordering"
Next in thread: John Johansen: "Re: [PATCH security-next v5 00/30] LSM: Explict ordering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]