Re: [-next PATCH] security: use octal not symbolic permissions

From: Casey Schaufler
Date: Wed Jun 13 2018 - 17:15:00 EST


On 6/13/2018 12:57 PM, Paul Moore wrote:
> On Wed, Jun 13, 2018 at 3:30 PM, Joe Perches <joe@xxxxxxxxxxx> wrote:
>> On Wed, 2018-06-13 at 12:19 -0400, Paul Moore wrote:
>>> On Wed, Jun 13, 2018 at 12:04 PM, Joe Perches <joe@xxxxxxxxxxx> wrote:
>>>> On Wed, 2018-06-13 at 11:49 -0400, Paul Moore wrote:
>>>>> On Tue, Jun 12, 2018 at 8:29 PM, Joe Perches <joe@xxxxxxxxxxx> wrote:
>>>>>> On Tue, 2018-06-12 at 17:12 -0400, Paul Moore wrote:
>>>>>>> Joe, in general I really appreciate the fixes you send, but these
>>>>>>> patches that cross a lot of subsystem boundaries (this isn't the first
>>>>>>> one that does this) causes unnecessary conflicts in -next and during
>>>>>>> the merge window. Could you split your patches up from now on please?
>>>>>> Sorry. No. Merge conflicts are inherent in this system.
>>>>> Yes, merge conflicts are inherent in this system when one makes a
>>>>> single change which impacts multiple subsystems, e.g. changing a core
>>>>> kernel function which is called by multiple subsystems. However, that
>>>>> isn't what this patch does, it makes a number of self-contained
>>>>> changes across multiple subsystems; there are no cross-subsystem
>>>>> dependencies in this patch. You are increasing the likelihood of
>>>>> conflicts for no good reason; that is why I'm asking you to split this
>>>>> patch and others like it.
>>>> No. History shows with high certainty that splitting
>>>> patches like this across multiple subsystems of a primary
>>>> subsystem means that the entire patchset is not completely
>>>> applied.
>>> I think that is due more to a lack of effort on the part of the patch
>>> author to keep pushing the individual patches.
>> Nope. Try again.
>>
>> Resistance to change and desire for status quo
>> occurs in many subsystems.
> Which gets back to the need for persistence on the part of the patch
> author. If your solution to a stubborn susbsystem is to go around
> them by convincing another, potentially unrelated subsystem, to merge
> the patch then I firmly believe you are doing it wrong.
>
>>>> It's _much_ simpler and provides a generic mechanism to
>>>> get the entire patch applied to send a single patch to the
>>>> top level subsystem maintainer.
>>> I understand it is simpler for you, but it is more difficult for everyone else.
>> Not true.
> I think we are at the agree to disagree stage.
>
> The way you have structured this patch it makes it easier for you to
> submit, but makes it potentially more difficult for me (likely other
> LSM maintainers too), the -next folks, and Linus.

I am agreeing with Paul. There is no reason that I/he should
be compelled to accept the Smack/SELinux patches because he/I
accepted the SELinux/Smack bits.

>
>> It's simply a matter of merge resolution being pushed down
>> where and when necessary.
>>
>> See changes like the additions of the SPDX license tags.
> Please don't even try to suggest that this trivial patch you are
> proposing is even remotely as significant as the SPDX change. There
> are always going to be exceptions to every rule, and with each
> exception there needs to be a solid reason behind the change. The
> SPDX change had a legitimate reason (legal concern) for doing it the
> way it was done; this patch isn't close to that level of concern.
>
>>> Further, where the LSMs are concerned, there is no "top level
>>> subsystem maintainer" anymore. SELinux and AppArmor send pull
>>> requests directly to Linus.
>> MAINTAINERS-SECURITY SUBSYSTEM
>> MAINTAINERS-M: James Morris <jmorris@xxxxxxxxx>
>> MAINTAINERS-M: "Serge E. Hallyn" <serge@xxxxxxxxxx>
>> MAINTAINERS-L: linux-security-module@xxxxxxxxxxxxxxx (suggested Cc:)
>> MAINTAINERS-T: git git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
>> MAINTAINERS-W: http://kernsec.org/
>> MAINTAINERS-S: Supported
>> MAINTAINERS:F: security/
>> MAINTAINERS-
>>
>> If James is not approving or merging security/selinux or
>> security/tomoyo then perhaps the F: entries could be
>> augmented with appropriate X: entries or made specific
>> by using specific entries like:
>>
>> F: security/*
>> F: security/integrity/
>> F: security/keys/

There are already F: entries for security/selinux, security/smack
and security/apparmor so I don't get your point.

> That is a good point. I'll put together a patch for selinux/next as
> soon as the merge window closes. I'll let the other LSMs do as they
> see fit. As I said previously, I believe the only other LSM that
> sends directly to Linux is AppArmor.

Smack will continue using the security subsystem so long as
James offers the service. There's overhead in setting up the
environment for sending directly to Linus that I'm in no rush
to incur.