Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering
From: Kees Cook
Date: Tue Oct 18 2022 - 01:55:42 EST
On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:
> The code sorta cares about ordering, at least to the extent that the
> LSMs will behave differently depending on the ordering, e.g. a LSM
Right -- this is why I've been so uncomfortable with allowing
arbitrarily reordering of the LSM list from lsm=. There are orderings we
know work, and others may have undesirable side-effects. I'd much rather
the kernel be specific about the order.
> I personally would like to preserve the existing concept where "built"
> does *not* equate to "enabled" by default.
Yup, understood. I didn't think I was going to win over anyone on that
one, but figured I'd just point it out again. ;)
> > I *still* think there should be a way to leave ordering alone and have
> > separate enable/disable control.
>
> My current opinion is that enabling a LSM and specifying its place in
> an ordered list are one in the same. The way LSM stacking as
> currently done almost requires the ability to specify an order if an
> admin is trying to meet an security relevant operation visibility
> goal.
As in an admin wants to see selinux rejections instead of loadpin
rejections for a blocked module loading?
Hmmm. Is this a realistic need?
> We can have defaults, like we do know, but I'm in no hurry to remove
> the ability to allow admins to change the ordering at boot time.
My concern is with new LSMs vs the build system. A system builder will
be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
about making changes to CONFIG_LSM to include it.
Even booting with "lsm.debug" isn't entirely helpful to helping someone
construct the "lsm=" option they actually want... I guess I can fix that
part, at least. :)
--
Kees Cook