Re: [RFC PATCH v3 00/13] Clavis LSM

From: Mimi Zohar
Date: Tue Mar 04 2025 - 21:21:02 EST

Next message: Darrick J. Wong: "Re: [PATCH] xfs: Replace deprecated strncpy() with strscpy()"
Previous message: David Laight: "Re: [RFC PATCH v v2 0/4] avoid the extra atomic on a ref when closing a fd"
In reply to: Paul Moore: "Re: [RFC PATCH v3 00/13] Clavis LSM"
Next in thread: Paul Moore: "Re: [RFC PATCH v3 00/13] Clavis LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2025-03-04 at 21:09 -0500, Paul Moore wrote:
> On Tue, Mar 4, 2025 at 8:50 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > On Tue, 2025-03-04 at 19:19 -0500, Paul Moore wrote:
> > > On Tue, Mar 4, 2025 at 7:54 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > > On Mon, 2025-03-03 at 17:38 -0500, Paul Moore wrote:
> > > > > On Fri, Feb 28, 2025 at 12:19 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > > > > On Fri, 2025-02-28 at 11:14 -0500, Paul Moore wrote:
> > > > > > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > > > > > > On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote:
> > > > >
> > > > > ...
> > > > >
> > > > > > Ok, let's go through different scenarios to see if it would scale.
> > > > > >
> > > > > > Scenario 1: Mostly distro signed userspace applications, minimum number of
> > > > > > developer, customer, 3rd party applications.
> > > > > >
> > > > > > Scenario 2: Multiple developer, customer, 3rd party applications, signed by the
> > > > > > same party.
> > > > > >
> > > > > > Scenario 3: extreme case - every application signed by different party.
> > > > > >
> > > > > > With the minimum case, there would probably be a default key or sets of
> > > > > > permissible keys. In the extreme case, the number of keyrings would be
> > > > > > equivalent to the number of application/software packages.
> > > > >
> > > > > Perhaps we're not understanding each other, but my understanding of
> > > > > the above three scenarios is that they are all examples of signed
> > > > > applications where something (likely something in the kernel like IMA)
> > > > > verifies the signature on the application. While there are going to
> > > > > be differing numbers of keys in each of the three scenarios, I believe
> > > > > they would all be on/linked-to the same usage oriented keyring as they
> > > > > all share the same usage: application signatures.
> > > >
> > > > Yes they're all verifying file signatures, but the software packages are from
> > > > different sources (e.g. distro, chrome), signed by different keys.
> > >
> > > Yep.
> > >
> > > > Only a
> > > > particular key should be used to verify the file signatures for a particular
> > > > application.
> > >
> > > That's definitely one access control policy, but I can also envision a
> > > scenario where I have just one keyring for application signatures with
> > > multiple keys from multiple vendors.
> >
> > Having a single keyring with keys from multiple software vendors is the status
> > quo.
>
> A single keyring with keys from multiple vendors does happen today
> yes, but there is no separation based on how those keys are used, e.g.
> separate application signature and kernel module signature keyrings.

As soon as you add multiple vendors keys on the kernel module signature keyring,
you'll need finer grained access control.

Mimi

Next message: Darrick J. Wong: "Re: [PATCH] xfs: Replace deprecated strncpy() with strscpy()"
Previous message: David Laight: "Re: [RFC PATCH v v2 0/4] avoid the extra atomic on a ref when closing a fd"
In reply to: Paul Moore: "Re: [RFC PATCH v3 00/13] Clavis LSM"
Next in thread: Paul Moore: "Re: [RFC PATCH v3 00/13] Clavis LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]