The secmark "one user" policy
John Johansen
john.johansen at canonical.com
Thu Jun 22 18:49:15 UTC 2017
On 06/22/2017 02:54 AM, James Morris wrote:
> On Wed, 21 Jun 2017, Casey Schaufler wrote:
>
>> Ideally there would be a separate secmark for each security
>> module that wants to use the mechanism. Mechanism would be
>> provided* so that user-space can identify which security
>> module it is referring to when interacting with the kernel.
>> My understanding is that we're unlikely to get an expanded
>> secmark, so I have concentrated elsewhere.
>
> I don't see us getting an expanded secmark, either.
>
>>
>> A "clever" secid mapping takes the secids from all the
>> security modules and gently manipulates them until they
>> fit into a single u32. This might be an index into a list
>> of secid sets, but if you have two modules using secids
>> you can give each half of the secmark and accommodate
>> many configurations, including Fedora. Again, you need
>> mechanism* for user-space. This option would require changes
>> to the xt_SECMARK implementation, which goes out of it's
>> way to ensure all secmarks come from the same security
>> module. One option is to add a SECMARK_MODE_COMPOUND, but
>> that isn't any more helpful then removing the restriction.
>
> This sounds very ugly, and each user may assume it has 32 bits of secmark.
>
>> As for configuration options, SELinux only uses secmarks
>> when user-space introduces them. If netfilter doesn't have
>> any security rules that add secmarks, none are used. Smack
>> can be configured to set secmarks on all packets, with the
>> potential for change by user-space, but can also be set up
>> without any use of secmarks. There doesn't need to be any
>> significant change to xt_SECMARK if it is important to
>> maintain the "one user" model. Requiring that the user-space
>> use of netfilter be sane for the multiple security module
>> case (e.g. don't use SELinux firewall if Smack has the
>> secmark) seems somewhat reasonable.
>
> Reasonable? I don't think so.
>
> Trying to stack major LSMs arbitrarily and exposing that to userland is an
> architectural mess, which is what these kinds of problems are really
> telling us.
>
The use case I keep seeing is not exposing multiple LSMs to the user
space. Its the container where the container wants a different LSM
than the system is running.
Stacking 2 LSMs in that case and only exposing one to user space isn't
so unreasonable.
> How can a user be expected to reason about a system which is running
> multiple independent MAC security models simultaneously? It's a terrible
> idea.
>
At a generic system MAC level I agree, but not all LSMs that need
state are MACs and in the more limited container case it isn't so
unreasonable. Arguably virtualization is a better solution for the
container that wants a different MAC but then that forces you to
choose virtualization from the start and not just use the existing pre
built container that you want to pull in and use.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list