[PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2

Casey Schaufler casey at schaufler-ca.com
Sat Nov 11 20:18:36 UTC 2017


On 11/11/2017 7:48 AM, Paul Moore wrote:
> On Fri, Oct 27, 2017 at 5:34 PM, Casey Schaufler <casey at schaufler-ca.com> wrote:
>> Subject: [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
>>
>> This patch set implements stacking for "major" security modules.
> ..
>
>> I have tested these patches in various configurations of Ubuntu and
>> Fedora. Smack and SELinux together pass test suites with some exceptions.
>> There are conflicts with the way the modules treat network configurations.
>> These conflicts are under investigation, and changes to Smack (and
>> possibly SELinux) to reconcile the worst of the issues are in development.
> This remains my big concern, especially the network support.  We've
> talked about this a lot in person, but until I see the code which
> deals with this I can't ack/nack this patchset.

That's well understood, and appreciated.

The LSM infrastructure is based on the system (e.g. vfs) code
making calls to hooks when it is time to make a check. The netlabel
system is based on the LSM making a call when it has information
to present. The former makes coordination of multiple security
modules relatively straightforward. The latter requires holding on
to data until such time as the end networking code needs it. Even
if all the security modules made netlabel calls from exactly the
same hooks (they don't) there's still no place to pull everything
together. The solutions used to address the security_blah interfaces
don't work with the networking implementation.

I'm on what I think is about my 5th approach to the netlabel problem.
I have discovered all sorts of nasty little issues, some of which are
artifacts of the IP stack, and some of which are the result of more
general memory and object management.

I would be delighted if someone were inclined to point out an
elegant way to approach the problem. Lacking that, I'll just keep
plugging away with my 12 pound hammer and rusty crowbar.
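The "system code calls the hooks" pattern that makes stacking straightforward, as an added C model for readers of this thread. This is constructed illustration, not kernel code and not part of the patch set: two hypothetical modules ("mod_a" and "mod_b", with assumed toy policies) each register an inode_permission-style hook, and a single security_inode_permission() walks the list in registration order and returns the first denial, the way the kernel's call_int_hook() does. Nothing here models the netlabel side; the point is that a hook the caller invokes has an obvious place to combine answers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed access request; the field names are assumptions for this model. */
struct request {
    const char *subject;  /* who is acting, e.g. "root" or "guest" */
    const char *object;   /* what is acted on, e.g. a path */
    const char *op;       /* "read" or "write" */
};

/* An inode_permission-style hook: 0 allows, negative errno denies. */
typedef int (*inode_permission_hook)(const struct request *req);

struct lsm_hook {
    const char *module;        /* name of the stacked module that registered it */
    inode_permission_hook fn;
};

/* Hypothetical module "mod_a": forbids writes to /etc/shadow. */
static int mod_a_inode_permission(const struct request *r)
{
    if (strcmp(r->object, "/etc/shadow") == 0 && strcmp(r->op, "write") == 0)
        return -EACCES;
    return 0;
}

/* Hypothetical module "mod_b": subject "guest" may not touch anything. */
static int mod_b_inode_permission(const struct request *r)
{
    if (strcmp(r->subject, "guest") == 0)
        return -EPERM;
    return 0;
}

/* Registration order is the call order, as with a stacked hook list. */
static const struct lsm_hook inode_permission_hooks[] = {
    { "mod_a", mod_a_inode_permission },
    { "mod_b", mod_b_inode_permission },
};

/* Mirrors the shape of the kernel's call_int_hook(): walk the list and
 * return the first non-zero result. The caller (the "vfs" in this model)
 * gets one answer no matter how many modules are stacked, and denied_by
 * reports which module produced it (NULL when every module allowed). */
int security_inode_permission(const struct request *r, const char **denied_by)
{
    size_t n = sizeof inode_permission_hooks / sizeof inode_permission_hooks[0];
    for (size_t i = 0; i < n; i++) {
        int rc = inode_permission_hooks[i].fn(r);
        if (rc) {
            if (denied_by)
                *denied_by = inode_permission_hooks[i].module;
            return rc;
        }
    }
    if (denied_by)
        *denied_by = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample requests. */
    const struct request cases[] = {
        { "root",  "/etc/shadow", "write" },
        { "guest", "/tmp/notes",  "read"  },
        { "root",  "/tmp/notes",  "read"  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *who = NULL;
        int rc = security_inode_permission(&cases[i], &who);
        printf("%s %s %s -> %d%s%s\n", cases[i].subject, cases[i].op,
               cases[i].object, rc, who ? " denied by " : "", who ? who : "");
    }
    return 0;
}
```

Because the list is walked in order and stops at the first denial, a request that both modules would refuse is reported against the earlier one; that ordering question is exactly what a push-style interface like netlabel, where each module hands data down on its own schedule, has no single place to settle.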
