[PATCH security-next v5 00/30] LSM: Explict ordering

Jordan Glover Golden_Miller83 at protonmail.ch
Thu Oct 11 23:53:50 UTC 2018


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 12, 2018 1:09 AM, Kees Cook <keescook at chromium.org> wrote:

> We've had things sort of like this proposed, but if you can convince
> James and others, I'm all for it. I think the standing objection from
> James and John about this is that the results of booting with
> "lsm=something" ends up depending on CONFIG_LSM= for that distro. So
> you end up with different behaviors instead of a consistent behavior
> across all distros.
>

Ok, I'll try :)

The final lsm string contains two parts: Kconfig "CONFIG_LSM=" and boot
param "lsm=". Changing even only one of those parts also changes the
final string.

In case of distros, it's the "CONFIG_LSM=" which changes. Even when "lsm="
stays constant, the behavior will be different, example:

Distro A has: CONFIG_LSM=loadpin,integrity,selinux
Distro B has CONFIG_LSM=yama,loadpin,integrity,selinux

User on distro A wants to enable apparmor with:

lsm=loadpin,integrity,apparmor

which they do and add it to howto on wiki.

User on distro B want to enable apparmor, they found info on some wiki and do:

lsm=loadpin,integrity,apparmor


Puff, yama got disabled!

Above example shows why I think "consistent behavior across all distros"
argument for current approach is flawed -  because distros aren't
consistent. In my proposition the user will just use "lsm=apparmor" and
it will consistently enable apparmor on all distros which is what they
really wanted, but all pre-existing differences across distros will
remain unchanged.

The current approach requires that everyone who dares to touch "lsm="
knows about existence of all lsm, their enabled/disabled status on
target distro and their order. I doubt there are many people other
than recipients of this mail who fit for the above.

I it's better to assume that average user has rather vague knowledge
about lsm and don't delve deep into Kconfig's of their chosen distro.
If they want to use "lsm=" their goal is to disable/enable on or more
things. My proposition will work better for those. More advanced users
still will may pass any "lsm=" string as they like, this having full
control.

Jordan



More information about the Linux-security-module-archive mailing list