[PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering
Casey Schaufler
casey at schaufler-ca.com
Mon Nov 7 17:21:35 UTC 2022
On 11/7/2022 4:35 AM, Mickaël Salaün wrote:
>
> On 04/11/2022 18:20, Casey Schaufler wrote:
>> On 11/4/2022 9:29 AM, Mickaël Salaün wrote:
>>>
>>> On 18/10/2022 21:31, Paul Moore wrote:
>>>> On Tue, Oct 18, 2022 at 1:55 AM Kees Cook <keescook at chromium.org>
>>>> wrote:
>>>>> On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:
>>>
>>> [...]
>>>
>>>>>> We can have defaults, like we do know, but I'm in no hurry to remove
>>>>>> the ability to allow admins to change the ordering at boot time.
>>>>>
>>>>> My concern is with new LSMs vs the build system. A system builder
>>>>> will
>>>>> be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
>>>>> about making changes to CONFIG_LSM to include it.
>>>>
>>>> I would argue that if an admin/builder doesn't understand what a shiny
>>>> new LSM does, they shouldn't be enabling that shiny new LSM. Adding
>>>> new, potentially restrictive, controls to your kernel build without a
>>>> basic understanding of those controls is a recipe for disaster and I
>>>> try to avoid recommending disaster as a planned course of action :)
>>>
>>> It depends on what this shiny new LSMs do *by default*. In the case of
>>> Landlock, it do nothing unless a process does specific system calls
>>> (same as for most new kernel features: sysfs entries, syscall flags…).
>>> I guess this is the same for most LSMs.
>>
>> "By default" is somewhat ambiguous. Smack will always enforce its
>> basic policy. If files aren't labeled and the Smack process label
>> isn't explicitly set there won't be any problems. However, if files
>> have somehow gotten labels assigned and there are no rules defined
>> things can go sideways.
>
> Right, it should then mean without effect whatever kernel-mediated
> persistent data (e.g. FS's xattr), but I agree that the limit with an
> explicit configuration can be blurry. I guess we could explicitly mark
> LSMs with a property that specify if they consider safe (for the
> system) to be implicitly enabled without explicit run time configuration.
In the Smack example, the system would be "safe" from the standpoint
of system security policy. It might not "work", because the enforcement
could prevent expected access. There is no simple way to identify if an
LSM is going to need configuration, and can be counted on having it, at
initialization. It's up to the LSM to decide what to do if it isn't
properly initialized.
More information about the Linux-security-module-archive
mailing list