[PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering
Mickaël Salaün
mic at digikod.net
Mon Nov 7 19:37:27 UTC 2022
On 07/11/2022 18:21, Casey Schaufler wrote:
> On 11/7/2022 4:35 AM, Mickaël Salaün wrote:
>>
>> On 04/11/2022 18:20, Casey Schaufler wrote:
>>> On 11/4/2022 9:29 AM, Mickaël Salaün wrote:
>>>>
>>>> On 18/10/2022 21:31, Paul Moore wrote:
>>>>> On Tue, Oct 18, 2022 at 1:55 AM Kees Cook <keescook at chromium.org>
>>>>> wrote:
>>>>>> On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:
>>>>
>>>> [...]
>>>>
>>>>>>> We can have defaults, like we do know, but I'm in no hurry to remove
>>>>>>> the ability to allow admins to change the ordering at boot time.
>>>>>>
>>>>>> My concern is with new LSMs vs the build system. A system builder
>>>>>> will
>>>>>> be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
>>>>>> about making changes to CONFIG_LSM to include it.
>>>>>
>>>>> I would argue that if an admin/builder doesn't understand what a shiny
>>>>> new LSM does, they shouldn't be enabling that shiny new LSM. Adding
>>>>> new, potentially restrictive, controls to your kernel build without a
>>>>> basic understanding of those controls is a recipe for disaster and I
>>>>> try to avoid recommending disaster as a planned course of action :)
>>>>
>>>> It depends on what this shiny new LSMs do *by default*. In the case of
>>>> Landlock, it do nothing unless a process does specific system calls
>>>> (same as for most new kernel features: sysfs entries, syscall flags…).
>>>> I guess this is the same for most LSMs.
>>>
>>> "By default" is somewhat ambiguous. Smack will always enforce its
>>> basic policy. If files aren't labeled and the Smack process label
>>> isn't explicitly set there won't be any problems. However, if files
>>> have somehow gotten labels assigned and there are no rules defined
>>> things can go sideways.
>>
>> Right, it should then mean without effect whatever kernel-mediated
>> persistent data (e.g. FS's xattr), but I agree that the limit with an
>> explicit configuration can be blurry. I guess we could explicitly mark
>> LSMs with a property that specify if they consider safe (for the
>> system) to be implicitly enabled without explicit run time configuration.
>
> In the Smack example, the system would be "safe" from the standpoint
> of system security policy. It might not "work", because the enforcement
> could prevent expected access. There is no simple way to identify if an
> LSM is going to need configuration, and can be counted on having it, at
> initialization. It's up to the LSM to decide what to do if it isn't
> properly initialized.
I agree, I was thinking about "working" (without specific security
contract). I was suggesting to create a dedicated field in the
DEFINE_LSM struct to identify if the LSM needs a proper initialization
(which is not the case for Yama, Landlock, BPF, and probably others).
More information about the Linux-security-module-archive
mailing list