LSM stacking in next for 6.1?

Tue Oct 25 10:26:17 UTC 2022

On 10/25/22 02:48, Tetsuo Handa wrote:
> On 2022/10/25 1:37, Casey Schaufler wrote:
>>>   What I'm insisting is that "warrant the freedom to load
>>> loadable LSM modules without recompiling the whole kernel".
>>
>> Since security modules are optional and the LSM infrastructure
>> itself is optional you can't ensure that any given kernel would
>> support a loadable security module.
> 
> Like I propose adding EXPORT_SYMBOL_GPL(security_hook_heads),
> I'm not taking about distributors who choose CONFIG_SECURITY=n.
> 
>>> Adding EXPORT_SYMBOL_GPL(security_hook_heads) is the only way that can "allow
>>> LSM modules which distributors cannot support to be legally loaded".
>>
>> I believe that I've identified an alternative. It isn't easy or cheap.
> 
> No. You are just handwaving/postponing the problem using something unknown
> that is not yet shown as a workable code. Anything that can be disabled via
> kernel config option cannot be an alternative.
> 
Uhmmm, loadable LSM modules if they ever happen will have a kernel config.
If not distros will carry a patch just like they have for unprivileged
user namespaces. Trying to force distros to allow out of tree code just
isn't going to work.

>    Quoting from https://lkml.kernel.org/r/2225aec6-f0f3-d38e-ee3c-6139a7c25a37@I-love.SAKURA.ne.jp
>    > Like Paul Moore said
>    >
>    >   However, I will caution that it is becoming increasingly difficult for people
>    >   to find time to review potential new LSMs so it may a while to attract sufficient
>    >   comments and feedback.
>    >
>    > , being unable to legally use loadable LSMs deprives of chances to develop/try
>    > new LSMs, and makes LSM interface more and more unattractive. The consequence
>    > would be "The LSM interface is dead. We will give up implementing as LSMs."
> 
> The biggest problem is that quite few developers show interest in loadable LSM modules.
> How many developers responded to this topic? Once the ability to allow loadable LSM
> modules is technically lost, nobody shall be able to revive it. You will be happy with
> ignoring poor people.
> 
> You are already and completely trapped into "only in-tree and supported by distributors
> is correct" crap.
> 

no, Casey is not. He is trying to find a path forward to get LSM
stacking upstream sooner than later. He has made proposals that
admittedly you have not liked, but he has at least tried to propose
ideas that could work within the insane set of constraints.

>> Of course the upstream kernel isn't going to have LSM IDs for out-of-tree
>> security modules. That's one of many reasons loadable modules are going to
>> have to be treated differently from built-in modules, if they're allowed
>> at all.
> 
> Then, I have to hate your idea of having fixed sized array.
> 
> Nacked-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
> 