LSM stacking in next for 6.1?

John Johansen john.johansen at canonical.com
Wed Sep 7 17:23:33 UTC 2022


On 9/7/22 09:41, Casey Schaufler wrote:
> On 9/7/2022 7:41 AM, Paul Moore wrote:
>> On Tue, Sep 6, 2022 at 8:10 PM John Johansen
>> <john.johansen at canonical.com> wrote:
>>> On 9/6/22 16:24, Paul Moore wrote:
>>>> On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>>>>> On 9/2/2022 2:30 PM, Paul Moore wrote:
>>>>>> On Tue, Aug 2, 2022 at 8:56 PM Paul Moore <paul at paul-moore.com> wrote:
>>>>>>> On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> ..
>>
>>>> If you are running AppArmor on the host system and SELinux in a
>>>> container you are likely going to have some *very* bizarre behavior as
>>>> the SELinux policy you load in the container will apply to the entire
>>>> system, including processes which started *before* the SELinux policy
>>>> was loaded.  While I understand the point you are trying to make, I
>>>> don't believe the example you chose is going to work without a lot of
>>>> other changes.
>>> correct but the reverse does work ...
>> Sure, that doesn't surprise me, but that isn't the example Casey brought up.
> 
> I said that I'm not sure how they go about doing Android on Ubuntu.
> I brought it up because I've seen it.
> 

LSM stacking for that use case is necessary but insufficient. At a minimum
SELinux would need bounding, and realistically some other gymnastics. I
don't hold out hope of it happening soon, if ever. I have told the anbox people
such. At the moment anbox disables SELinux when run in a container:

https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6ae3c120c602974edf8322

There has been work on using a VM instead so that they can have SELinux,
but I am not current on how/when that is used.

Where Canonical is interested in LSM stacking is running snaps with apparmor
confinement on top of SELinux distros. I know snaps aren't popular but it is
a much more realistic and attainable use case for LSM stacking.