[PATCH] LSM: allow loadable kernel module based LSM modules

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Sat Sep 7 13:41:19 UTC 2024


On 2024/09/06 23:24, Paul Moore wrote:
> I've already recorded your NACK on several patches on two of the four
> static call commits, if you like I can add it to the other two please
> let me know and I'll be sure to do that.  I've recorded your NACKs on
> other patches in the past and mentioned those NACKs to Linus when
> sending the pull request, and I will do so again during this upcoming
> merge window.

Adding Nacked-by: lines is not an indulgence for ignoring my concerns.
Commit f3b8788cde61 ("LSM: Identify modules by more than name") is an example
you added Nacked-by: line without adding hints for why I nacked it (e.g.
links to my posts).

  LSM: Identify modules by more than name

  Create a struct lsm_id to contain identifying information about Linux
  Security Modules (LSMs). At inception this contains the name of the
  module and an identifier associated with the security module.  Change
  the security_add_hooks() interface to use this structure.  Change the
  individual modules to maintain their own struct lsm_id and pass it to
  security_add_hooks().

  The values are for LSM identifiers are defined in a new UAPI
  header file linux/lsm.h. Each existing LSM has been updated to
  include it's LSMID in the lsm_id.

  The LSM ID values are sequential, with the oldest module
  LSM_ID_CAPABILITY being the lowest value and the existing modules
  numbered in the order they were included in the main line kernel.
  This is an arbitrary convention for assigning the values, but
  none better presents itself. The value 0 is defined as being invalid.
  The values 1-99 are reserved for any special case uses which may
  arise in the future. This may include attributes of the LSM
  infrastructure itself, possibly related to namespacing or network
  attribute management. A special range is identified for such attributes
  to help reduce confusion for developers unfamiliar with LSMs.

  LSM attribute values are defined for the attributes presented by
  modules that are available today. As with the LSM IDs, The value 0
  is defined as being invalid. The values 1-99 are reserved for any
  special case uses which may arise in the future.

How can people (or Linus) find why I nacked it from patch description of that commit?
The reason is partially explained in commit 063a7ce32ddc ("Merge tag 'lsm-pr-20240105'
of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm"), but is not accurate.

  - Add three new syscalls: lsm_list_modules(), lsm_get_self_attr(), and
    lsm_set_self_attr().

    The first syscall simply lists the LSMs enabled, while the second and
    third get and set the current process' LSM attributes. Yes, these
    syscalls may provide similar functionality to what can be found under
    /proc or /sys, but they were designed to support multiple,
    simultaneaous (stacked) LSMs from the start as opposed to the current
    /proc based solutions which were created at a time when only one LSM
    was allowed to be active at a given time.

    We have spent considerable time discussing ways to extend the
    existing /proc interfaces to support multiple, simultaneaous LSMs and
    even our best ideas have been far too ugly to support as a kernel
    API; after +20 years in the kernel, I felt the LSM layer had
    established itself enough to justify a handful of syscalls.

    Support amongst the individual LSM developers has been nearly
    unanimous, with a single objection coming from Tetsuo (TOMOYO) as he
    is worried that the LSM_ID_XXX token concept will make it more
    difficult for out-of-tree LSMs to survive. Several members of the LSM
    community have demonstrated the ability for out-of-tree LSMs to
    continue to exist by picking high/unused LSM_ID values as well as
    pointing out that many kernel APIs rely on integer identifiers, e.g.
    syscalls (!), but unfortunately Tetsuo's objections remain.

    My personal opinion is that while I have no interest in penalizing
    out-of-tree LSMs, I'm not going to penalize in-tree development to
    support out-of-tree development, and I view this as a necessary step
    forward to support the push for expanded LSM stacking and reduce our
    reliance on /proc and /sys which has occassionally been problematic
    for some container users. Finally, we have included the linux-api
    folks on (all?) recent revisions of the patchset and addressed all of
    their concerns.

I am not against about having LSM ID itself. I am against about the fact
that out-of-tree LSM modules cannot have stable LSM ID. Commit f3b8788cde61
wants to assign LSM ID sequentially whereas those who demonstrated me
suggests assigning LSM ID non-sequentially and pushes the burden of
managing collision to out-of-tree LSM modules. As a result, out-of-tree
LSM modules cannot start using userspace tools which rely on LSM ID.
Rewriting userspace tools when that out-of-tree LSM module succeeded
becoming in-tree is a penalty, for it breaks existing userspace tools
and also remains the risk of old LSM ID being reused by unrelated LSM
module.

The fact that out-of-tree LSM modules cannot have stable LSM ID penalizes
out-of-tree LSMs due to the risk of collision, and making it difficult for
Linux users to find LSMs they want because Linux users cannot know what
LSMs are available in the world. That is not a good usage of identifiers.

I suggested you that the LSM community should allow assigning stable LSM ID
to any LSM as long as that LSM is available to anybody, and serve as index
for helping people to find LSMs that match their needs.

Paul, where did you explain above when you sent pull request to Linus?
Linus, did you understand why I nacked it from that pull request from Paul?




More information about the Linux-security-module-archive mailing list