[RFC] LSM deprecation / removal policies

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Wed May 7 11:06:01 UTC 2025 

On 2025/05/06 6:53, Song Liu wrote:
> On Sat, May 3, 2025 at 4:47 AM Tetsuo Handa
> <penguin-kernel at i-love.sakura.ne.jp> wrote:
>>
>> On 2025/05/03 5:01, Paul Moore wrote:
>>> ## Removing LSM Hooks
>>>
>>> If a LSM hook is no longer used by any in-kernel LSMs, there is no ongoing work
>>> in progress involving the hook, and no expectation of future work that will use
>>> the hook, the LSM community may consider removal of the LSM hook.  The decision
>>> to ultimately remove the LSM hook should balance ongoing maintenance and
>>> performance concerns with the social challenges of reintroducing the hook if
>>> it is needed at a later date.
>>
>> What about BPF-based LSM users? Since BPF-based LSMs cannot be in-kernel LSMs,
>> it will be difficult for users of BPF-based LSMs to respond (that someone wants
>> some to-be-removed LSM hook) when removal of an LSM hook is proposed.
> 
> If a LSM hook is important for an out-of-tree BPF LSM solution, the owner can
> add a BPF selftest for this specific hook. This does not guarantee the hook will
> stay, but it can most likely detect unintentional removal of LSM hooks.
> 

The problem is that the owner out-of-tree BPF LSM solution cannot join the
discussion about LSM hooks being modified/removed. That is, out-of-tree BPF
LSMs will be forced to stay as unstable as out-of-tree non-BPF LSMs.



On 2025/05/06 5:58, Paul Moore wrote:
> On Sat, May 3, 2025 at 1:09 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> That's dangerously close to suggesting that the LSM hook list is an external API.
>> It would be really inconvenient if hooks could never change or go away.
> 
> Unfortunately, this is one of the challenges that out-of-tree LSMs are
> going to face.  As Casey already mentioned, LSM hooks are not part of
> the kernel's userspace API and thus not part of the "don't break
> userspace" edict.

Due to the difficulty of making non-BPF LSMs in-tree due to the "patent examination"
( https://lkml.kernel.org/r/5b09909b-fe43-4a9c-b9a7-2e1122b2cdb6@I-love.SAKURA.ne.jp ),
I don't think it is fair to assert

  LSM hooks are not part of the kernel's userspace API and thus not part of
  the "don't break userspace" edict

without granting all (I mean, both in-tree and out-of-tree, and both BPF-based
and non BPF-based) LSM users the right to join the discussion and comment on
LSM hook changes.

More information about the Linux-security-module-archive mailing list