Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering
From: Mickaël Salaün
Date: Mon Nov 07 2022 - 07:35:17 EST
On 04/11/2022 18:20, Casey Schaufler wrote:
On 11/4/2022 9:29 AM, Mickaël Salaün wrote:
On 18/10/2022 21:31, Paul Moore wrote:
On Tue, Oct 18, 2022 at 1:55 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:
[...]
We can have defaults, like we do know, but I'm in no hurry to remove
the ability to allow admins to change the ordering at boot time.
My concern is with new LSMs vs the build system. A system builder will
be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
about making changes to CONFIG_LSM to include it.
I would argue that if an admin/builder doesn't understand what a shiny
new LSM does, they shouldn't be enabling that shiny new LSM. Adding
new, potentially restrictive, controls to your kernel build without a
basic understanding of those controls is a recipe for disaster and I
try to avoid recommending disaster as a planned course of action :)
It depends on what this shiny new LSMs do *by default*. In the case of
Landlock, it do nothing unless a process does specific system calls
(same as for most new kernel features: sysfs entries, syscall flags…).
I guess this is the same for most LSMs.
"By default" is somewhat ambiguous. Smack will always enforce its
basic policy. If files aren't labeled and the Smack process label
isn't explicitly set there won't be any problems. However, if files
have somehow gotten labels assigned and there are no rules defined
things can go sideways.
Right, it should then mean without effect whatever kernel-mediated
persistent data (e.g. FS's xattr), but I agree that the limit with an
explicit configuration can be blurry. I guess we could explicitly mark
LSMs with a property that specify if they consider safe (for the system)
to be implicitly enabled without explicit run time configuration.