Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering

From: Mickaël Salaün
Date: Mon Nov 07 2022 - 14:37:37 EST

Next message: Dmitry Torokhov: "Re: [PATCH] Input: joystick - fix Kconfig warning for JOYSTICK_ADC"
Previous message: Edgecombe, Rick P: "Re: [PATCH v3 04/37] x86/cpufeatures: Enable CET CR4 bit for shadow stack"
In reply to: Casey Schaufler: "Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 07/11/2022 18:21, Casey Schaufler wrote:

On 11/7/2022 4:35 AM, Mickaël Salaün wrote:

On 04/11/2022 18:20, Casey Schaufler wrote:

On 11/4/2022 9:29 AM, Mickaël Salaün wrote:

On 18/10/2022 21:31, Paul Moore wrote:

On Tue, Oct 18, 2022 at 1:55 AM Kees Cook <keescook@xxxxxxxxxxxx>
wrote:

On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:

[...]

We can have defaults, like we do know, but I'm in no hurry to remove
the ability to allow admins to change the ordering at boot time.

My concern is with new LSMs vs the build system. A system builder
will
be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
about making changes to CONFIG_LSM to include it.

I would argue that if an admin/builder doesn't understand what a shiny
new LSM does, they shouldn't be enabling that shiny new LSM. Adding
new, potentially restrictive, controls to your kernel build without a
basic understanding of those controls is a recipe for disaster and I
try to avoid recommending disaster as a planned course of action :)

It depends on what this shiny new LSMs do *by default*. In the case of
Landlock, it do nothing unless a process does specific system calls
(same as for most new kernel features: sysfs entries, syscall flags…).
I guess this is the same for most LSMs.

"By default" is somewhat ambiguous. Smack will always enforce its
basic policy. If files aren't labeled and the Smack process label
isn't explicitly set there won't be any problems. However, if files
have somehow gotten labels assigned and there are no rules defined
things can go sideways.

Right, it should then mean without effect whatever kernel-mediated
persistent data (e.g. FS's xattr), but I agree that the limit with an
explicit configuration can be blurry. I guess we could explicitly mark
LSMs with a property that specify if they consider safe (for the
system) to be implicitly enabled without explicit run time configuration.

In the Smack example, the system would be "safe" from the standpoint
of system security policy. It might not "work", because the enforcement
could prevent expected access. There is no simple way to identify if an
LSM is going to need configuration, and can be counted on having it, at
initialization. It's up to the LSM to decide what to do if it isn't
properly initialized.

I agree, I was thinking about "working" (without specific security contract). I was suggesting to create a dedicated field in the DEFINE_LSM struct to identify if the LSM needs a proper initialization (which is not the case for Yama, Landlock, BPF, and probably others).

Next message: Dmitry Torokhov: "Re: [PATCH] Input: joystick - fix Kconfig warning for JOYSTICK_ADC"
Previous message: Edgecombe, Rick P: "Re: [PATCH v3 04/37] x86/cpufeatures: Enable CET CR4 bit for shadow stack"
In reply to: Casey Schaufler: "Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]