Message-ID: <CAGXu5jL0YzgQR_p9otyOX4+00a0i7Tfv9aLqauZFZs4-Kfjakg@mail.gmail.com>
Date: Wed, 27 Mar 2019 14:43:40 -0700
From: Kees Cook <keescook@...omium.org>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: James Morris <jmorris@...ei.org>,
Randy Dunlap <rdunlap@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
Jakub Kicinski <jakub.kicinski@...ronome.com>
Subject: Re: Linux 5.1-rc2

On Wed, Mar 27, 2019 at 2:05 PM Tetsuo Handa
<penguin-kernel@...ove.sakura.ne.jp> wrote:
>
> On 2019/03/28 5:45, Kees Cook wrote:
> > On Wed, Mar 27, 2019 at 1:30 PM Tetsuo Handa
> > <penguin-kernel@...ove.sakura.ne.jp> wrote:
> >>
> >> On 2019/03/28 4:16, Kees Cook wrote:
> >>> The part I don't understand is what you've said about TOMOYO being
> >>> primary and not wanting the others stackable? That kind of goes
> >>> against the point, but I'm happy to do that if you want it that way.
> >>
> >> Automatically enabling multiple legacy major LSMs might result in confusion like
> >> Jakub encountered.
> >
> > The confusion wasn't multiple enabled: it was a change of what was
> > enabled (due to ignoring the old config). (My very first suggested
> > patch fixed this...)
>
> Someone else might get confused when TOMOYO is automatically enabled
> even though they did not specify TOMOYO in lsm= or security= or CONFIG_LSM.
>
> >
> >> For a few releases from 5.1 (about one year or so?), since
> >> CONFIG_DEFAULT_SECURITY_* will be ignored after CONFIG_LSM is once defined in
> >> their kernel configs, I guess that it is better not to enable TOMOYO automatically
> >> until most people complete migrating from CONFIG_DEFAULT_SECURITY_* to CONFIG_LSM
> >> and get used to using lsm= kernel command line option rather than security= kernel
> >> command line option.
> >
> > It sounds like you want TOMOYO to stay an exclusive LSM? Should we
> > revert a5e2fe7ede12 ("TOMOYO: Update LSM flags to no longer be
> > exclusive") instead? (I'm against this idea, but defer to you. I think
> > it should stay stackable since the goal is to entirely remove the
> > concept of exclusive LSMs.)
>
> I never want to revert a5e2fe7ede12. For the transition period, I just don't
> want to automatically enable TOMOYO when people did not specify TOMOYO.
>
> >
> > I don't see problems for an exclusive LSM user (AA, SELinux, Smack)
> > also initializing TOMOYO, though. It should be a no-op. Is there some
> > situation where this is not true?
>
> There should be no problem except some TOMOYO messages are printed.

Okay, so I should send my latest version of the patch to James? Or do
you explicitly want TOMOYO removed from all the CONFIG_LSM default
lines except when selected by CONFIG_DEFAULT_SECURITY_TOMOYO? (I worry
the latter will lead to less testing of the stacking.)
--
Kees Cook