| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b470bee2-280d-cfa4-1f5c-1381013baa63@digikod.net>
Date: Mon, 7 Nov 2022 20:37:27 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Casey Schaufler <casey@...aufler-ca.com>,
Paul Moore <paul@...l-moore.com>,
Kees Cook <keescook@...omium.org>
Cc: Nicolas Iooss <nicolas.iooss@....org>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default
LSM stack ordering
On 07/11/2022 18:21, Casey Schaufler wrote:
> On 11/7/2022 4:35 AM, Mickaël Salaün wrote:
>>
>> On 04/11/2022 18:20, Casey Schaufler wrote:
>>> On 11/4/2022 9:29 AM, Mickaël Salaün wrote:
>>>>
>>>> On 18/10/2022 21:31, Paul Moore wrote:
>>>>> On Tue, Oct 18, 2022 at 1:55 AM Kees Cook <keescook@...omium.org>
>>>>> wrote:
>>>>>> On Mon, Oct 17, 2022 at 09:45:21PM -0400, Paul Moore wrote:
>>>>
>>>> [...]
>>>>
>>>>>>> We can have defaults, like we do know, but I'm in no hurry to remove
>>>>>>> the ability to allow admins to change the ordering at boot time.
>>>>>>
>>>>>> My concern is with new LSMs vs the build system. A system builder
>>>>>> will
>>>>>> be prompted for a new CONFIG_SECURITY_SHINY, but won't be prompted
>>>>>> about making changes to CONFIG_LSM to include it.
>>>>>
>>>>> I would argue that if an admin/builder doesn't understand what a shiny
>>>>> new LSM does, they shouldn't be enabling that shiny new LSM. Adding
>>>>> new, potentially restrictive, controls to your kernel build without a
>>>>> basic understanding of those controls is a recipe for disaster and I
>>>>> try to avoid recommending disaster as a planned course of action :)
>>>>
>>>> It depends on what this shiny new LSMs do *by default*. In the case of
>>>> Landlock, it do nothing unless a process does specific system calls
>>>> (same as for most new kernel features: sysfs entries, syscall flags…).
>>>> I guess this is the same for most LSMs.
>>>
>>> "By default" is somewhat ambiguous. Smack will always enforce its
>>> basic policy. If files aren't labeled and the Smack process label
>>> isn't explicitly set there won't be any problems. However, if files
>>> have somehow gotten labels assigned and there are no rules defined
>>> things can go sideways.
>>
>> Right, it should then mean without effect whatever kernel-mediated
>> persistent data (e.g. FS's xattr), but I agree that the limit with an
>> explicit configuration can be blurry. I guess we could explicitly mark
>> LSMs with a property that specify if they consider safe (for the
>> system) to be implicitly enabled without explicit run time configuration.
>
> In the Smack example, the system would be "safe" from the standpoint
> of system security policy. It might not "work", because the enforcement
> could prevent expected access. There is no simple way to identify if an
> LSM is going to need configuration, and can be counted on having it, at
> initialization. It's up to the LSM to decide what to do if it isn't
> properly initialized.
I agree, I was thinking about "working" (without specific security
contract). I was suggesting to create a dedicated field in the
DEFINE_LSM struct to identify if the LSM needs a proper initialization
(which is not the case for Yama, Landlock, BPF, and probably others).
Powered by blists - more mailing lists