lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9802466.KDjcZ61qbX@sifl>
Date:	Wed, 27 Feb 2013 11:43:01 -0500
From:	Paul Moore <pmoore@...hat.com>
To:	Casey Schaufler <casey@...aufler-ca.com>
Cc:	netdev@...r.kernel.org, linux-security-module@...r.kernel.org,
	selinux@...ho.nsa.gov, Andy King <acking@...are.com>,
	Gerd Hoffmann <kraxel@...hat.com>,
	Eric Paris <eparis@...hat.com>
Subject: Re: LSM stacking and the network access controls

On Tuesday, February 26, 2013 03:12:31 PM Casey Schaufler wrote:
> On 2/26/2013 1:21 PM, Paul Moore wrote:
> > On Monday, February 25, 2013 03:06:14 PM Casey Schaufler wrote:
> >> The set of LSMs, the order they are invoked, which LSM
> >> uses /proc/.../attr/current and which LSM uses Netlabel,
> >> XFRM and secmark are all determined by Kconfig. You can
> >> specify a limited set of LSMs using security= at boot,
> >> but not the networking configuration.
> > 
> > That's unfortunate.  I'm _really_ not in favor of that, I would much
> > rather see the non-shared LSM functionality assigned at the same time as
> > the stacking order.  I'm not sure I'd NACK the current approach, or even\
> > if anyone would care that I did, but that is how I'm currently leaning
> > with this split (build vs runtime) selection.
> 
> I'm not against that approach. How would you see it working?
> 
> The distro compiles in all the LSMs.
> They specify that SELinux gets xfrm and secmark.
> They specify the Smack gets Netlabel.
> They tell (the new and improved) AppArmor to eschew networking.
> They specify a boot order of "selinux,smack,apparmor,yama"
> (They left off tomoyo for tax purposes).
> 
> On the boot line, the user types "security=apparmor".
> 
> What should happen?

Okay, I misunderstood what was specified at boot time; I thought the stacking 
order could be defined at boot but based on your example I'm guessing the 
stacking order is defined at compile time and you can only enable/disable LSMs 
at boot?

> >> Tetsuo is lobbying for loadable security modules. I am
> >> doing my best to leave everything in a state where some
> >> soul braver than I might pick that up after I'm done.
> >> I do not have any intention of supporting on the fly
> >> or heuristically determined networking.
> > 
> > Well, if that is the case I think the first-come-first-served approach to
> > the non-shared functionality probably makes the most sense.  I understand
> > why it might not be ideal in ever situation but it is predictable.
> 
> Would you have the same opinion if SELinux were last, instead of first?

Yes.

In fact, considering the example above, and also assuming I'm understanding it 
correctly, I think I am more in favor of the first-come-first-served approach 
since you can enable/disable LSMs at boot.  Imagine if you gave one LSM all 
the non-shared functionality but disabled it at boot in favor of another LSM 
which could make use of some of this functionality but was denied due to the 
compile time option.  This seems much more useful to me.

> >>>> I'm trying not to make too many architectural changes to the
> >>>> code around the LSM mechanism itself. I don't see that as cost
> >>>> effective or likely to be popular. If the implication of that is
> >>>> that there are certain configurations that are unsupportable but
> >>>> that have plausible alternatives I think it will do for phase I.
> >>> 
> >>> That statement is vague enough that I can't really say yes or no to it,
> >>> but I will stick by my previous comments about the network access
> >>> controls.
> >> 
> >> Ah. I want to create a useful system. I want to create it
> >> reasonably short order. I am willing to forgo supporting
> >> some configuration options to reduce the project time. In
> >> particular, I hope to avoid mucking up other people's code
> >> as that is a sure fire way to bog a project down.
> > 
> > Usefulness is paramount of course
> 
> Agreed
> 
> > and quickness is nice,
> 
> If it drags on too long the boss gets cranky. And "labelled" NFSv4.2
> gets done. And the list macros get reworked. And ....
> 
> > but I do think it takes a back seat to "the right solution".
> 
> If I had two years and didn't have to worry about anyone else's
> changes and weren't beholden to retaining some of the past's more
> interesting design choices I'd be more concerned about "right" than
> "good".
> 
> > We're all going to have to live with this f-o-r-e-v-e-r,
> 
> Assuming it gets adopted. It will have to be good enough for that.
> There is no guarantee on that.
> 
> > or at least what will surely seem like it, so I'd much rather we take the
> > time to make sure we beat out as much ugly as we can before it is merged.
> 
> I'm with you there. I just hope the ugly hasn't been lifting weights.

February is "fitness month".

-- 
paul moore
security and virtualization @ redhat

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ