Re: Is there mailist about LSM

2018-05-31 Thread Alexander Ivanov
Thibaut,

On Thu, 31 May 2018 23:11 +0200, Thibaut Sautereau  wrote:
> Hi Alexander,
> 
> On Wed, May 30, 2018 at 03:10:37PM -0700, Alexander Ivanov wrote:
> > I do not need blobs, as I said; it's stateless.
> > The question was how to register a subset of hooks that may overlap
> > with another module(s).
> 
> I wrote two articles on my blog last year to sum up what I had learned
> when digging into the LSM world in order to create one, as I had trouble
> finding recent enough documentation. They might answer some of your
> questions.
> 
> Here's the link to the second one (which also points to the first):
> https://thibaut.sautereau.fr/2017/06/02/linux-security-modules-part-2/
> 
> Of course, any questions or feedback are welcome ;)
> 

Thanks, it's very helpful!

> 
> Thibaut


-- 
  Alexander Ivanov
  amiva...@fastmail.com

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies


Re: Is there mailist about LSM

2018-05-31 Thread Thibaut Sautereau
Hi Alexander,

On Wed, May 30, 2018 at 03:10:37PM -0700, Alexander Ivanov wrote:
> I do not need blobs, as I said; it's stateless.
> The question was how to register a subset of hooks that may overlap
> with another module(s).

I wrote two articles on my blog last year to sum up what I had learned
when digging into the LSM world in order to create one, as I had trouble
finding recent enough documentation. They might answer some of your
questions.

Here's the link to the second one (which also points to the first):
https://thibaut.sautereau.fr/2017/06/02/linux-security-modules-part-2/

Of course, any questions or feedback are welcome ;)


Thibaut



Re: Is there mailist about LSM

2018-05-31 Thread Alexander Ivanov
On Thu, 31 May 2018 08:22 +0300, Ozgur Kara  wrote:
> 
> Hi all,
> 
> @Valdis and @Ivanov, you can see the new LSM list archive; Paul Moore helped.
> Thanks, dear Paul.
> 
> http://kernsec.org/pipermail/linux-security-module-archive/
> 

Thanks a lot, Ozgur and Paul!


> Regards
> 
> Ozgur
> 
> 31.05.2018, 01:12, "Alexander Ivanov" :
> > On Wed, 30 May 2018 14:26 -0400, valdis.kletni...@vt.edu wrote:
> >>  On Wed, 30 May 2018 11:13:31 -0700, Alexander Ivanov said:
> >>
> >>  > > There's some support for one "large" LSM and a "trivial" one like yama.
> >>  >
> >>  > What would this "some support" be, then?
> >>
> >>  Basically, there's a pointer for an LSM-private blob, and no support
> >>  for a chain of blobs.
> >
> > I do not need blobs, as I said; it's stateless.
> > The question was how to register a subset of hooks that may overlap with
> > another module(s).
> >
> >>  > Suppose I have a stateless LSM and am not really interested in using any
> >>  > objects' blobs.
> >>
> >>  Congrats. You just re-invented YAMA. :)
> >
> > Exactly! Isn't learn-and-reuse a good Linux approach ;)
> >
> 


-- 
  Alexander Ivanov
  amiva...@fastmail.com



Re: Is there mailist about LSM

2018-05-30 Thread Ozgur Kara

Hi all,

@Valdis and @Ivanov, you can see the new LSM list archive; Paul Moore helped.
Thanks, dear Paul.

http://kernsec.org/pipermail/linux-security-module-archive/

Regards

Ozgur

31.05.2018, 01:12, "Alexander Ivanov" :
> On Wed, 30 May 2018 14:26 -0400, valdis.kletni...@vt.edu wrote:
>>  On Wed, 30 May 2018 11:13:31 -0700, Alexander Ivanov said:
>>
>>  > > There's some support for one "large" LSM and a "trivial" one like yama.
>>  >
>>  > What would this "some support" be, then?
>>
>>  Basically, there's a pointer for an LSM-private blob, and no support
>>  for a chain of blobs.
>
> I do not need blobs, as I said; it's stateless.
> The question was how to register a subset of hooks that may overlap with
> another module(s).
>
>>  > Suppose I have a stateless LSM and am not really interested in using any
>>  > objects' blobs.
>>
>>  Congrats. You just re-invented YAMA. :)
>
> Exactly! Isn't learn-and-reuse a good Linux approach ;)
>



Re: Is there mailist about LSM

2018-05-30 Thread Greg KH
On Wed, May 30, 2018 at 09:13:46PM +0300, Ozgur Kara wrote:
> 
> 
> 30.05.2018, 21:08, "valdis.kletni...@vt.edu" :
> > On Wed, 30 May 2018 10:37:25 -0700, you said:
> >
> >>  First, theoretical, I suppose: what were the reasons to effectively
> >>  disable dynamic loading of LSM?
> >
> > Because that implies the system was up without the LSM loaded - at which
> > point somebody can have tampered with whatever labelling the LSM uses. So we
> > insist that the LSM be brought online very early during the boot process,
> > to make sure that the LSM has a chance to stop any unauthorized relabeling.
> >
> >>  Second, is there a way for two or more LSMs to co-exist? After inspecting
> >>  security_module_enable() and register_security(), it doesn't seem
> >>  possible, however yama does attempt to load itself? Am I missing something?
> >
> > There's some support for one "large" LSM and a "trivial" one like yama.
> > There's very real and nasty interactions if you try to run (for instance)
> > SELinux and AppArmor at the same time. The composition of multiple
> > MAC systems is fraught with danger (go back and look at how long it took
> > us to get file capabilities to work right...)
> 
> SELinux and AppArmor are completely disappointing.
> Really.

Fair enough, you are free to create a competing LSM.  This is the very
reason that the interface was made in the first place.  Because no one
can decide what the "best" security model is for everyone else.

Thanks for proving the design decision was a correct one :)

greg k-h



Re: Is there mailist about LSM

2018-05-30 Thread valdis . kletnieks
On Wed, 30 May 2018 11:13:31 -0700, Alexander Ivanov said:

> > There's some support for one "large" LSM and a "trivial" one like yama.
>
> What would this "some support" be, then?

Basically, there's a pointer for an LSM-private blob, and no support
for a chain of blobs.

> Suppose I have a stateless LSM and am not really interested in using any
> objects' blobs.

Congrats. You just re-invented YAMA. :)


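As an added illustration (not code from this thread or from the kernel), a userspace C model of the hook composition Valdis describes: each hook has a single list head that any module may append to, which is how a stateless "trivial" LSM in the spirit of Yama registers a hook that a "large" LSM already claims, and why a denial from either one stands. The two policies, the uid values and the `register_modules()` helper are constructed for the example; the single per-object blob pointer, which is not chained, is deliberately not modelled.

```c
/* Constructed userspace model (not kernel code) of how the 4.17-era LSM
 * framework composes hooks: each hook has one list head that any module may
 * append to, so a stateless "minor" module can register a hook a "major" one
 * already claims.  Integer hooks run in registration order and the first
 * non-zero return (a denial) ends the chain; blobs are not modelled. */
#include <errno.h>
#include <stddef.h>

#define PTRACE_MODE_READ   1u   /* values as in the kernel's ptrace.h */
#define PTRACE_MODE_ATTACH 2u
struct hook_list {
    struct hook_list *next;
    struct hook_list **head;        /* the per-hook list this entry joins */
    union { int (*ptrace_access_check)(int caller, int target, unsigned mode); } hook;
    const char *lsm;
};
/* One list head per hook, in the spirit of security_hook_heads. */
static struct { struct hook_list *ptrace_access_check; } heads;
#define HOOK_INIT(HEAD, FN) { .head = &heads.HEAD, .hook = { .HEAD = FN } } /* LSM_HOOK_INIT */

/* security_add_hooks() analogue: entries are appended, never replaced, so two
 * modules registering the same hook are simply both called. */
static void add_hooks(struct hook_list *hooks, int count, const char *lsm)
{
    for (int i = 0; i < count; i++) {
        struct hook_list **pp = hooks[i].head;
        hooks[i].lsm = lsm;
        hooks[i].next = NULL;
        while (*pp)
            pp = &(*pp)->next;
        *pp = &hooks[i];
    }
}

/* call_int_hook semantics: any module may deny, none can override a denial. */
int security_ptrace_access_check(int caller, int target, unsigned mode)
{
    for (struct hook_list *p = heads.ptrace_access_check; p; p = p->next) {
        int rc = p->hook.ptrace_access_check(caller, target, mode);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* "Major" module, constructed policy: only same-uid tracing. */
static int major_ptrace(int caller, int target, unsigned mode)
{ (void)mode; return caller == target ? 0 : -EPERM; }
static struct hook_list major_hooks[] = { HOOK_INIT(ptrace_access_check, major_ptrace) };

/* Stateless "minor" module, constructed policy needing no per-object blob:
 * no PTRACE_ATTACH unless the caller is root, whatever the major one allowed. */
static int minor_ptrace(int caller, int target, unsigned mode)
{ (void)target; return (mode & PTRACE_MODE_ATTACH) && caller != 0 ? -EPERM : 0; }
static struct hook_list minor_hooks[] = { HOOK_INIT(ptrace_access_check, minor_ptrace) };

/* Hypothetical boot-time registration, run once as security_init() would. */
void register_modules(void)
{
    static int done;
    if (done++) return;
    add_hooks(major_hooks, 1, "major");
    add_hooks(minor_hooks, 1, "minor");
}
```

After `register_modules()`, uid 1000 may still read itself but not attach to itself (the minor module denies), and root may not attach to uid 1000 (the major module denies).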


Re: Is there mailist about LSM

2018-05-30 Thread valdis . kletnieks
On Wed, 30 May 2018 21:09:59 +0300, Ozgur Kara said:

> I think the list is active but the archive has not been kept since 2015.
> Please visit:
>
> https://www.mail-archive.com/linux-security-module@vger.kernel.org/

Somebody needs to fix the info on vger that points to spinics then ;)




Re: Is there mailist about LSM

2018-05-30 Thread Alexander Ivanov



On Wed, 30 May 2018 20:12 +0200, Greg KH  wrote:
> On Wed, May 30, 2018 at 10:37:25AM -0700, Alexander Ivanov wrote:
> > On Wed, 30 May 2018 13:25 -0400, valdis.kletni...@vt.edu wrote:
> > > What question do you have about it?
> > 
> > There are a couple, actually :)
> > First, theoretical, I suppose: what were the reasons to effectively
> > disable dynamic loading of LSM ?
> 
> This was discussed loads when LSM was first created.  I'll leave this as
> an exercise for the reader, how would you properly unload a LSM?  Think
> about what a LSM does to lots and lots of different objects in the
> kernel...
> 
> > Second, is there a way for two or more LSMs to co-exist? After
> > inspecting security_module_enable() and register_security(), it
> > doesn't seem possible, however yama does attempt to load itself? Am I
> > missing something?
> 
> Again, this is discussed all the time.  Search for "stackable LSM" and
> you should find lots of threads about the problems involved, how people
> are considering solving them, and what workarounds are currently in
> place to allow some LSM to do this today.
> 
> I think google is your friend here, read the mailing list archives, it
> has all of this information there already.
> 
Thanks, Greg. That is what my original question was about: the proper mailing list.
It is indeed very useful to learn the evolution of the framework; there are some
constraints that make some of the knowledge irrelevant. Say, I have to develop a
'minor' LSM for a certain kernel version.

thx!



Re: Is there mailist about LSM

2018-05-30 Thread Ozgur Kara


30.05.2018, 21:08, "valdis.kletni...@vt.edu" :
> On Wed, 30 May 2018 10:37:25 -0700, you said:
>
>>  First, theoretical, I suppose: what were the reasons to effectively disable
>>  dynamic loading of LSM?
>
> Because that implies the system was up without the LSM loaded - at which point
> somebody can have tampered with whatever labelling the LSM uses. So we
> insist that the LSM be brought online very early during the boot process,
> to make sure that the LSM has a chance to stop any unauthorized relabeling.
>
>>  Second, is there a way for two or more LSMs to co-exist? After inspecting
>>  security_module_enable() and register_security(), it doesn't seem possible,
>>  however yama does attempt to load itself? Am I missing something?
>
> There's some support for one "large" LSM and a "trivial" one like yama.
> There's very real and nasty interactions if you try to run (for instance)
> SELinux and AppArmor at the same time. The composition of multiple
> MAC systems is fraught with danger (go back and look at how long it took
> us to get file capabilities to work right...)

SELinux and AppArmor are completely disappointing.
Really.

>



Re: Is there mailist about LSM

2018-05-30 Thread Alexander Ivanov


On Wed, 30 May 2018 14:05 -0400, valdis.kletni...@vt.edu wrote:
> On Wed, 30 May 2018 10:37:25 -0700, you said:
> 
> > First, theoretical, I suppose: what were the reasons to effectively disable
> > dynamic loading of LSM?
> 
> Because that implies the system was up without the LSM loaded - at which
> point somebody can have tampered with whatever labelling the LSM uses.  So we
> insist that the LSM be brought online very early during the boot process,
> to make sure that the LSM has a chance to stop any unauthorized relabeling.
> 
Understood. It thus implies a custom kernel build, right?


> > Second, is there a way for two or more LSMs to co-exist? After inspecting
> > security_module_enable() and register_security(), it doesn't seem possible,
> > however yama does attempt to load itself? Am I missing something?
> 
> There's some support for one "large" LSM and a "trivial" one like yama.

What would this "some support" be, then?
Suppose I have a stateless LSM and am not really interested in using any
objects' blobs.
What would be a proper way to register a hook or two then?

> There's very real and nasty interactions if you try to run (for instance)
> SELinux and AppArmor at the same time. The composition of multiple
> MAC systems is fraught with danger (go back and look at how long it took
> us to get file capabilities to work right...)

thx!



Re: Is there mailist about LSM

2018-05-30 Thread Greg KH
On Wed, May 30, 2018 at 10:37:25AM -0700, Alexander Ivanov wrote:
> On Wed, 30 May 2018 13:25 -0400, valdis.kletni...@vt.edu wrote:
> > What question do you have about it?
> 
> There are a couple, actually :)
> First, theoretical, I suppose: what were the reasons to effectively
> disable dynamic loading of LSM ?

This was discussed loads when LSM was first created.  I'll leave this as
an exercise for the reader, how would you properly unload a LSM?  Think
about what a LSM does to lots and lots of different objects in the
kernel...

> Second, is there a way for two or more LSMs to co-exist? After
> inspecting security_module_enable() and register_security(), it
> doesn't seem possible, however yama does attempt to load itself? Am I
> missing something?

Again, this is discussed all the time.  Search for "stackable LSM" and
you should find lots of threads about the problems involved, how people
are considering solving them, and what workarounds are currently in
place to allow some LSM to do this today.

I think google is your friend here, read the mailing list archives, it
has all of this information there already.

good luck!

greg k-h



Re: Is there mailist about LSM

2018-05-30 Thread Ozgur Kara


30.05.2018, 21:03, "valdis.kletni...@vt.edu" :
> On Wed, 30 May 2018 19:35:45 +0200, Greg KH said:
>
>>  Really? I just got email from it a few minutes ago:
>
> Gaah. Last in my mail folder is from then, and then I hit the archive
> listed on vger (pointing at spinics), which *also* popped up stuff from 2015...

Hi Valdis,

I think the list is active but the archive has not been kept since 2015.
Please visit:

https://www.mail-archive.com/linux-security-module@vger.kernel.org/

>



Re: Is there mailist about LSM

2018-05-30 Thread valdis . kletnieks
On Wed, 30 May 2018 10:37:25 -0700, you said:

> First, theoretical, I suppose: what were the reasons to effectively disable
> dynamic loading of LSM?

Because that implies the system was up without the LSM loaded - at which point
somebody can have tampered with whatever labelling the LSM uses.  So we
insist that the LSM be brought online very early during the boot process,
to make sure that the LSM has a chance to stop any unauthorized relabeling.

> Second, is there a way for two or more LSMs to co-exist? After inspecting
> security_module_enable() and register_security(), it doesn't seem possible,
> however yama does attempt to load itself? Am I missing something?

There's some support for one "large" LSM and a "trivial" one like yama.
There's very real and nasty interactions if you try to run (for instance)
SELinux and AppArmor at the same time. The composition of multiple
MAC systems is fraught with danger (go back and look at how long it took
us to get file capabilities to work right...)




Re: Is there mailist about LSM

2018-05-30 Thread Ozgur Kara


30.05.2018, 21:02, "Alexander Ivanov" :
> On Wed, 30 May 2018 20:54 +0300, Ozgur Kara  wrote:
>>  30.05.2018, 20:16, "Alexander Ivanov" :
>>  > Hi All,
>>
>>  Hello
>>
>>  > What would be right place to ask questions about LSM?
>>
>>  I think you can ask your questions on the LSM kernel e-mail list:
>>
>>  http://vger.kernel.org/vger-lists.html#linux-security-module
>
> Isn't this list specific to Fedora?

Hello,

No, it's not exclusive to the Fedora distro; that is just the name of the archive.

Regards

Ozgur



Re: Is there mailist about LSM

2018-05-30 Thread valdis . kletnieks
On Wed, 30 May 2018 19:35:45 +0200, Greg KH said:

> Really?  I just got email from it a few minutes ago:

Gaah.  Last in my mail folder is from then, and then I hit the archive
listed on vger (pointing at spinics), which *also* popped up stuff from 2015...




Re: Is there mailist about LSM

2018-05-30 Thread Alexander Ivanov


On Wed, 30 May 2018 20:54 +0300, Ozgur Kara  wrote:
> 30.05.2018, 20:16, "Alexander Ivanov" :
> > Hi All,
> 
> Hello
> 
> > What would be right place to ask questions about LSM?
> 
> I think you can ask your questions on the LSM kernel e-mail list:
> 
> http://vger.kernel.org/vger-lists.html#linux-security-module
> 

Isn't this list specific to Fedora?




Re: Is there mailist about LSM

2018-05-30 Thread Ozgur Kara


30.05.2018, 20:36, "Greg KH" :
> On Wed, May 30, 2018 at 01:25:20PM -0400, valdis.kletni...@vt.edu wrote:
>>  On Wed, 30 May 2018 10:16:13 -0700, Alexander Ivanov said:
>>  > Hi All,
>>  > What would be right place to ask questions about LSM?
>>
>>  linux-security-module 
>>
>>  is where that development was done, but that list was last active in
>>  May 2016 or so.
>
> Really? I just got email from it a few minutes ago:

Hello all,

I think the list has been active the whole time but was not recorded; it was
archived for a while through gmane.
So there is still no archive of the list now.

Regards

Ozgur

> Date: Wed, 30 May 2018 12:28:14 -0400
> Subject: [GIT PULL] SELinux fixes for v4.17 (#2)
> Message-ID: 
> 
>
> And I count at least 300 emails total for this month sent there. So it
> is very active. That's the place to ask questions about LSM and other
> security-related issues.
>
> thanks,
>
> greg k-h
>



Re: Is there mailist about LSM

2018-05-30 Thread Ozgur Kara
30.05.2018, 20:16, "Alexander Ivanov" :
> Hi All,

Hello

> What would be right place to ask questions about LSM?

I think you can ask your questions on the LSM kernel e-mail list:

http://vger.kernel.org/vger-lists.html#linux-security-module

Regards

Ozgur

>



Re: Is there mailist about LSM

2018-05-30 Thread Alexander Ivanov



On Wed, 30 May 2018 13:25 -0400, valdis.kletni...@vt.edu wrote:
> On Wed, 30 May 2018 10:16:13 -0700, Alexander Ivanov said:
> > Hi All,
> > What would be right place to ask questions about LSM?
> 
> linux-security-module 
> 
> is where that development was done, but that list was last active in
> May 2016 or so.
> 
> linux-ker...@vger.kernel.org would be another place to try.

Will try these, thanks!

> 
> What question do you have about it?

There are a couple, actually :)
First, theoretical, I suppose: what were the reasons to effectively disable
dynamic loading of LSM?
Second, is there a way for two or more LSMs to co-exist? After inspecting
security_module_enable() and register_security(), it doesn't seem possible;
however, yama does attempt to load itself? Am I missing something?

thx!



-- 
  Alexander Ivanov
  amiva...@fastmail.com



Re: Is there mailist about LSM

2018-05-30 Thread Greg KH
On Wed, May 30, 2018 at 01:25:20PM -0400, valdis.kletni...@vt.edu wrote:
> On Wed, 30 May 2018 10:16:13 -0700, Alexander Ivanov said:
> > Hi All,
> > What would be right place to ask questions about LSM?
> 
> linux-security-module 
> 
> is where that development was done, but that list was last active in
> May 2016 or so.

Really?  I just got email from it a few minutes ago:

Date: Wed, 30 May 2018 12:28:14 -0400
Subject: [GIT PULL] SELinux fixes for v4.17 (#2)
Message-ID: 


And I count at least 300 emails total for this month sent there.  So it
is very active.  That's the place to ask questions about LSM and other
security-related issues.

thanks,

greg k-h



Re: Is there mailist about LSM

2018-05-30 Thread valdis . kletnieks
On Wed, 30 May 2018 10:16:13 -0700, Alexander Ivanov said:
> Hi All,
> What would be the right place to ask questions about LSM?

linux-security-module 

is where that development was done, but that list was last active in
May 2016 or so.

linux-ker...@vger.kernel.org would be another place to try.

What question do you have about it?




Is there mailist about LSM

2018-05-30 Thread Alexander Ivanov
Hi All,
What would be the right place to ask questions about LSM?
