| Message ID | 20190212182318.GA16669@beast (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] LSM: Ignore "security=" when "lsm=" is specified | expand |
On 2/12/2019 10:23 AM, Kees Cook wrote: > To avoid potential confusion, explicitly ignore "security=" when "lsm=" is > used on the command line, and report that it is happening. > > Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> > Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com> > --- > Documentation/admin-guide/kernel-parameters.txt | 10 ++++------ > security/security.c | 8 ++++++-- > 2 files changed, 10 insertions(+), 8 deletions(-) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 93d2c97f28fe..a0abd5f56e00 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -2340,7 +2340,7 @@ > > lsm=lsm1,...,lsmN > [SECURITY] Choose order of LSM initialization. This > - overrides CONFIG_LSM. > + overrides CONFIG_LSM, and the "security=" parameter. > > machvec= [IA-64] Force the use of a particular machine-vector > (machvec) in a generic kernel. > @@ -4129,11 +4129,9 @@ > Note: increases power consumption, thus should only be > enabled if running jitter sensitive (HPC/RT) workloads. > > - security= [SECURITY] Choose a security module to enable at boot. > - If this boot parameter is not specified, only the first > - security module asking for security registration will be > - loaded. An invalid security module name will be treated > - as if no module has been chosen. > + security= [SECURITY] Choose a legacy "major" security module to > + enable at boot. This has been deprecated by the > + "lsm=" parameter. > > selinux= [SELINUX] Disable or enable SELinux at boot time. > Format: { "0" | "1" } > diff --git a/security/security.c b/security/security.c > index 3147785e20d7..23cbb1a295a3 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -288,9 +288,13 @@ static void __init ordered_lsm_init(void) > ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), > GFP_KERNEL); > > - if (chosen_lsm_order) > + if (chosen_lsm_order) { > + if (chosen_major_lsm) { > + pr_info("security= is ignored because it is superseded by lsm=\n"); > + chosen_major_lsm = NULL; > + } > ordered_lsm_parse(chosen_lsm_order, "cmdline"); > - else > + } else > ordered_lsm_parse(builtin_lsm_order, "builtin"); > > for (lsm = ordered_lsms; *lsm; lsm++)
On 2019/02/14 1:05, Casey Schaufler wrote: > On 2/12/2019 10:23 AM, Kees Cook wrote: >> To avoid potential confusion, explicitly ignore "security=" when "lsm=" is >> used on the command line, and report that it is happening. >> >> Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> >> Signed-off-by: Kees Cook <keescook@chromium.org> > > Acked-by: Casey Schaufler <casey@schaufler-ca.com> > The manual for TOMOYO was updated to follow this change. SELinux folks and AppArmor folks, can we apply this change?
On Sun, Feb 17, 2019 at 12:17 AM Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote: > On 2019/02/14 1:05, Casey Schaufler wrote: > > On 2/12/2019 10:23 AM, Kees Cook wrote: > >> To avoid potential confusion, explicitly ignore "security=" when "lsm=" is > >> used on the command line, and report that it is happening. > >> > >> Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> > >> Signed-off-by: Kees Cook <keescook@chromium.org> > > > > Acked-by: Casey Schaufler <casey@schaufler-ca.com> > > The manual for TOMOYO was updated to follow this change. > SELinux folks and AppArmor folks, can we apply this change? My main concern is that "selinux={0|1}" continues to work as it has for years. It doesn't look like this affects that, but I can't say I've dug into these changes very far.
On Sun, Feb 17, 2019 at 6:46 PM Paul Moore <paul@paul-moore.com> wrote: > My main concern is that "selinux={0|1}" continues to work as it has > for years. It doesn't look like this affects that, but I can't say > I've dug into these changes very far. Yup, no worries; it does. :)
On 2019/02/17 14:16, Tetsuo Handa wrote: > On 2019/02/14 1:05, Casey Schaufler wrote: >> On 2/12/2019 10:23 AM, Kees Cook wrote: >>> To avoid potential confusion, explicitly ignore "security=" when "lsm=" is >>> used on the command line, and report that it is happening. >>> >>> Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> >>> Signed-off-by: Kees Cook <keescook@chromium.org> >> >> Acked-by: Casey Schaufler <casey@schaufler-ca.com> >> > > The manual for TOMOYO was updated to follow this change. > SELinux folks and AppArmor folks, can we apply this change? > No response from Ubuntu kernel team. Redirecting to AppArmor list...
On 2/21/19 5:12 AM, Tetsuo Handa wrote: > On 2019/02/17 14:16, Tetsuo Handa wrote: >> On 2019/02/14 1:05, Casey Schaufler wrote: >>> On 2/12/2019 10:23 AM, Kees Cook wrote: >>>> To avoid potential confusion, explicitly ignore "security=" when "lsm=" is >>>> used on the command line, and report that it is happening. >>>> >>>> Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> >>>> Signed-off-by: Kees Cook <keescook@chromium.org> >>> >>> Acked-by: Casey Schaufler <casey@schaufler-ca.com> >>> >> >> The manual for TOMOYO was updated to follow this change. >> SELinux folks and AppArmor folks, can we apply this change? >> > > No response from Ubuntu kernel team. Redirecting to AppArmor list... > yeah this is okay Acked-by: John Johansen <john.johansen@canonical.com>
On Tue, 12 Feb 2019, Kees Cook wrote: > To avoid potential confusion, explicitly ignore "security=" when "lsm=" is > used on the command line, and report that it is happening. > > Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> > Signed-off-by: Kees Cook <keescook@chromium.org> Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 93d2c97f28fe..a0abd5f56e00 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2340,7 +2340,7 @@ lsm=lsm1,...,lsmN [SECURITY] Choose order of LSM initialization. This - overrides CONFIG_LSM. + overrides CONFIG_LSM, and the "security=" parameter. machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. @@ -4129,11 +4129,9 @@ Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. - security= [SECURITY] Choose a security module to enable at boot. - If this boot parameter is not specified, only the first - security module asking for security registration will be - loaded. An invalid security module name will be treated - as if no module has been chosen. + security= [SECURITY] Choose a legacy "major" security module to + enable at boot. This has been deprecated by the + "lsm=" parameter. selinux= [SELINUX] Disable or enable SELinux at boot time. Format: { "0" | "1" } diff --git a/security/security.c b/security/security.c index 3147785e20d7..23cbb1a295a3 100644 --- a/security/security.c +++ b/security/security.c @@ -288,9 +288,13 @@ static void __init ordered_lsm_init(void) ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), GFP_KERNEL); - if (chosen_lsm_order) + if (chosen_lsm_order) { + if (chosen_major_lsm) { + pr_info("security= is ignored because it is superseded by lsm=\n"); + chosen_major_lsm = NULL; + } ordered_lsm_parse(chosen_lsm_order, "cmdline"); - else + } else ordered_lsm_parse(builtin_lsm_order, "builtin"); for (lsm = ordered_lsms; *lsm; lsm++)
To avoid potential confusion, explicitly ignore "security=" when "lsm=" is used on the command line, and report that it is happening. Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> --- Documentation/admin-guide/kernel-parameters.txt | 10 ++++------ security/security.c | 8 ++++++-- 2 files changed, 10 insertions(+), 8 deletions(-)