[Linux-cachefs] [PATCH -next 0/2] lsm: Change inode_setattr() to take struct

[Jay Freyensee]

On 5/30/23 9:01 AM, Christian Brauner wrote:
> On Tue, May 30, 2023 at 07:55:17AM -0700, Casey Schaufler wrote:
>> On 5/30/2023 7:28 AM, Christoph Hellwig wrote:
>>> On Tue, May 30, 2023 at 03:58:35PM +0200, Christian Brauner wrote:
>>>> The main concern which was expressed on other patchsets before is that
>>>> modifying inode operations to take struct path is not the way to go.
>>>> Passing struct path into individual filesystems is a clear layering
>>>> violation for most inode operations, sometimes downright not feasible,
>>>> and in general exposing struct vfsmount to filesystems is a hard no. At
>>>> least as far as I'm concerned.
>>> Agreed.  Passing struct path into random places is not how the VFS works.
>>>
>>>> So the best way to achieve the landlock goal might be to add new hooks
>>> What is "the landlock goal", and why does it matter?
>>>
>>>> or not. And we keep adding new LSMs without deprecating older ones (A
>>>> problem we also face in the fs layer.) and then they sit around but
>>>> still need to be taken into account when doing changes.
>>> Yes, I'm really worried about th amount of LSMs we have, and the weird
>>> things they do.
>> Which LSM(s) do you think ought to be deprecated? I only see one that I
> I don't have a good insight into what LSMs are actively used or are
> effectively unused but I would be curious to hear what LSMs are
> considered actively used/maintained from the LSM maintainer's
> perspective.

It's part of my job to look at functionality enabled by LSMs and how 
they can be applied to product security features and products at the 
distro level.

First of all the flexibility of stacking LSM's has greatly helped enable 
new and more features to be run at the same time on a Linux platform.

So there are feature buzz words out there, the main ones I'm familiar 
with,  like process control, anti-tampering/self-protect, quarantine, 
process injection.  The LSM's I've tried to follow w/respect to these 
features have included SELinux, AppArmor, yama, bpf/krsi, landlock, and 
safesetid.

Usually for process control ppl are most interested in killing a process 
quickly if its detected a threat.  In that end bpf/krsi LSM is a 
wonderful LSM for this and puts Linux on par with Windows and macOS with 
this feature (though the actual kill operation seems slower).

anti-tampering/self-protect is a mechanism to prevent say, an anti-virus 
program from getting killed by a threat process even if that process has 
root.  I believe this could be done via SELinux, Apparmor, maybe bpf, 
and maybe landlock.  In comparison, macOS does have this functionality 
via its Endpoint Security subsystem.

process injection would be a way to monitor a process which, yama would 
have to be turned off which then a customer would have to make a call if 
they want the protection of yama's disablement of tracing over whatever 
process injection feature the security company may be offering.

Quarantine is a way to sandbox a process that has not been determined to 
be a threat or not (unknown) and can be stored "for later (later 
termination or save-keeping for study".  That would be a neat future 
LSM, one I thought could be tacked onto landlock (but from what I 
understand would require the use of cgroups).

And speaking of future LSMs, I read one proposal I saw that I thought 
was a good idea called the NAX driver that was something like the the 
yama driver, only its sole purpose was to shut off the anonymous 
executable pages for fileless malware protection. But it didn't look 
like it got anywhere.

Some interesting usages/beliefs of LSM's I've seen:

*Using SELinux over AppArmor will help a security solution company win a 
govt contract due to the NSA relationship with SELinux.

*The belief lockdown will shut off or cause issues with ebpf, thus its 
not activated and used much.

*RHEL 8.7 having yama driver set to 0 upon install, which I thought the 
kernel Kconfig default was 1? So it makes me wonder what other distro 
installs set yama to 0 by default? Maybe yama causes an issue with 3rd 
party SW if its enabled to 1->3.


If you want to look at a security product making use of LSM's, check out 
KubeArmor.

Hope this helps...someone :-)