Re: [PATCH v2 security-next 1/4] security: Hornet LSM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
Subject: Re: [PATCH v2 security-next 1/4] security: Hornet LSM
From: Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Apr 2025 10:31:18 -0700
Cc: Jonathan Corbet <corbet@xxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, "Serge E. Hallyn" <serge@xxxxxxxxxx>, Masahiro Yamada <masahiroy@xxxxxxxxxx>, Nathan Chancellor <nathan@xxxxxxxxxx>, Nicolas Schier <nicolas@xxxxxxxxx>, Shuah Khan <shuah@xxxxxxxxxx>, Mickaël Salaün <mic@xxxxxxxxxxx>, Günther Noack <gnoack@xxxxxxxxxx>, Nick Desaulniers <nick.desaulniers+lkml@xxxxxxxxx>, Bill Wendling <morbo@xxxxxxxxxx>, Justin Stitt <justinstitt@xxxxxxxxxx>, Jarkko Sakkinen <jarkko@xxxxxxxxxx>, Jan Stancek <jstancek@xxxxxxxxxx>, Neal Gompa <neal@xxxxxxxxx>, "open list:DOCUMENTATION" <linux-doc@xxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, keyrings@xxxxxxxxxxxxxxx, Linux Crypto Mailing List <linux-crypto@xxxxxxxxxxxxxxx>, LSM List <linux-security-module@xxxxxxxxxxxxxxx>, Linux Kbuild mailing list <linux-kbuild@xxxxxxxxxxxxxxx>, "open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@xxxxxxxxxxxxxxx>, bpf <bpf@xxxxxxxxxxxxxxx>, clang-built-linux <llvm@xxxxxxxxxxxxxxx>, nkapron@xxxxxxxxxx, Matteo Croce <teknoraver@xxxxxxxx>, Roberto Sassu <roberto.sassu@xxxxxxxxxx>, Cong Wang <xiyou.wangcong@xxxxxxxxx>
In-reply-to: <CAADnVQ+LMAnyT4yV5iuJ=vswgtUu97cHKnvysipc6o7HZfEbUA@mail.gmail.com>
References: <20250404215527.1563146-1-bboscaccy@linux.microsoft.com> <20250404215527.1563146-2-bboscaccy@linux.microsoft.com> <CAADnVQJyNRZVLPj_nzegCyo+BzM1-whbnajotCXu+GW+5-=P6w@mail.gmail.com> <87semdjxcp.fsf@microsoft.com> <CAADnVQ+JGfwRgsoe2=EHkXdTyQ8ycn0D9nh1k49am++4oXUPHg@mail.gmail.com> <87friajmd5.fsf@microsoft.com> <CAADnVQKb3gPBFz+n+GoudxaTrugVegwMb8=kUfxOea5r2NNfUA@mail.gmail.com> <87a58hjune.fsf@microsoft.com> <CAADnVQ+LMAnyT4yV5iuJ=vswgtUu97cHKnvysipc6o7HZfEbUA@mail.gmail.com>

Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> writes:

> History repeats itself.
> 1. the problem is hard.
> 2. you're only interested in addressing your own use case.
> There is no end-to-end design here and no attempt to
> think it through how it will work for others.
>

Well, I suppose anything worth doing is going to be hard :)

The end-to-end design for this is the same end-to-end design that exists
for signing kernel modules today. We envisioned it working for others
the same way module signing works for others. 

> Hacking into bpf internal objects like maps is not acceptable.

We've heard your concerns about kern_sys_bpf and we agree that the LSM
should not be calling it. The proposal in this email should meet both of
our needs
https://lore.kernel.org/bpf/874iypjl8t.fsf@xxxxxxxxxxxxx/

-blaise

Follow-Ups:
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Alexei Starovoitov

References:
- [PATCH v2 security-next 0/4] Introducing Hornet LSM
  - From: Blaise Boscaccy
- [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Blaise Boscaccy
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Alexei Starovoitov
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Blaise Boscaccy
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Alexei Starovoitov
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Blaise Boscaccy
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Alexei Starovoitov
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Blaise Boscaccy
- Re: [PATCH v2 security-next 1/4] security: Hornet LSM
  - From: Alexei Starovoitov

Prev by Date: Re: [PATCH v12 18/26] x86/resctrl: Add default MBM event configurations for mbm_cntr_assign mode
Next by Date: Re: [PATCH v2] slab: Decouple slab_debug and no_hash_pointers
Previous by thread: Re: [PATCH v2 security-next 1/4] security: Hornet LSM
Next by thread: Re: [PATCH v2 security-next 1/4] security: Hornet LSM
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Linux FS] [Yosemite Forum] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper] [Linux Resources]