
It doesn't make sense for `CONFIG_LSM` to have both AppArmor and SELinux

Open jfroy opened this issue 4 months ago • 3 comments

Talos's CONFIG_LSM does not entirely make sense currently.

```
CONFIG_LSM="yama,selinux,loadpin,safesetid,integrity,bpf,apparmor"
```

It contains both SELinux and AppArmor, which are both major/exclusive LSMs. As shown by the logs below with `lsm.debug` set, AppArmor gets disabled because SELinux is listed first.

While the policy is "AppArmor is disabled by default", this works, but kind of by accident. It would be better stated as "Talos uses SELinux by default as its major LSM".

If the policy is "Talos does not enable a major LSM by default", then it is broken (SELinux is enabled).

If the policy in the future becomes "Talos uses AppArmor by default as its major LSM", then CONFIG_LSM will either be confusing or need to be changed.

The Talos documentation does recommend setting `security=apparmor` to enable AppArmor. This is arguably[^1] a legacy method, but the kernel still supports it and it will override `CONFIG_LSM`. It will not, however, override `lsm=` on the kernel cmdline (the kernel prefers `lsm=` over `security=` and will emit a warning).

Given all this, it may be better to remove both from `CONFIG_LSM`, and recommend setting `lsm=` in the kernel cmdline to enable the desired major LSM or continue recommending `security=` for its simplicity.

```
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216356995Z]: LSM: legacy security= *unspecified*
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216360995Z]: LSM:   CONFIG_LSM=yama,selinux,loadpin,safesetid,integrity,bpf,apparmor
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216363995Z]: LSM: boot arg lsm= *unspecified*
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216365995Z]: LSM:   early started: lockdown (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216371995Z]: LSM:   first ordered: capability (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216375995Z]: LSM: builtin ordered: yama (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216377995Z]: LSM: builtin ordered: selinux (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216380995Z]: LSM: builtin ignored: loadpin (not built into kernel)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216383995Z]: LSM: builtin ignored: safesetid (not built into kernel)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216386995Z]: LSM: builtin ignored: integrity (not built into kernel)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216389995Z]: LSM: builtin ordered: bpf (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216391995Z]: LSM: builtin ordered: apparmor (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216394995Z]: LSM:    last ordered: ima (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216396995Z]: LSM: builtin skipped: landlock (not in requested order)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216399995Z]: LSM: exclusive chosen:   selinux
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216402995Z]: LSM: exclusive disabled: apparmor
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216404995Z]: LSM: initializing lsm=lockdown,capability,yama,selinux,bpf,ima
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216412995Z]: LSM: cred blob size       = 24
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216414995Z]: LSM: file blob size       = 16
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216416995Z]: LSM: inode blob size      = 72
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216418995Z]: LSM: ipc blob size        = 8
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216421995Z]: LSM: msg_msg blob size    = 4
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216423995Z]: LSM: superblock blob size = 72
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216425995Z]: LSM: task blob size       = 8
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216427995Z]: LSM: xattr slots          = 1
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216451995Z]: LSM: initializing capability
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216454995Z]: LSM: initializing yama
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216456995Z]: Yama: becoming mindful.
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216461995Z]: LSM: initializing selinux
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216463995Z]: SELinux:  Initializing.
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216519995Z]: LSM: initializing bpf
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216523995Z]: LSM support for eBPF active
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216525995Z]: LSM: initializing ima
```
[^1]:
> security=       [SECURITY] Choose a legacy "major" security module to
>                 enable at boot. This has been deprecated by the
>                 "lsm=" parameter.

jfroy · Sep 30 '24 22:09
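The precedence the issue describes (`lsm=` beats `security=`, `security=` beats `CONFIG_LSM`, and among several exclusive LSMs the first one in the resulting order wins) can be checked without rebooting a node. The following Python model is an added example, not code from this issue, the Talos project or the kernel: it reproduces the selection rules of the kernel's `security/security.c` (`ordered_lsm_parse` and `prepare_lsm`) as the editor understands them, with debug messages paraphrased rather than copied verbatim. The list of built-in modules is constructed from what the log above reports (`loadpin`, `safesetid` and `integrity` are not built in; `landlock` is built in but skipped), and `TALOS_CONFIG_LSM` is the value quoted in the issue.

```python
"""Model of how the Linux kernel resolves the LSM initialisation order.

Added illustration, not code from the Talos project or the kernel. It follows
the selection logic of security/security.c (ordered_lsm_parse / prepare_lsm)
as understood by the author of this example; message wording is paraphrased.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# CONFIG_LSM value quoted in the issue.
TALOS_CONFIG_LSM = "yama,selinux,loadpin,safesetid,integrity,bpf,apparmor"


@dataclass
class LsmInfo:
    name: str
    order: str = "mutable"      # "early", "first", "mutable" or "last"
    legacy_major: bool = False  # selectable through security=NAME
    exclusive: bool = False     # at most one exclusive LSM may initialise


# Constructed from the issue's lsm.debug output: modules the kernel knows.
BUILTIN_LSMS = [
    LsmInfo("lockdown", order="early"),
    LsmInfo("capability", order="first"),
    LsmInfo("yama"),
    LsmInfo("selinux", legacy_major=True, exclusive=True),
    LsmInfo("apparmor", legacy_major=True, exclusive=True),
    LsmInfo("bpf"),
    LsmInfo("landlock"),
    LsmInfo("ima", order="last"),
]


@dataclass
class LsmResult:
    order: List[str] = field(default_factory=list)  # LSMs that will initialise
    exclusive: Optional[str] = None                 # the major LSM that won
    messages: List[str] = field(default_factory=list)


def resolve_lsm_order(config_lsm, lsm_arg=None, security_arg=None,
                      builtin=BUILTIN_LSMS):
    """Return which LSMs initialise, in order, for a CONFIG_LSM string plus
    optional lsm= and security= boot arguments."""
    by_name = {l.name: l for l in builtin}
    enabled = {l.name: True for l in builtin}
    res = LsmResult()

    # 1. lsm= supersedes security=; the kernel warns and drops security=.
    if lsm_arg is not None:
        if security_arg is not None:
            res.messages.append(f"security={security_arg} is ignored because "
                                f"it is superseded by lsm={lsm_arg}")
            security_arg = None
        requested, origin = lsm_arg, "cmdline"
    else:
        requested, origin = config_lsm, "builtin"

    ordered: List[str] = []

    def append(lsm, source):
        # Duplicates are ignored; a module disabled earlier is not ordered.
        if lsm.name in ordered:
            return
        if not enabled[lsm.name]:
            res.messages.append(f"{source} disabled: {lsm.name}")
            return
        ordered.append(lsm.name)

    # 2. Early and LSM_ORDER_FIRST modules always come first.
    for l in builtin:
        if l.order == "early":
            append(l, "early")
    for l in builtin:
        if l.order == "first":
            append(l, "first")

    # 3. security=NAME disables every *other* legacy major LSM outright.
    if security_arg is not None:
        for l in builtin:
            if l.legacy_major and l.name != security_arg:
                enabled[l.name] = False
                res.messages.append(f"security={security_arg} disabled: "
                                    f"{l.name} (only one legacy major LSM)")

    # 4. Walk the requested list; names not built into the kernel are ignored.
    for name in requested.split(","):
        l = by_name.get(name)
        if l is None:
            res.messages.append(f"{origin} ignored: {name} (not built into kernel)")
        elif l.order == "mutable":
            append(l, origin)

    # 5. security=NAME is appended even when the list did not mention it.
    if security_arg is not None and security_arg in by_name:
        append(by_name[security_arg], "security=")

    # 6. LSM_ORDER_LAST modules go last; anything still unordered is skipped.
    for l in builtin:
        if l.order == "last":
            append(l, "last")
    for l in builtin:
        if l.name not in ordered:
            res.messages.append(f"{origin} skipped: {l.name} (not in requested order)")

    # 7. The first exclusive LSM in the order wins; later ones are disabled.
    for name in ordered:
        if by_name[name].exclusive and res.exclusive is not None:
            res.messages.append(f"exclusive disabled: {name}")
            continue
        if by_name[name].exclusive:
            res.exclusive = name
            res.messages.append(f"exclusive chosen: {name}")
        res.order.append(name)
    return res


if __name__ == "__main__":
    for label, kwargs in [
        ("Talos default", {}),
        ("security=apparmor", {"security_arg": "apparmor"}),
        ("lsm= and security= together",
         {"lsm_arg": "lockdown,capability,yama,apparmor,bpf",
          "security_arg": "selinux"}),
    ]:
        r = resolve_lsm_order(TALOS_CONFIG_LSM, **kwargs)
        print(f"{label}: lsm={','.join(r.order)} exclusive={r.exclusive}")
```

Running it with the issue's `CONFIG_LSM` and no boot arguments yields `lsm=lockdown,capability,yama,selinux,bpf,ima`, the same string the node's log prints, with `apparmor` reported as "exclusive disabled". Adding `security=apparmor` disables SELinux before the list is walked, so AppArmor becomes the exclusive LSM; passing `lsm=` as well makes the model drop `security=` with the warning the issue mentions. A `CONFIG_LSM` that names neither major LSM gives `exclusive=None`, which is the state the issue's "no major LSM by default" policy would correspond to.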