FS#42910 - [linux] consider re-enabling TOMOYO / SMACK as they don't depend on AUDIT

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Wednesday, 26 November 2014, 12:09 GMT
Last edited by Jan Alexander Steffens (heftig) - Tuesday, 09 April 2019, 21:53 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 21
Private No

Details

Here's the thread where the decision was made to remove these:

https://lists.archlinux.org/pipermail/arch-dev-public/2014-March/026028.html

SELinux and AppArmor require CONFIG_AUDIT=y, which makes enabling them an intrusive change with an impact on everyone. I agree with keeping those disabled until upstream provides a way to fully disable audit by default.

However, SMACK and TOMOYO don't have the hard dependency on CONFIG_AUDIT=y and are built as entirely optional modules. Enabling these has no impact on people who aren't opting in to using them beyond an insignificant increase in the package size.

The TOMOYO tools were included in the repositories when it was disabled, and I'm interested in moving them back.

I'm not interested in SMACK, but there are packages for it in the AUR and the current lack of interest in them likely has to do with the need to keep recompiling the kernel whenever it updates... I don't see a good reason to make life harder for people who want to use it.

Closed by Jan Alexander Steffens (heftig)
Tuesday, 09 April 2019, 21:53 GMT
Reason for closing: Implemented
Additional comments about closing: Added in trunk, pending next release.
Comment by Doug Newgard (Scimmia) - Wednesday, 26 November 2014, 21:35 GMT
This is mostly a duplicate of FS#39852, but I'll let the maintainers make that call.
Comment by Daniel Micay (thestinger) - Wednesday, 26 November 2014, 22:56 GMT
I don't think it's a duplicate. It wasn't clear that these were fully modular from that issue report. The rationale for disabling these features was to get rid of non-optional, invasive features like CONFIG_AUDIT which has a significant performance impact and adds useless nonsense to the kernel logs. SELinux and AppArmor had to go as they have a hard dependency on it but removing these was actually unnecessary. As long as the default security model is left as DAC there's no impact on people who aren't opting in.

Technical decisions should be re-evaluated when new information comes to light. I've verified that TOMOYO works fine without audit support enabled, although it does have the ability to use it for logging enhancements.
Comment by Daniel Micay (thestinger) - Wednesday, 26 November 2014, 22:58 GMT
Arch is enabling the LSM framework to get the very useful ptrace_scope feature from Yama anyway.
Comment by Xan (xan) - Monday, 22 June 2015, 13:18 GMT
Perhaps the same could be done with AppArmor, because it only needs

CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y

So no CONFIG_AUDIT either.
Comment by Daniel Micay (thestinger) - Monday, 22 June 2015, 13:38 GMT
Enabling it will turn on AUDIT:

config SECURITY_APPARMOR
    bool "AppArmor support"
    depends on SECURITY && NET
    select AUDIT
    select SECURITY_PATH
    select SECURITYFS
    select SECURITY_NETWORK
    default n
    help
      This enables the AppArmor security module.
      Required userspace tools (if they are not included in your
      distribution) and further information may be found at
      http://apparmor.wiki.kernel.org

      If you are unsure how to answer this question, answer N.
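
The `select AUDIT` behaviour shown in the comment above, as an added example that is not part of the original thread or the kernel's own tooling: a small Python parser that follows unconditional Kconfig `select` lines transitively to show which options force AUDIT on. The `EXAMPLE_*` entries and the function names `parse_selects` and `forced_by` are constructed for illustration.

```python
import re

# AppArmor entry as quoted above (help abridged); EXAMPLE_* entries are constructed.
KCONFIG = '''
config SECURITY_APPARMOR
    bool "AppArmor support"
    depends on SECURITY && NET
    select AUDIT
    select SECURITY_PATH
    select SECURITYFS
    select SECURITY_NETWORK
    help
      This enables the AppArmor security module.

config EXAMPLE_LSM
    bool "Constructed: uses audit only if it is already on"
    select SECURITYFS
    select EXAMPLE_LOGGING if AUDIT

config EXAMPLE_WRAPPER
    bool "Constructed: pulls in AppArmor"
    select SECURITY_APPARMOR
'''

def parse_selects(text):
    """Map each symbol to what it selects unconditionally; "select X if Y" is skipped."""
    selects, current, in_help = {}, None, False
    for line in text.splitlines():
        head = re.match(r'(?:menu)?config\s+(\w+)\s*$', line)  # entries start in column 0
        if head:
            current, in_help = head.group(1), False
            selects[current] = set()
        elif line.strip() == 'help':
            in_help = True  # ignore help text until the next entry header
        elif current and not in_help:
            sel = re.match(r'\s+select\s+(\w+)\s*$', line)
            if sel:
                selects[current].add(sel.group(1))
    return selects

def forced_by(symbol, selects):
    """Symbols switched on by enabling `symbol`, following selects transitively."""
    seen, stack = set(), [symbol]
    while stack:
        for sel in selects.get(stack.pop(), ()):
            if sel not in seen:
                seen.add(sel)
                stack.append(sel)
    return seen
```

`'AUDIT' in forced_by('SECURITY_APPARMOR', parse_selects(KCONFIG))` is true, and so is the same check for the constructed `EXAMPLE_WRAPPER`, which reaches AUDIT through AppArmor. The constructed `EXAMPLE_LSM` leaves AUDIT untouched because its only reference to it is a conditional `select ... if AUDIT`.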
Comment by Abelardo Ricart (aricart) - Tuesday, 09 April 2019, 17:39 GMT
Can this be enabled again? It does not affect other users, but saves those of us who prefer utilizing tomoyo as a MAC mechanism the cost of recompiling.