
It doesn't make sense for CONFIG_LSM to have both AppArmor and SELinux #1040

Open
jfroy opened this issue Sep 30, 2024 · 3 comments
Comments

@jfroy
Contributor

jfroy commented Sep 30, 2024

Talos's CONFIG_LSM does not entirely make sense currently.

CONFIG_LSM="yama,selinux,loadpin,safesetid,integrity,bpf,apparmor"

It contains both SELinux and AppArmor, which are both major/exclusive LSMs. As shown by the logs below with lsm.debug set, AppArmor gets disabled because SELinux is listed first.

While the policy is "AppArmor is disabled by default", this works, but kind of by accident. It would be better stated as "Talos uses SELinux by default as its major LSM".

If the policy is "Talos does not enable a major LSM by default", then it is broken (SELinux is enabled).

If the policy in the future becomes "Talos uses AppArmor by default as its major LSM", then CONFIG_LSM will either be confusing or need to be changed.

The Talos documentation does recommend to set security=apparmor to enable AppArmor. This is arguably[1] a legacy method, but the kernel still supports it and it will override CONFIG_LSM. It will not however override lsm= on the kernel cmdline (the kernel prefers lsm= over security= and will emit a warning).

Given all this, it may be better to remove both from CONFIG_LSM, and recommend setting lsm= in the kernel cmdline to enable the desired major LSM or continue recommending security= for its simplicity.

192.168.1.13: kern:    info: [2024-09-30T21:29:40.216356995Z]: LSM: legacy security= *unspecified*
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216360995Z]: LSM:   CONFIG_LSM=yama,selinux,loadpin,safesetid,integrity,bpf,apparmor
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216363995Z]: LSM: boot arg lsm= *unspecified*
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216365995Z]: LSM:   early started: lockdown (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216371995Z]: LSM:   first ordered: capability (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216375995Z]: LSM: builtin ordered: yama (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216377995Z]: LSM: builtin ordered: selinux (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216380995Z]: LSM: builtin ignored: loadpin (not built into kernel)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216383995Z]: LSM: builtin ignored: safesetid (not built into kernel)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216386995Z]: LSM: builtin ignored: integrity (not built into kernel)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216389995Z]: LSM: builtin ordered: bpf (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216391995Z]: LSM: builtin ordered: apparmor (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216394995Z]: LSM:    last ordered: ima (enabled)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216396995Z]: LSM: builtin skipped: landlock (not in requested order)
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216399995Z]: LSM: exclusive chosen:   selinux
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216402995Z]: LSM: exclusive disabled: apparmor
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216404995Z]: LSM: initializing lsm=lockdown,capability,yama,selinux,bpf,ima
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216412995Z]: LSM: cred blob size       = 24
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216414995Z]: LSM: file blob size       = 16
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216416995Z]: LSM: inode blob size      = 72
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216418995Z]: LSM: ipc blob size        = 8
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216421995Z]: LSM: msg_msg blob size    = 4
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216423995Z]: LSM: superblock blob size = 72
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216425995Z]: LSM: task blob size       = 8
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216427995Z]: LSM: xattr slots          = 1
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216451995Z]: LSM: initializing capability
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216454995Z]: LSM: initializing yama
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216456995Z]: Yama: becoming mindful.
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216461995Z]: LSM: initializing selinux
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216463995Z]: SELinux:  Initializing.
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216519995Z]: LSM: initializing bpf
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216523995Z]: LSM support for eBPF active
192.168.1.13: kern:    info: [2024-09-30T21:29:40.216525995Z]: LSM: initializing ima

Footnotes

  [1] https://docs.kernel.org/admin-guide/kernel-parameters.html

        security=       [SECURITY] Choose a legacy "major" security module to
                        enable at boot. This has been deprecated by the
                        "lsm=" parameter.
    
@jfroy
Contributor Author

jfroy commented Sep 30, 2024

Also note that loadpin, safesetid are listed but not compiled.

integrity has been removed from the kernel[1] in 6.8. My cluster is running 6.10 and I haven't updated my CONFIG_LSM to remove it.

Footnotes

  [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/iint.c?id=b6c0dec9f78bc691166d60347b52b3adf03d5875

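The selection logic the two comments above describe (first-listed exclusive LSM wins, lsm= supersedes security=, names not built into the kernel are ignored) can be checked offline before touching a node's kernel cmdline. The model below is an added example, not code from the issue, Talos or the kernel: it follows the decision order of security/security.c as I understand it, and its BUILTIN table is constructed from the lsm.debug output quoted in the issue.

```python
# Model of how the kernel chooses its active LSM stack (constructed, not kernel code).
# Mirrors security/security.c: lsm= supersedes security=, security= disables every
# other legacy major, and only the first enabled exclusive LSM in the order stays active.
from dataclasses import dataclass

@dataclass(frozen=True)
class Lsm:
    name: str
    order: str                  # "early", "first", "mutable" or "last"
    exclusive: bool = False     # at most one exclusive LSM may be active
    legacy_major: bool = False  # selectable through the legacy security= option

# Modules built into the issue's kernel, taken from its lsm.debug output.
BUILTIN = [
    Lsm("lockdown", "early"), Lsm("capability", "first"),
    Lsm("yama", "mutable"), Lsm("selinux", "mutable", True, True),
    Lsm("apparmor", "mutable", True, True), Lsm("bpf", "mutable"),
    Lsm("landlock", "mutable"), Lsm("ima", "last"),
]

def resolve(config_lsm, security=None, lsm=None, builtin=BUILTIN):
    """Return (initialized order, exclusive chosen, disabled names, notes)."""
    notes, disabled = [], set()
    if lsm is not None and security is not None:
        notes.append(f"security={security} is ignored because it is superseded by lsm={lsm}")
        security = None
    by_name = {m.name: m for m in builtin}
    if security is not None:  # legacy path: every other major LSM is switched off
        disabled |= {m.name for m in builtin if m.legacy_major and m.name != security}
    ordered = [m for m in builtin if m.order in ("early", "first")]
    for name in (lsm if lsm is not None else config_lsm).split(","):
        m = by_name.get(name)
        if m is None:
            notes.append(f"{name} ignored (not built into kernel)")
        elif m.order == "mutable" and m not in ordered:
            ordered.append(m)
    if security in by_name and by_name[security] not in ordered:
        ordered.append(by_name[security])  # security= appends its major if the list lacks it
    ordered += [m for m in builtin if m.order == "last"]
    notes += [f"{m.name} skipped (not in requested order)" for m in builtin if m not in ordered]
    chosen = None
    for m in ordered:
        if not m.exclusive or m.name in disabled:
            continue
        if chosen is None:
            chosen = m.name       # "exclusive chosen"
        else:
            disabled.add(m.name)  # "exclusive disabled"
    init = [m.name for m in ordered if m.name not in disabled]
    return init, chosen, sorted(disabled), notes
```

Running it on the issue's CONFIG_LSM reproduces the quoted log: selinux is chosen, apparmor is disabled, and loadpin, safesetid and integrity are reported as not built in; passing security="apparmor" flips the choice, while passing both security= and lsm= shows lsm= winning.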
@smira
Member

smira commented Oct 1, 2024

@jfroy thanks for your feedback.

Talos 1.8.0 ships with experimental support for AppArmor for workloads (Kubernetes pods), but in Talos 1.9.0 we plan to ship a system-wide SELinux protection to isolate Talos core from the workloads.

In Talos 1.9.0 that would be off by default, but if enabled, it would disable AppArmor, even though users might decide to use AppArmor still and switch off SELinux protection.

As it comes to workloads and SELinux, we don't have a definitive answer right now.

@jfroy
Contributor Author

jfroy commented Oct 1, 2024

Sounds good. This is more feedback than an actionable issue indeed.

As I was experimenting with this yesterday, one other amusing thing I found is that the CONFIG_DEFAULT_SECURITY_ settings only alter the default value for CONFIG_LSM. So once you have a config, the next time you edit it, if you change those default security configs, they won't do anything since you'll already have a CONFIG_LSM value 😵‍💫

@dsseng dsseng self-assigned this Oct 6, 2024