Re: [RFC v3 19/22] landlock: Add interrupted origin

[RFC v3 00/22] Landlock LSM: Unprivileged sandboxing · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 01/22] landlock: Add Kconfig · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 04/22] bpf: Set register type according to is_valid_access() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 04/22] bpf: Set register type according to is_valid_access() · Thomas Graf <tgraf@suug.ch> · 2016-10-19
Re: [RFC v3 04/22] bpf: Set register type according to is_valid_access() · Daniel Borkmann <daniel@iogearbox.net> · 2016-10-19
[RFC v3 02/22] bpf: Move u64_to_ptr() to BPF headers and inline it · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 09/22] seccomp: Move struct seccomp_filter in seccomp.h · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 08/22] seccomp: Fix documentation for struct seccomp_filter · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Mickaël Salaün <mic@digikod.net> · 2016-10-05
Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Kees Cook <hidden> · 2016-10-05
[RFC v3 20/22] landlock: Add update and debug access flags · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 22/22] samples/landlock: Add sandbox example · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 22/22] samples/landlock: Add sandbox example · Alexei Starovoitov <hidden> · 2016-09-14
[RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-14
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Sargun Dhillon <hidden> · 2016-09-20
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-20
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-15
[RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Andy Lutomirski <luto@amacapital.net> · 2016-09-14
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2016-10-05
[RFC v3 19/22] landlock: Add interrupted origin · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 19/22] landlock: Add interrupted origin · Andy Lutomirski <luto@amacapital.net> · 2016-09-14
Re: [RFC v3 19/22] landlock: Add interrupted origin · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 19/22] landlock: Add interrupted origin · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 19/22] landlock: Add interrupted origin · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 19/22] landlock: Add interrupted origin · Mickaël Salaün <mic@digikod.net> · 2016-10-05
[RFC v3 06/22] landlock: Add LSM hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 06/22] landlock: Add LSM hooks · Thomas Graf <tgraf@suug.ch> · 2016-10-19
Re: [RFC v3 06/22] landlock: Add LSM hooks · Mickaël Salaün <mic@digikod.net> · 2016-10-19
[RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Jann Horn <hidden> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-15
lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons · Alexei Starovoitov <hidden> · 2016-09-20
Re: lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons · Sargun Dhillon <hidden> · 2016-09-20
Re: lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-20
Re: [RFC v3 07/22] landlock: Handle file comparisons · Kees Cook <hidden> · 2016-10-03
[RFC v3 13/22] bpf/cgroup: Replace struct bpf_prog with union bpf_object · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-09-15
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-10-05
[RFC v3 12/22] bpf: Cosmetic change for bpf_prog_attach() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 10/22] seccomp: Split put_seccomp_filter() with put_seccomp() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 15/22] bpf/cgroup: Move capability check · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 14/22] bpf/cgroup: Make cgroup_bpf_update() return an error code · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 14/22] bpf/cgroup: Make cgroup_bpf_update() return an error code · Alexei Starovoitov <hidden> · 2016-09-14
[RFC v3 05/22] bpf,landlock: Add eBPF program subtype and is_valid_subtype() verifier · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 05/22] bpf,landlock: Add eBPF program subtype and is_valid_subtype() verifier · Thomas Graf <tgraf@suug.ch> · 2016-10-19
RE: [RFC v3 00/22] Landlock LSM: Unprivileged sandboxing · David Laight <hidden> · 2016-09-14

From: Kees Cook <hidden>
Date: 2016-10-03 23:46:39
Also in: cgroups, lkml, netdev

On Wed, Sep 14, 2016 at 6:19 PM, Andy Lutomirski [off-list ref] wrote:

On Wed, Sep 14, 2016 at 3:14 PM, Mickaël Salaün [off-list ref] wrote:

quoted

On 14/09/2016 20:29, Andy Lutomirski wrote:

quoted

On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün [off-list ref] wrote:

quoted

This third origin of hook call should cover all possible trigger paths
(e.g. page fault). Landlock eBPF programs can then take decisions
accordingly.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Kees Cook <redacted>
---

quoted

+       if (unlikely(in_interrupt())) {

IMO security hooks have no business being called from interrupts.
Aren't they all synchronous things done by tasks?  Interrupts are
driver things.

Are you trying to check for page faults and such?

Yes, that was the idea you did put in my mind. Not sure how to deal with
this.

It's not so easy, unfortunately.  The easiest reliable way might be to
set a TS_ flag on all syscall entries when TIF_SECCOMP or similar is
set.

For making this series smaller, let's leave the idea idea of interrupt
hooks out -- the intention is for stricter syscall filtering, yes?

Once things are more well established and there's a use-case for this,
it can be added back in.

-Kees


-- 
Kees Cook
Nexus Security

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help