On 6/1/2023 1:48 PM, Jeff Xu wrote:

Hi Paul,

On Wed, May 31, 2023 at 6:26 AM Mickaël Salaün [off-list ref] wrote:

quoted

quoted

quoted

quoted

If I understand correctly:
1> A new lsm syscall - lsm_get_pid_attr():  Landlock will return the
process's landlock sandbox status: true/false.

There would have to be a new LSM_ATTR_ENFORCMENT to query.
Each LSM could then report what, if any, value it choose to.
I can't say whether SELinux would take advantage of this.
I don't see that Smack would report this attribute.

I think such returned status for LSM_ATTR_ENFORCMENT query would make
sense, but the syscall could also return -EPERM and other error codes.

quoted

quoted

Is this a right fit for SELinux to also return the process's enforcing
mode ? such as enforcing/permissive.

Paul could answer that, but I think it would be simpler to have two
different queries, something like LSM_ATTR_ENFORCMENT and
LSM_ATTR_PERMISSIVE queries.

Hi Paul, what do you think ? Could SELinux have something like this.

Not Paul, but answering anyway - No, those are system wide attributes, not
process (task) attributes. You want some other syscall, say lsm_get_system_attr()
for those.

Thanks!
-Jeff