[PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing

[PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing · Mickaël Salaün <mic@digikod.net> · 2017-03-28
[PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier · kbuild test robot <hidden> · 2017-03-29
Re: [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier · Kees Cook <hidden> · 2017-04-18
[PATCH net-next v6 07/11] landlock: Add ptrace restrictions · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [kernel-hardening] [PATCH net-next v6 07/11] landlock: Add ptrace restrictions · Djalal Harouni <hidden> · 2017-04-10
Re: [kernel-hardening] [PATCH net-next v6 07/11] landlock: Add ptrace restrictions · Mickaël Salaün <mic@digikod.net> · 2017-04-11
[PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock · Mickaël Salaün <mic@digikod.net> · 2017-04-16
Re: [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock · Kees Cook <hidden> · 2017-04-18
[PATCH net-next v6 08/11] bpf: Add a Landlock sandbox example · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 08/11] bpf: Add a Landlock sandbox example · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 08/11] bpf: Add a Landlock sandbox example · Mickaël Salaün <mic@digikod.net> · 2017-04-18
[PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock · Mickaël Salaün <mic@digikod.net> · 2017-04-18
Re: [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock · Kees Cook <hidden> · 2017-04-18
[PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism · Kees Cook <hidden> · 2017-04-19
Re: [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism · Mickaël Salaün <mic@digikod.net> · 2017-04-19
Re: [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism · Kees Cook <hidden> · 2017-04-19
Re: [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism · Mickaël Salaün <mic@digikod.net> · 2017-04-19
Re: [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism · Kees Cook <hidden> · 2017-04-20
[PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · kbuild test robot <hidden> · 2017-03-29
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Mickaël Salaün <mic@digikod.net> · 2017-04-18
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-18
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Mickaël Salaün <mic@digikod.net> · 2017-04-19
Re: [kernel-hardening] Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-19
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Kees Cook <hidden> · 2017-04-20
Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem · Kees Cook <hidden> · 2017-04-18
[PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() · Mickaël Salaün <mic@digikod.net> · 2017-04-18
Re: [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() · Mickaël Salaün <mic@digikod.net> · 2017-04-19
Re: [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() · Kees Cook <hidden> · 2017-04-20
[PATCH net-next v6 11/11] landlock: Add user and kernel documentation for Landlock · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 11/11] landlock: Add user and kernel documentation for Landlock · kbuild test robot <hidden> · 2017-03-29
[PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [kernel-hardening] [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Djalal Harouni <hidden> · 2017-03-29
Re: [kernel-hardening] [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2017-03-31
Re: [kernel-hardening] [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2017-04-18
Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy · Kees Cook <hidden> · 2017-04-18
[PATCH net-next v6 03/11] bpf: Define handle_fs and add a new helper bpf_handle_fs_get_mode() · Mickaël Salaün <mic@digikod.net> · 2017-03-28
Re: [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing · Kees Cook <hidden> · 2017-04-18
Re: [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing · Mickaël Salaün <mic@digikod.net> · 2017-04-19

From: Kees Cook <hidden>
Date: 2017-04-18 23:26:14
Also in: linux-api, lkml, netdev

On Tue, Mar 28, 2017 at 4:46 PM, Micka?l Sala?n [off-list ref] wrote:

This sixth series add some changes to the previous one [1], including a simpler
rule inheritance hierarchy (similar to seccomp-bpf), a ptrace scope protection,
some file renaming (better feature identification per file), a future-proof
eBPF subtype and miscellaneous cosmetic fixes.

Sorry for the delay in review! I finally had a chunk of time I could
devote to this. I really like how it's heading. I still wonder about
its overlap with seccomp (it's really only using the syscall now...),
but that's just a detail. Getting the abstraction away from direct LSM
hooks looks good.

There is as yet no way to allow a process to access only a subset of the
filesystem where the subset is specified via a path or a file descriptor.  This
feature is intentionally left out so as to minimize the amount of code of this
patch series but will come in a following series.  However, it is possible to
check the file type, as done in the following example.

I understand why you've taken a progressive approach here, but I think
there are two fundamental areas where people will use Landlock: path
evaluation and network address evaluation. I think it's worth
expanding this series to include those two confinement examples, since
that can help people understand what the "general" case will look
like.

As I mentioned in one of the patch review emails, I think there needs
to be a clearer explanation of how usage counting works vs the
"events" (which I think of as "rule tables" not events -- maybe it
needs a new name?) and "rule" lists. I think I understand it, but I
spent a lot of time trying to get there. More comments would help.

Finally, another thing I'm curious about is how to deal with the
thread-sync issue. Seccomp uses its TSYNC thing, and I'd expect we'd
want something similar for landlock... but that looks really hairy as
far as locking goes. Perhaps it's already solved by using the same
locking seccomp uses, in which case I'm less inclined to kick landlock
out of seccomp.c. :)

Looks like it's coming along nicely! Thanks for continuing to work on this!

-Kees

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help