Re: [RFC 0/4] Landlock: ioctl support

[RFC 0/4] Landlock: ioctl support · Günther Noack <hidden> · 2023-05-02
[RFC 1/4] landlock: Increment Landlock ABI version to 4 · Günther Noack <hidden> · 2023-05-02
Re: [RFC 1/4] landlock: Increment Landlock ABI version to 4 · Mickaël Salaün <mic@digikod.net> · 2023-06-19
[RFC 2/4] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right · Günther Noack <hidden> · 2023-05-02
Re: [RFC 2/4] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2023-06-19
Re: [RFC 2/4] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right · "Günther Noack" <gnoack@google.com> · 2023-07-14
Re: [RFC 2/4] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2023-07-31
[RFC 3/4] selftests/landlock: Test ioctl support · Günther Noack <hidden> · 2023-05-02
Re: [RFC 3/4] selftests/landlock: Test ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-06-19
Re: [RFC 3/4] selftests/landlock: Test ioctl support · "Günther Noack" <gnoack@google.com> · 2023-08-07
Re: [RFC 3/4] selftests/landlock: Test ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-08-07
Re: [RFC 3/4] selftests/landlock: Test ioctl support · "Günther Noack" <gnoack@google.com> · 2023-08-07
[RFC 4/4] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL · Günther Noack <hidden> · 2023-05-02
Re: [RFC 0/4] Landlock: ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-05-04
Re: [RFC 0/4] Landlock: ioctl support · Günther Noack <hidden> · 2023-05-10
Re: [RFC 0/4] Landlock: ioctl support · Jeff Xu <hidden> · 2023-05-24
Re: [RFC 0/4] Landlock: ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-06-17
Re: [RFC 0/4] Landlock: ioctl support · Jeff Xu <hidden> · 2023-06-20
Re: [RFC 0/4] Landlock: ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-06-21
Re: [RFC 0/4] Landlock: ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-06-17
Re: [RFC 0/4] Landlock: ioctl support · "Günther Noack" <gnoack@google.com> · 2023-06-19
Re: [RFC 0/4] Landlock: ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-06-19
Re: [RFC 0/4] Landlock: ioctl support · "Günther Noack" <gnoack@google.com> · 2023-07-12
Re: [RFC 0/4] Landlock: ioctl support · Mickaël Salaün <mic@digikod.net> · 2023-07-12

From: Mickaël Salaün <mic@digikod.net>
Date: 2023-06-17 09:49:53
Also in: linux-fsdevel

On 24/05/2023 23:43, Jeff Xu wrote:

Sorry for the late reply.

quoted

(Looking in the direction of Jeff Xu, who has inquired about Landlock
for Chromium in the past -- do you happen to know in which ways you'd
want to restrict ioctls, if you have that need? :))

Regarding this patch, here is some feedback from ChromeOS:
  - In the short term: we are looking to integrate Landlock into our
sandboxer, so the ability to restrict to a specific device is huge.
- Fundamentally though, in the effort of bringing process expected
behaviour closest to allowed behaviour, the ability to speak of
ioctl() path access in Landlock would be huge -- at least we can
continue to enumerate in policy what processes are allowed to do, even
if we still lack the ability to restrict individual ioctl commands for
a specific device node.

Thanks for the feedback!

Regarding medium term:
My thoughts are, from software architecture point of view, it would be
nice to think in planes: i.e. Data plane / Control plane/ Signaling
Plane/Normal User Plane/Privileged User Plane. Let the application
define its planes, and assign operations to them. Landlock provides
data structure and syscall to construct the planes.

I'm not sure to follow this plane thing. Could you give examples for 
these planes applied to Landlock?

However, one thing I'm not sure is the third arg from ioctl:
int ioctl(int fd, unsigned long request, ...);
Is it possible for the driver to use the same request id, then put
whatever into the third arg ? how to deal with that effectively ?

I'm not sure about the value of all the arguments (except the command 
one) vs. the complexity to filter them, but we could discuss that when 
we'll reach this step.

For real world user cases, Dmitry Torokhov (added to list) can help.

Yes please!

PS: There is also lwn article about SELinux implementation of ioctl: [1]
[1] https://lwn.net/Articles/428140/

Thanks for the pointer, this shows how complex this IOCTL access control 
is. For Landlock, I'd like to provide the minimal required features to 
enable user space to define their own rules, which means to let user 
space (and especially libraries) to identify useful or potentially 
harmful IOCTLs.

Thanks!
-Jeff Xu

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help