Received: by 10.223.185.116 with SMTP id b49csp5245730wrg; Tue, 27 Feb 2018 10:04:42 -0800 (PST) X-Google-Smtp-Source: AG47ELvRNjwSmPN49vLABnIFU34du71i0+qdOU572Kh+ztmVHBTcSPnF2dkriEcbWbBxCMXBUB3w X-Received: by 2002:a17:902:20e5:: with SMTP id v34-v6mr10825326plg.66.1519754682554; Tue, 27 Feb 2018 10:04:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519754682; cv=none; d=google.com; s=arc-20160816; b=qzhAojxXs8AVP1+lnZGbaDZmH16Fvyp/TyL/kP7DfJNN6pf9yybI7pOwx6gb7Qlk1L w6HFd+mdc7nNlxNazgi4qrsa2cMjG0n6h55nk0KeI6VEUfAoSNbQg5sx/nDCFIMW8dit Y4fj0e5XYCR4UB6ghTOhmYTZxu9j8gUE63DkpZ8auKq2QahXCyf4nyMm/o4+9mxesSgY xL7qk0M95r4hbBCGS0U5p+R+pObjtu+27GkXGLlNXThftsJhaHa+U8rriVJhgurzXOfm BhPWAv1TWi8bVFTZ8noWiipXoB9DCXAtgqjv+nTwhytgBOmVCZGM8ymswemSt73DKA9l II3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=I2AzXnLXH5X7gddWwl0T6UiiBr+rBOhY3ySyetnFak8=; b=rCPqqOjfxIbvFFAaooHwM8EGLKnxBJukVu/0qthcWF60xOP6DZV6MnK8BzO5p1S7Ti N1XEmyAdZodJhaMagoyOoP6jov0dFWK4kl0DNMDRBH0wluM7PTztACAPJKwMkfkSq/DX grA0NKvU8nrRHXowgkkYO+rBjIPRZ7uybh2GjI8ZjZ9QeH6YK1fZKe41MAEqRGonmZqw crLQVQGZdEXeqUjg2TTae+yULRhHgziqDsxHc5cFkXxKUQ11ty+11cEZczIwLZeUZ5rJ +raADGi0fQLWsQVY0zBAa4wJ+NRk9oXDe5QWATrhFo1mpN9zNzkz4zBJ2xbt/0TjG3/K oFAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=W2+jTSko; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 61-v6si235249plf.640.2018.02.27.10.04.27; Tue, 27 Feb 2018 10:04:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=W2+jTSko; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751968AbeB0SDK (ORCPT + 99 others); Tue, 27 Feb 2018 13:03:10 -0500 Received: from sonic302-28.consmr.mail.gq1.yahoo.com ([98.137.68.154]:34474 "EHLO sonic302-28.consmr.mail.gq1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751550AbeB0SDG (ORCPT ); Tue, 27 Feb 2018 13:03:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1519754586; bh=I2AzXnLXH5X7gddWwl0T6UiiBr+rBOhY3ySyetnFak8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=W2+jTSkoLkrHEapp50CB31Fp5wAaWn7hJhrp/a2vKSIfu6wIhb+pVYSDe6vyFo50EF2LqPxbkC/7GAems1wsQ/rveJlieOezRJ0dMvGlhArKOj/hj+3rTPaLLB8v+C5KDuFQX04s3NwUlPIXSpFw9HPzZ2AY1Zl8wG+BhJ+cEbBUKp8kIVsMWWBgN1Cj9WfXHRA50emREuNlj9fdf5SB7HUzA0ZKNg28Dn7upJhmDUE3WDYkg+ItloxIgFiu2tpYR4iknktLa+pq7jaLlhvOXZpOeJXSnXx/emovFXMSejAeCxQbFw4acZgkHPW++kFbZA560ggFQ2CgH4DBKF7DaQ== X-YMail-OSG: DfEgvQUVM1k7R6XRyjLxhxdH8qiAbyuTaXnQHxV3ughvC_Laj.T37moGQ4zdWit HhREg4wDTSAJGohO4bW.me5aXqJLvUzBGKZYITvt1NTOdnTrvrEpm5MoBHAeHr6s.YENfiyV4_fA zv5N6jUQnsHkGtTgRxYHHxSaWYUhxa39NbfC3vFKKEkJzhRsTawsXEcw8ki3Q.chH7zmJKE6mqKL pVKKcr3e26yH8TzHtklmhmMzEwhywv4kRx_LW6fjCvsbyY.fXHdcxtLzF76w8zHyvFujqq1Liymv .DkGBbFA47uIi2AAZ8T4niYXBkWc6L8Vj7M95I7eA6WFuIV_rVz.NLXrTsHw2Hv9VRU.NNX49Yw0 O_FgHZ473UR43gbAYymbG6ahooMKiuDOCudZ9jVAmrybQJ5jnbdB8ymtLy2m.C90VsyF4UaT2N91 5uCn3J2KX5gap1Zr2lEVGILxuwghyfX5Wy.scNmqffQ_L.L19QxfTBuAK7bUbaQGOnxdTspf8a5g mrbDmumefJPe3LrWoNmfmnEwhTE8TZuZGwgw5SQ-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.gq1.yahoo.com with HTTP; Tue, 27 Feb 2018 18:03:06 +0000 Received: from smtp108.rhel.mail.gq1.yahoo.com (EHLO [192.168.0.104]) ([216.39.57.224]) by smtp414.mail.gq1.yahoo.com (JAMES SMTP Server ) with ESMTPA ID 5cf5893113c933d47d2593ad1c8141fd; Tue, 27 Feb 2018 18:03:05 +0000 (UTC) Subject: Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy To: Andy Lutomirski Cc: Alexei Starovoitov , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , LKML , Alexei Starovoitov , Arnaldo Carvalho de Melo , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , Jann Horn , Jonathan Corbet , Michael Kerrisk , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Tycho Andersen , Will Drewry , Kernel Hardening , Linux API , LSM List , Network Development , Andrew Morton References: <20180227004121.3633-1-mic@digikod.net> <20180227004121.3633-6-mic@digikod.net> <20180227020856.teq4hobw3zwussu2@ast-mbp> <20180227045458.wjrbbsxf3po656du@ast-mbp> <20180227053255.a7ua24kjd6tvei2a@ast-mbp> From: Casey Schaufler Message-ID: Date: Tue, 27 Feb 2018 10:03:00 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/27/2018 9:36 AM, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:30 PM, Casey Schaufler wrote: >> On 2/27/2018 8:39 AM, Andy Lutomirski wrote: >>> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >>> wrote: >>>> [ Snip ] >>> An earlier version of the patch set used the seccomp filter chain. >>> Mickaƫl, what exactly was wrong with that approach other than that the >>> seccomp() syscall was awkward for you to use? You could add a >>> seccomp_add_landlock_rule() syscall if you needed to. >>> >>> As a side comment, why is this an LSM at all, let alone a non-stacking >>> LSM? It would make a lot more sense to me to make Landlock depend on >>> having LSMs configured in but to call the landlock hooks directly from >>> the security_xyz() hooks. >> Please, no. It is my serious intention to have at least the >> infrastructure blob management in within a release or two, and >> I think that's all Landlock needs. The security_xyz() hooks are >> sufficiently hackish as it is without unnecessarily adding more >> special cases. >> >> > What do you mean by "infrastructure blob management"? Today each security module manages their own module specific data, for example inode->i_security and file->f_security. This prevents having two security modules that have inode or file data from being used at the same time, because they both need to manage those fields. Moving the management of the module specific data (aka "blobs") from the security modules to the module infrastructure will allow those modules to coexist. Restrictions apply, of course, but I don't think that Landlock uses any of the facilities that would have issues.