Received: by 10.223.185.116 with SMTP id b49csp5527416wrg;
        Tue, 27 Feb 2018 15:11:04 -0800 (PST)
X-Google-Smtp-Source: AH8x226L6NfJSOJiGXeCyYUGhcPIZUyx31VP+dsGnZ2YGoSr/IgLbT9DrVjr/NKKxTzKrU0425LZ
X-Received: by 10.98.83.6 with SMTP id h6mr15745029pfb.174.1519773064088;
        Tue, 27 Feb 2018 15:11:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519773064; cv=none;
        d=google.com; s=arc-20160816;
        b=ASV4nbnUX78p/k/hBWnBio5IbDQoetTiD2x5zqLB7OaQbt+Xiu/y1xBs16fJhQPcxw
         P+RNCtPSTgH+aZDGfkVxyBg8/ecl2SxQMLrOspzvfJRiGtoh7Ag4jONhm9hie13tKa0W
         S9yAK9AKJldvOuWLn4TVSB4Sf+q5dG//yXkyl/E4Zz/K3/zaw+Hb3vDqNl6VStSMfpaW
         w1qXYPokB1y+VjOye/S1HVhHvu2ulaRcQ830fG1fY1m1r7hXNk9pm+31AzhnpbANKZd+
         UfcPqAcs0pGaP1QLea/vFFYrdDR5rwHg+KmKDE4Wu7d8TjTSNmFDqaIt1gszRnPkPViT
         SoEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:arc-authentication-results;
        bh=WBul3vqmwiOJz9P9hcaCisR5OmPfgWwzlIoKVsIwH5Y=;
        b=WepLOIjciPB9MJ6N/SYYV/F5yngxnGfeFpwybFn9CjcXdsVApdbnbT6lmZcay13952
         vap34MoqssSlj8qNXwo8zROsh7Q1Rdyxf/GwcpflChy6zldPKl636WTWSPk/UyHEpMgJ
         zSHPftecN3KcNNasGFMTVWz07DebiSRTvOwjfFXG4sp650gx93puXyR6sIhN9oJ1SeJq
         th3ZfBMT/bFl+WucKPC805kmMKsSF4kMmDqkxTzdIIq4ZE2U3uOnD0bJNQa+hPV1MusY
         FsI1+B3ooE512yGci+nHbbmUWF4KWUFB0CokSLXYfyKfYa9EGzpBj3/BMyXXIDTZHkRw
         uE/Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=cACSqdSl;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h1-v6si186399pln.138.2018.02.27.15.10.48;
        Tue, 27 Feb 2018 15:11:04 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=cACSqdSl;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752025AbeB0XJm (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 27 Feb 2018 18:09:42 -0500
Received: from mail-io0-f194.google.com ([209.85.223.194]:40727 "EHLO
        mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751779AbeB0XJj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Feb 2018 18:09:39 -0500
Received: by mail-io0-f194.google.com with SMTP id v6so1118294iog.7
        for <linux-kernel@vger.kernel.org>; Tue, 27 Feb 2018 15:09:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=WBul3vqmwiOJz9P9hcaCisR5OmPfgWwzlIoKVsIwH5Y=;
        b=cACSqdSlT5MTU5kmJJDokMxTiFFUhqt8igtHMKJYOteVeAXIVJM8T57jfLoxwxoON4
         NXzHp+6BWJClCKvMNoa0zam9vELhcSqd2I9IhkGcNSKCyCDF2kBYvClvFlsFrHsNrCbF
         iwii7eequ/YRliSbTJGiRK57ECbkMgHBsz5Me5nTay/DnGn++EXSPCalahkvGjzOzonM
         q64F5D5pxagQG/pfDczPT/NoPQNQJamUdwVoSn98MeBOmPTWVyI2Tvv+ytRKbenS3IbY
         XfmM3StvnXyDn+Ke3QO20sKXHida7PqzKrqNLGfV+4Q+RgUjNJCrwMgcn+8Pf+kUuLj0
         QbVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=WBul3vqmwiOJz9P9hcaCisR5OmPfgWwzlIoKVsIwH5Y=;
        b=m0zxPA6wrVhoos78TUafpWk3pFQx/3ddli51Xv21VdKKC3li6/JWVw6fuQxwHkgLNf
         LSa/YbGhVZKsPCiHbAzTbCR9WpLeYzi3c94wtcc8crmtFBB81Ix1YLXF28cBboIJzO9q
         3eRJL1iH5em9vHRvPi/mwG+nf7R3y4iWAauPTIuKGHwQ0BQ9prTJCJ/2CrbQ5/8ir1Au
         1TL8Z48eU3jZMmGhHR8hnhy9K8qiuy1RXdCdl7ve63SEpPcp6uLmzkcesm6m6AS+1mhO
         dgqAoGq+YkBp6Mj7N0C2h/coHMbJHlGDYUnJpeQzorsnw5gs0MY6UNndf1AjDgL9Yp4h
         +x7Q==
X-Gm-Message-State: APf1xPACKGpKFH2tUh0kdRdDmG6Nkw+Gbp9C717zWNNtPrUscfe4gHiL
        SPFyXll/IaEzG5mO6fAI1S0stsD+lcmKTZvjSsiYZw==
X-Received: by 10.107.174.14 with SMTP id x14mr17859476ioe.67.1519772979005;
 Tue, 27 Feb 2018 15:09:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.137.101 with HTTP; Tue, 27 Feb 2018 15:09:18 -0800 (PST)
In-Reply-To: <2e06621c-08e9-dc12-9b6e-9c09d5d8f458@digikod.net>
References: <20180227004121.3633-1-mic@digikod.net> <CALCETrV3OZb70o83uOG437PubwBwaUJ6SKQucq_7g1BuBOmxzg@mail.gmail.com>
 <2e06621c-08e9-dc12-9b6e-9c09d5d8f458@digikod.net>
From:   Andy Lutomirski <luto@amacapital.net>
Date:   Tue, 27 Feb 2018 23:09:18 +0000
Message-ID: <CALCETrWnJ7WkkfiymyahQd7YqO0KXP4mG1pRMq7fp8LG8Bwtcw@mail.gmail.com>
Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing
To:     =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@digikod.net>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        David Drysdale <drysdale@google.com>,
        "David S . Miller" <davem@davemloft.net>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        James Morris <james.l.morris@oracle.com>,
        Jann Horn <jann@thejh.net>, Jonathan Corbet <corbet@lwn.net>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Paul Moore <paul@paul-moore.com>,
        Sargun Dhillon <sargun@sargun.me>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Shuah Khan <shuah@kernel.org>, Tejun Heo <tj@kernel.org>,
        Thomas Graf <tgraf@suug.ch>, Tycho Andersen <tycho@tycho.ws>,
        Will Drewry <wad@chromium.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Network Development <netdev@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 27, 2018 at 10:03 PM, Micka=C3=ABl Sala=C3=BCn <mic@digikod.net=
> wrote:
>
> On 27/02/2018 05:36, Andy Lutomirski wrote:
>> On Tue, Feb 27, 2018 at 12:41 AM, Micka=C3=ABl Sala=C3=BCn <mic@digikod.=
net> wrote:
>>> Hi,
>>>

>>>
>>> ## Why use the seccomp(2) syscall?
>>>
>>> Landlock use the same semantic as seccomp to apply access rule
>>> restrictions. It add a new layer of security for the current process
>>> which is inherited by its children. It makes sense to use an unique
>>> access-restricting syscall (that should be allowed by seccomp filters)
>>> which can only drop privileges. Moreover, a Landlock rule could come
>>> from outside a process (e.g.  passed through a UNIX socket). It is then
>>> useful to differentiate the creation/load of Landlock eBPF programs via
>>> bpf(2), from rule enforcement via seccomp(2).
>>
>> This seems like a weak argument to me.  Sure, this is a bit different
>> from seccomp(), and maybe shoving it into the seccomp() multiplexer is
>> awkward, but surely the bpf() multiplexer is even less applicable.
>
> I think using the seccomp syscall is fine, and everyone agreed on it.
>

Ah, sorry, I completely misread what you wrote.  My apologies.  You
can disregard most of my email.

>
>>
>> Also, looking forward, I think you're going to want a bunch of the
>> stuff that's under consideration as new seccomp features.  Tycho is
>> working on a "user notifier" feature for seccomp where, in addition to
>> accepting, rejecting, or kicking to ptrace, you can send a message to
>> the creator of the filter and wait for a reply.  I think that Landlock
>> will want exactly the same feature.
>
> I don't think why this may be useful at all her. Landlock does not
> filter at the syscall level but handles kernel object and actions as
> does an LSM. That is the whole purpose of Landlock.

Suppose I'm writing a container manager.  I want to run "mount" in the
container, but I don't want to allow moun() in general and I want to
emulate certain mount() actions.  I can write a filter that catches
mount using seccomp and calls out to the container manager for help.
This isn't theoretical -- Tycho wants *exactly* this use case to be
supported.

But using seccomp for this is indeed annoying.  It would be nice to
use Landlock's ability to filter based on the filesystem type, for
example.  So Tycho could write a Landlock rule like:

bool filter_mount(...)
{
  if (path needs emulation)
    call_user_notifier();
}

And it should work.

This means that, if both seccomp user notifiers and Landlock make it
upstream, then there should probably be a way to have a user notifier
bound to a seccomp filter and a set of landlock filters.