From: Andy Lutomirski
Date: Wed, 28 Feb 2018 00:09:13 +0000
Subject: Re: [PATCH bpf-next v8 08/11] landlock: Add ptrace restrictions
To: Mickaël Salaün
Cc: Andy Lutomirski, LKML, Alexei Starovoitov, Arnaldo Carvalho de Melo, Casey Schaufler, Daniel Borkmann, David Drysdale, David S. Miller, Eric W. Biederman, James Morris, Jann Horn, Jonathan Corbet, Michael Kerrisk, Kees Cook, Paul Moore, Sargun Dhillon, Serge E. Hallyn, Shuah Khan, Tejun Heo, Thomas Graf, Tycho Andersen, Will Drewry, Kernel Hardening, Linux API, LSM List, Network Development
References: <20180227004121.3633-1-mic@digikod.net> <20180227004121.3633-9-mic@digikod.net> <0e7d0512-12a3-568d-aa55-3def4b91c6d0@digikod.net>
List-ID: linux-kernel@vger.kernel.org

On Wed, Feb 28, 2018 at 12:00 AM, Mickaël Salaün wrote:
>
> On 28/02/2018 00:23, Andy Lutomirski wrote:
>> On Tue, Feb 27, 2018 at 11:02 PM, Andy Lutomirski wrote:
>>> On Tue, Feb 27, 2018 at 10:14 PM, Mickaël Salaün wrote:
>>>>
>>>
>>> I think you're wrong here. Any sane container trying to use Landlock
>>> like this would also create a PID namespace. Problem solved. I still
>>> think you should drop this patch.
>
> Containers are one use case, another is built-in sandboxing (e.g. for web
> browser…) and another one is for sandbox managers (e.g. Firejail,
> Bubblewrap, Flatpak…). In some of these use cases, especially from a
> developer point of view, you may want/need to debug your applications
> (without requiring to be root). For nested Landlock access-controls
> (e.g. container + user session + web browser), it may not be allowed to
> create a PID namespace, but you still want to have a meaningful
> access-control.
>

The consideration should be exactly the same as for normal seccomp. If I'm in a container (using PID namespaces + seccomp) and run a web browser, I can debug the browser.
If there's a real use case for adding this type of automatic ptrace protection, then by all means, let's add it as a general seccomp feature.