Received: by 10.223.185.116 with SMTP id b49csp4489758wrg;
        Tue, 6 Mar 2018 17:22:49 -0800 (PST)
X-Google-Smtp-Source: AG47ELumNbVREI+O1tHGJYUSf8Na7wKBWHPiTiE72+YJFwADp8OKfGdWKf8rgVRlNt78gSFS9inO
X-Received: by 2002:a17:902:52a6:: with SMTP id a35-v6mr13148891pli.179.1520385769661;
        Tue, 06 Mar 2018 17:22:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520385769; cv=none;
        d=google.com; s=arc-20160816;
        b=XdaJHEbASFzRVu/oDXY8BwmiE+zSqagQ7mpDk0ASHw0YJZ+Iuy5n95SgVtMrvo+9TQ
         qCsJYMkvwBexkOfoPI9lE+T5mE46bGVP6Tn2wIu6lkmL8jqpK7+NI7bkQNKypQSPDa16
         ZNCWyQdKPbBUy30mYwYbliTQ89ClYZA77f+p9AcV872cvQRGoqTNuqpGFORRz82y2O7n
         gcGZNRrkZk/rWTlgNgV655gOwoJAuhCKgi6UU7JPeXoqUfCXdTaEdGkC3UCxkSpmg+xm
         wER6PhpP0S8ijLuOAmR/eveq+ToxqQpaw1uLIdI9D/tUwjcI0Yvrt/iQ6zi9saGW1mFS
         GpJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:arc-authentication-results;
        bh=L8fyBPnqKQ4ad4kknNq1kQzu98aUYi7Yg2mbPAvXd3U=;
        b=PeEb4+VURZG6Q5qnMnkSgbaJhM/Zt86n9srLw8a9NEVvEgWSKQOfHXBG9gBGE1Y1pc
         cfI7MV7ckod3a7Q1hf9NN+Z5UCJwudGI9XrFBUnu4IPVRXvlCXKNJvaxt26UpnsyllYc
         xfm3QkKAItZsp5bMx0rrWe28QUbmTZHqIMhV0JTQFc1D4w/B70u87Qih+e7zm9iAuHG1
         LM/Otpb3Wm+grV8mItgh7dJQLUv6HlJalJw5bNG3AcaRrhxF0RLNuLKc8EhOUJ1dk1F4
         JEujQJJnHkpD/jvFoYGyhJnHzh52A3C6gb9VtFTL1vmKgz+Zq7uKGpHN18Ah5KYJhPdK
         tGaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=q1lC2X6w;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u187si10675612pgc.451.2018.03.06.17.22.34;
        Tue, 06 Mar 2018 17:22:49 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=q1lC2X6w;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933158AbeCGBVf (ORCPT <rfc822;chaneybenjamini@gmail.com>
        + 99 others); Tue, 6 Mar 2018 20:21:35 -0500
Received: from mail-it0-f45.google.com ([209.85.214.45]:53521 "EHLO
        mail-it0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933036AbeCGBVc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 6 Mar 2018 20:21:32 -0500
Received: by mail-it0-f45.google.com with SMTP id w63so1266064ita.3
        for <linux-kernel@vger.kernel.org>; Tue, 06 Mar 2018 17:21:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=L8fyBPnqKQ4ad4kknNq1kQzu98aUYi7Yg2mbPAvXd3U=;
        b=q1lC2X6wwqjEamaS2nrMefY5X2q+9EWnKKR6WyC5Yz4Y+6uOsUboPRdTv8tTkWNK6n
         /syK4Fq42X73MmD7dytgcTsYD50O/jV8F/qDgeGOLJsijldUc10oI8WS/TtmxPTstORL
         Q6tLbddPEBT4Z8ifT0SdlAkRqDjuys7YzCG7TnWEtZfm9cEpw0zwFqnzEw0V+r9BjNg2
         hbo0CyQfJ6d9m1DK6VPQn0OA3MOaQ8rT/ziD6gxIm+7o5ao+mnSxYtBlcTK2LHo8LE6Z
         am3TKYm2S9Hpq67tMprbfbsPnKPmKNh0DKTUsKhypSJUr3PUaNrKhqa2j/7tcEz4d56j
         u6TQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=L8fyBPnqKQ4ad4kknNq1kQzu98aUYi7Yg2mbPAvXd3U=;
        b=k2Jkw3QxGKneYKeGPDr2edEAAg6Vr0pYkUbgcW+hAHXZ+Q8rfSc5nMkHMROUKOp5PE
         87Q8G+gr1mOkwE305Lr65dQ32Bu1BAzTMSh+oonf2YjJUlz+KW4R7Bw8NFsLmWenOpbS
         kZqzWSy4KWeDgkyodhkVOV0MeCzCiTwwsTWdaFta+tlHVtNXm7aYI47G1QiAhcE8HoYZ
         bzTVuyvNVbp8CRyExENGCaGkTd8w+d6A8Cjt93ZIof/3wNNBPEBp+0t0OoNH7ywjIalx
         2O9N1o/wmlLOBC9uxUNfT9+4KcIkjE5AWRw/rB3/ynkIa2ADHKe7if68j2L9Mu1FrJ//
         PJKQ==
X-Gm-Message-State: AElRT7E3t2W3kgO5RHLh33X8RKliv2WBnnoPXbzUUPVdIrdtboGBVX1c
        Ft4SLb+0HT0xfKu3ujD2S/WuHvOpm64rjpBHbdzBSw==
X-Received: by 10.36.90.212 with SMTP id v203mr21930153ita.150.1520385692062;
 Tue, 06 Mar 2018 17:21:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.137.101 with HTTP; Tue, 6 Mar 2018 17:21:11 -0800 (PST)
In-Reply-To: <7082be04-d6af-b853-4bb7-f331836662e2@digikod.net>
References: <20180227004121.3633-1-mic@digikod.net> <CALCETrV3OZb70o83uOG437PubwBwaUJ6SKQucq_7g1BuBOmxzg@mail.gmail.com>
 <2e06621c-08e9-dc12-9b6e-9c09d5d8f458@digikod.net> <CALCETrWnJ7WkkfiymyahQd7YqO0KXP4mG1pRMq7fp8LG8Bwtcw@mail.gmail.com>
 <a70b41ee-78cb-52cc-152c-ac5e43b7e45c@digikod.net> <CALCETrUQYp0ta4tLgUWJ79pZVwp3WRY7cp-XaPcn1WyTc=wZyg@mail.gmail.com>
 <20180306224636.wf5z3kujtc7r5qyh@cisco> <7082be04-d6af-b853-4bb7-f331836662e2@digikod.net>
From:   Andy Lutomirski <luto@amacapital.net>
Date:   Wed, 7 Mar 2018 01:21:11 +0000
Message-ID: <CALCETrXT8JUXVwDNKGVRG7=aenthDRePD+T+YiDY6cceaazDeA@mail.gmail.com>
Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing
To:     =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@digikod.net>
Cc:     Tycho Andersen <tycho@tycho.ws>,
        LKML <linux-kernel@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        David Drysdale <drysdale@google.com>,
        "David S . Miller" <davem@davemloft.net>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        James Morris <james.l.morris@oracle.com>,
        Jann Horn <jann@thejh.net>, Jonathan Corbet <corbet@lwn.net>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Paul Moore <paul@paul-moore.com>,
        Sargun Dhillon <sargun@sargun.me>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Shuah Khan <shuah@kernel.org>, Tejun Heo <tj@kernel.org>,
        Thomas Graf <tgraf@suug.ch>, Will Drewry <wad@chromium.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Network Development <netdev@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 6, 2018 at 11:06 PM, Micka=C3=ABl Sala=C3=BCn <mic@digikod.net>=
 wrote:
>
> On 06/03/2018 23:46, Tycho Andersen wrote:
>> On Tue, Mar 06, 2018 at 10:33:17PM +0000, Andy Lutomirski wrote:
>>>>> Suppose I'm writing a container manager.  I want to run "mount" in th=
e
>>>>> container, but I don't want to allow moun() in general and I want to
>>>>> emulate certain mount() actions.  I can write a filter that catches
>>>>> mount using seccomp and calls out to the container manager for help.
>>>>> This isn't theoretical -- Tycho wants *exactly* this use case to be
>>>>> supported.
>>>>
>>>> Well, I think this use case should be handled with something like
>>>> LD_PRELOAD and a helper library. FYI, I did something like this:
>>>> https://github.com/stemjail/stemshim
>>>
>>> I doubt that will work for containers.  Containers that use user
>>> namespaces and, for example, setuid programs aren't going to honor
>>> LD_PRELOAD.
>>
>> Or anything that calls syscalls directly, like go programs.
>
> That's why the vDSO-like approach. Enforcing an access control is not
> the issue here, patching a buggy userland (without patching its code) is
> the issue isn't it?
>
> As far as I remember, the main problem is to handle file descriptors
> while "emulating" the kernel behavior. This can be done with a "shim"
> code mapped in every processes. Chrome used something like this (in a
> previous sandbox mechanism) as a kind of emulation (with the current
> seccomp-bpf ). I think it should be doable to replace the (userland)
> emulation code with an IPC wrapper receiving file descriptors through
> UNIX socket.
>

Can you explain exactly what you mean by "vDSO-like"?

When a 64-bit program does a syscall, it just executes the SYSCALL
instruction.  The vDSO isn't involved at all.  32-bit programs usually
go through the vDSO, but not always.

It could be possible to force-load a DSO into an entire container and
rig up seccomp to intercept all SYSCALLs not originating from the DSO
such that they merely redirect control to the DSO, but that seems
quite messy.