Date: Wed, 29 Jul 2020 03:05:08 +1000 (AEST)
From: James Morris
To: Casey Schaufler
Cc: madvenka@linux.microsoft.com, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, oleg@redhat.com, x86@kernel.org
Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor

On Tue, 28 Jul 2020, Casey Schaufler wrote:

> You could make a separate LSM to do these checks instead of limiting
> it to SELinux. Your use case, your call, of course.

It's not limited to SELinux. This is hooked via the LSM API and implementable by any LSM (similar to execmem, execstack etc.)

-- 
James Morris