From: Jann Horn
Date: Sat, 21 Nov 2020 08:00:00 +0100
Subject: Re: [PATCH v24 08/12] landlock: Add syscall implementations
To: Mickaël Salaün
Cc: James Morris, "Serge E. Hallyn", Al Viro, Andy Lutomirski, Anton Ivanov, Arnd Bergmann, Casey Schaufler, Jeff Dike, Jonathan Corbet, Kees Cook, Michael Kerrisk, Richard Weinberger, Shuah Khan, Vincent Dagonneau, Kernel Hardening, Linux API, linux-arch, "open list:DOCUMENTATION", linux-fsdevel, kernel list, "open list:KERNEL SELFTEST FRAMEWORK", linux-security-module, "the arch/x86 maintainers", Mickaël Salaün
References: <20201112205141.775752-1-mic@digikod.net> <20201112205141.775752-9-mic@digikod.net>
In-Reply-To: <20201112205141.775752-9-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 12, 2020 at 9:52 PM Mickaël Salaün wrote:
> These 3 system calls are designed to be used by unprivileged processes
> to sandbox themselves:
> * landlock_create_ruleset(2): Creates a ruleset and returns its file
>   descriptor.
> * landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a
>   ruleset, identified by the dedicated file descriptor.
> * landlock_enforce_ruleset_current(2): Enforces a ruleset on the current
>   thread and its future children (similar to seccomp). This syscall has
>   the same usage restrictions as seccomp(2): the caller must have the
>   no_new_privs attribute set or have CAP_SYS_ADMIN in the current user
>   namespace.
>
> All these syscalls have a "flags" argument (not currently used) to
> enable extensibility.
>
> Here are the motivations for these new syscalls:
> * A sandboxed process may not have access to file systems, including
>   /dev, /sys or /proc, but it should still be able to add more
>   restrictions to itself.
> * Neither prctl(2) nor seccomp(2) (which was used in a previous version)
>   fit well with the current definition of a Landlock security policy.
>
> All passed structs (attributes) are checked at build time to ensure that
> they don't contain holes and that they are aligned the same way for each
> architecture.
>
> See the user and kernel documentation for more details (provided by a
> following commit):
> * Documentation/userspace-api/landlock.rst
> * Documentation/security/landlock.rst
>
> Cc: Arnd Bergmann
> Cc: James Morris
> Cc: Jann Horn
> Cc: Kees Cook
> Cc: Serge E. Hallyn
> Signed-off-by: Mickaël Salaün

Reviewed-by: Jann Horn
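The three-step sequence the quoted commit message describes (create a ruleset, add a rule, enforce it on the current thread), shown as a self-sandboxing program. This is an added example written for this page; it is not code from the v24 series or from the kernel tree. It is written against the API as it was later merged (Linux 5.13, Landlock ABI v1), where the enforcement syscall is named landlock_restrict_self() rather than the landlock_enforce_ruleset_current() of the series above, and where the syscalls are numbered 444, 445 and 446 on every architecture. Assumptions beyond the text: glibc provides no wrappers, so the sys_landlock_* helpers below call syscall(2) directly; the struct layouts and constants are copied from the merged UAPI header so the file also builds on hosts with older kernel headers; "/tmp" is used as the one tree left readable; sandbox_self_read_only() and probe_open() are names chosen here.

```c
/*
 * Added example, not code from the Landlock patch series: a process that
 * restricts itself with the three Landlock syscalls. Targets the merged ABI
 * (Linux 5.13+, Landlock ABI v1), where the third syscall was renamed
 * landlock_restrict_self() (the series calls it landlock_enforce_ruleset_current()).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Copied from uapi/linux/landlock.h (ABI v1) so this builds with pre-5.13 headers too. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
#define ACCESS_FS_ALL_V1 ((1ULL << 13) - 1)	/* the 13 filesystem rights of ABI v1, bits 0..12 */
#define ACCESS_FS_READ (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)
/* Numbers are the same on every architecture; older <sys/syscall.h> may lack them. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#ifndef O_PATH
#define O_PATH 010000000	/* generic asm value, in case _GNU_SOURCE was not in effect */
#endif
long syscall(long, ...);	/* compatible with glibc's prototype; harmless if already declared */

/* glibc has no wrappers for these syscalls, so go through syscall(2). */
static int sys_landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags)
{ return syscall(__NR_landlock_create_ruleset, attr, size, flags); }
static int sys_landlock_add_rule(int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags)
{ return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags); }
static int sys_landlock_restrict_self(int ruleset_fd, uint32_t flags)
{ return syscall(__NR_landlock_restrict_self, ruleset_fd, flags); }

/*
 * Restrict the calling thread so that, of every right Landlock v1 knows, only
 * reading files and listing directories beneath ro_dir remains allowed.
 * Returns 0 once enforced, 1 if the kernel (or a seccomp filter around us)
 * offers no Landlock, and -1 on any other error.
 */
static int sandbox_self_read_only(const char *ro_dir)
{
	struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = ACCESS_FS_ALL_V1 };
	struct landlock_path_beneath_attr path_beneath = { .allowed_access = ACCESS_FS_READ };
	int ruleset_fd, err;

	/* 1. The ruleset is an ordinary fd: no privilege, no /proc or /sys needed. */
	ruleset_fd = sys_landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
	if (ruleset_fd < 0)
		return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
	/* 2. One path_beneath rule; an O_PATH handle to the directory is enough. */
	path_beneath.parent_fd = open(ro_dir, O_PATH | O_CLOEXEC);
	if (path_beneath.parent_fd < 0)
		goto fail;
	err = sys_landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
	close(path_beneath.parent_fd);
	if (err)
		goto fail;
	/* 3. Same precondition as seccomp(2), then enforce; irreversible for this thread. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || sys_landlock_restrict_self(ruleset_fd, 0))
		goto fail;
	close(ruleset_fd);
	return 0;
fail:
	close(ruleset_fd);
	return -1;
}

/* Open path read-only and report 0 or the errno; a Landlock denial shows up as EACCES. */
static int probe_open(const char *path, int extra_flags)
{
	int fd = open(path, O_RDONLY | O_CLOEXEC | extra_flags);

	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

int main(void)
{
	int status = sandbox_self_read_only("/tmp");	/* assumes /tmp exists */

	if (status < 0) {
		perror("sandbox_self_read_only");
		return 1;
	}
	if (status == 1)
		fprintf(stderr, "Landlock unavailable here, continuing unrestricted\n");
	printf("open(\"/tmp\") -> %s\n", strerror(probe_open("/tmp", O_DIRECTORY)));
	printf("open(\"/\") -> %s\n", strerror(probe_open("/", O_DIRECTORY)));
	return 0;
}
```

Build with `cc -O2 -o landlock-demo landlock-demo.c` and run it; on a kernel with Landlock enabled the second probe reports "Permission denied" while the first succeeds. Two points worth keeping in mind follow directly from the commit message: enforcement applies to the current thread and its future children, so call it before spawning threads (or in each thread), and file descriptors already open (stdout here) keep working because Landlock checks at open time. The distinct return value for "unavailable" matters when the sandbox must fail closed: a caller that needs the restriction should treat 1 as an error rather than continue silently.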