From: jmorris@namei.org (James Morris)
To: linux-security-module@vger.kernel.org
Subject: The secmark "one user" policy
Date: Thu, 29 Jun 2017 19:10:52 +1000 (AEST) [thread overview]
Message-ID: <alpine.LRH.2.20.1706291826200.3111@namei.org> (raw)
In-Reply-To: <77bb65a4-d07e-7e92-2f80-d157833c07e8@canonical.com>
On Thu, 22 Jun 2017, John Johansen wrote:
> I don't see why not. The container could be built expecting smack
> labeling, selinux applies 1 or just a few labels to the whole
> container, and accesses within the container are mediated fine grained
> with smack.
This would require that all LSM-tagged objects and subjects be namespaced,
correct? If there is some way that a mediation happens across the
container boundary, things could get confusing (e.g. Smack policy not
seeming to allow things which SELinux is in fact denying).
Note also that LSM and namespaces are not abstracted in identical ways, so
we would need to know what it it means for LSM policy when say networking
is namespaced but not mounts. Or how to deal with shared subtrees.
Namespacing of LSM is probably the more fundamental issue to be resolved.
> A little more speculatively another potential example would be an LSM
> doing a personal firewalls around individual applications. Its really
> very similar to the snappy/flatpak sandboxing of apps but maybe
> someone wants that with out the additional baggage of a bigger LSM.
> Whether it would ever get in upstream is a separate question.
Landlock shows promise here, and stacking it inside one of the major MAC
LSMs seems to make sense.
--
James Morris
<jmorris@namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-06-29 9:10 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-21 0:41 The secmark "one user" policy Casey Schaufler
2017-06-21 7:13 ` James Morris
2017-06-21 15:23 ` Casey Schaufler
2017-06-21 23:07 ` John Johansen
2017-06-21 23:45 ` Casey Schaufler
2017-06-22 0:48 ` John Johansen
2017-06-22 9:54 ` James Morris
2017-06-22 16:17 ` Casey Schaufler
2017-06-23 3:12 ` James Morris
2017-06-23 15:26 ` Casey Schaufler
2017-06-25 9:41 ` James Morris
2017-06-25 18:05 ` Casey Schaufler
2017-06-26 7:54 ` José Bollo
2017-06-26 15:10 ` Casey Schaufler
2017-06-27 10:51 ` José Bollo
2017-06-27 11:58 ` Paul Moore
2017-06-22 18:49 ` John Johansen
2017-06-23 3:02 ` James Morris
2017-06-23 4:32 ` John Johansen
2017-06-29 9:10 ` James Morris [this message]
2017-06-29 16:46 ` John Johansen
2017-06-22 22:24 ` Paul Moore
2017-06-22 23:20 ` Casey Schaufler
2017-06-23 20:47 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.20.1706291826200.3111@namei.org \
--to=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.