On 25/08/2016 13:05, Andy Lutomirski wrote: > On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote: >> Hi, >> >> This series is a proof of concept to fill some missing part of seccomp as the >> ability to check syscall argument pointers or creating more dynamic security >> policies. The goal of this new stackable Linux Security Module (LSM) called >> Landlock is to allow any process, including unprivileged ones, to create >> powerful security sandboxes comparable to the Seatbelt/XNU Sandbox or the >> OpenBSD Pledge. This kind of sandbox help to mitigate the security impact of >> bugs or unexpected/malicious behaviors in userland applications. >> > > Maybe I'm missing an obvious description, but: do you have a > description of the eBPF API to landlock? What function do you > provide, when is it called, what functions can it call, what does the > fancy new arraymap do, etc? > > --Andy > The eBPF context is described in "[RFC v2 06/10] landlock: Add LSM hooks". The provided eBPF functions are described in "[RFC v2 08/10] landlock: Handle file system comparisons" (bpf_landlock_cmp_fs_prop_with_struct_file and bpf_landlock_cmp_fs_beneath_with_struct_file) and "[RFC v2 09/10] landlock: Handle cgroups" (bpf_landlock_cmp_cgroup_beneath). The function descriptions are summarized in include/uapi/linux/bpf.h . This functions can be called by an eBPF program of type BPF_PROG_TYPE_LANDLOCK_FILE_OPEN, BPF_PROG_TYPE_LANDLOCK_FILE_PERMISSION and BPF_PROG_TYPE_LANDLOCK_MMAP_FILE as described in "[RFC v2 06/10] landlock: Add LSM hooks". I tried to split the commits as much as possible to ease the review. The "[RFC v2 10/10] samples/landlock: Add sandbox example" may help to see the whole picture. Hope this helps, Mickaël