On 04/10/2016 01:52, Kees Cook wrote: > On Wed, Sep 14, 2016 at 3:34 PM, Mickaël Salaün wrote: >> >> On 14/09/2016 20:43, Andy Lutomirski wrote: >>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: >>>> A Landlock program will be triggered according to its subtype/origin >>>> bitfield. The LANDLOCK_FLAG_ORIGIN_SECCOMP value will trigger the >>>> Landlock program when a seccomp filter will return RET_LANDLOCK. >>>> Moreover, it is possible to return a 16-bit cookie which will be >>>> readable by the Landlock programs in its context. >>> >>> Are you envisioning that the filters will return RET_LANDLOCK most of >>> the time or rarely? If it's most of the time, then maybe this could >>> be simplified a bit by unconditionally calling the landlock filter and >>> letting the landlock filter access a struct seccomp_data if needed. >> >> Exposing seccomp_data in a Landlock context may be a good idea. The main >> implication is that Landlock programs may then be architecture specific >> (if dealing with data) as seccomp filters are. Another point is that it >> remove any direct binding between seccomp filters and Landlock programs. >> I will try this (more simple) approach. > > Yeah, I would prefer that the seccomp code isn't doing list management > to identify the landlock hooks to trigger, etc. I think that's better > done on the LSM side. And since multiple seccomp filters could trigger > landlock, it may be best to just leave the low 16 bits unused > entirely. Then all state management is handled by the landlock eBPF > maps, not a value coming from seccomp that can get stomped on by new > filters, etc. Right, this approach should be simpler, more efficient and independent from seccomp. This will be in the next RFC.