From: Randy Dunlap <rdunlap@infradead.org>
To: "Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>, "Mickaël Salaün" <mic@digikod.net>, linux-kernel@vger.kernel.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Alexei Starovoitov <ast@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Andy Lutomirski <luto@amacapital.net>, Arnaldo Carvalho de Melo <acme@kernel.org>, Casey Schaufler <casey@schaufler-ca.com>, Daniel Borkmann <daniel@iogearbox.net>, David Drysdale <drysdale@google.com>, "David S . Miller" <davem@davemloft.net>, "Eric W . Biederman" <ebiederm@xmission.com>, James Morris <jmorris@namei.org>, Jann Horn <jann@thejh.net>, John Johansen <john.johansen@canonical.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Michael Kerrisk <mtk.manpages@gmail.com>, Paul Moore <paul@paul-moore.com>, Sargun Dhillon <sargun@sargun.me>, "Serge E . Hallyn" <serge@hallyn.com>, Shuah Khan <shuah@kernel.org>, Stephen Smalley <sds@tycho.nsa.gov>, Tejun Heo <tj@kernel.org>, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>, Thomas Graf <tgraf@suug.ch>, Tycho Andersen <tycho@tycho.ws>, Will Drewry <wad@chromium.org>, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH bpf-next v10 10/10] landlock: Add user and kernel documentation for Landlock
Date: Thu, 1 Aug 2019 10:49:05 -0700
Message-ID: <08c94f99-68e0-4866-3eba-28fa71347fca@infradead.org>
In-Reply-To: <2ced8fc8-79a6-b0fb-70fe-6716fae92aa7@ssi.gouv.fr>

On 8/1/19 10:03 AM, Mickaël Salaün wrote:
>>> +Ptrace restrictions
>>> +-------------------
>>> +
>>> +A landlocked process has less privileges than a non-landlocked process and must
>>> +then be subject to additional restrictions when manipulating another process.
>>> +To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
>>> +process, a landlocked process must have a subset of the target process programs.
>>            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Maybe that last statement is correct, but it seems to me that it is missing something.
>
> What about this:
>
> To be allowed to trace a process (using :manpage:`ptrace(2)`), a
> landlocked tracer process must only be constrained by a subset (possibly
> empty) of the Landlock programs which are also applied to the tracee.
> This ensure that the tracer has less or the same constraints than the

       ensures

> tracee, hence protecting against privilege escalation.

Yes, better.  Thanks.

-- 
~Randy
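Review bot: the closing sentence of the hunk, "a landlocked process must have a subset of the target process programs", leaves both the direction of the subset relation and what "programs" refers to unexplained; say explicitly that the Landlock programs enforced on the tracer must be a subset (possibly empty) of those enforced on the tracee, so that the tracer is at least as constrained as the tracee, as the reworded paragraph in this reply does. In the first sentence, "has less privileges" should read "has fewer privileges".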
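As an added illustration of the rule restated in the reply above (a constructed model written for this page, not code from the Landlock patch series or from the kernel): each process carries a chain of enforced Landlock programs, inherited across fork and extended whenever the process enforces one more program, and a tracer may ptrace a tracee only when the tracer's chain is a suffix of the tracee's chain, i.e. the tracer is constrained by a subset, possibly empty, of the programs also applied to the tracee. The program names, task names and the function `model_ptrace_access_check` are assumptions of the example; the kernel's real hook performs other checks as well.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One Landlock program enforced on a process hierarchy (constructed model).
 * A node points to the chain that was already enforced when it was added,
 * so chains are shared, immutable suffixes: a child that enforces one more
 * program gets a new head whose prev is the parent's head. */
struct ll_prog {
	const char *name;
	const struct ll_prog *prev;	/* earlier programs, or NULL at the root */
};

/* A process's Landlock state is the head of its chain (NULL = unconstrained). */
struct task {
	const char *comm;
	const struct ll_prog *landlock;
};

/* True when every program constraining the tracer also constrains the
 * tracee: the tracer's head must be reachable by walking the tracee's chain
 * towards the root (the empty chain is a subset of every chain). */
static bool tracer_is_subset_of_tracee(const struct task *tracer,
				       const struct task *tracee)
{
	const struct ll_prog *walk;

	if (tracer->landlock == NULL)
		return true;
	for (walk = tracee->landlock; walk != NULL; walk = walk->prev) {
		if (walk == tracer->landlock)
			return true;
	}
	return false;
}

/* Model of the ptrace access hook: 0 when allowed, -EPERM when denied.
 * Hypothetical name; the kernel's hook also consults other policies. */
static int model_ptrace_access_check(const struct task *tracer,
				     const struct task *tracee)
{
	return tracer_is_subset_of_tracee(tracer, tracee) ? 0 : -EPERM;
}

/* Constructed scenario: a shell enforces program A, forks one child that
 * additionally enforces B, another that additionally enforces C, and one
 * that enforces nothing more. */
static const struct ll_prog prog_a = { "fs-readonly", NULL };
static const struct ll_prog prog_ab = { "no-network", &prog_a };
static const struct ll_prog prog_ac = { "no-exec", &prog_a };

static const struct task unconstrained = { "init", NULL };
static const struct task shell = { "sh", &prog_a };
static const struct task sibling = { "sh-fork", &prog_a };
static const struct task child_ab = { "worker", &prog_ab };
static const struct task child_ac = { "helper", &prog_ac };

/* Named results so each outcome can be checked rather than only printed. */
int check_parent_traces_child(void)    { return model_ptrace_access_check(&shell, &child_ab); }
int check_equal_constraints(void)      { return model_ptrace_access_check(&shell, &sibling); }
int check_child_traces_parent(void)    { return model_ptrace_access_check(&child_ab, &shell); }
int check_siblings(void)               { return model_ptrace_access_check(&child_ab, &child_ac); }
int check_unconstrained_tracer(void)   { return model_ptrace_access_check(&unconstrained, &child_ab); }
int check_sandboxed_traces_init(void)  { return model_ptrace_access_check(&shell, &unconstrained); }

int main(void)
{
	printf("sh      -> worker : %d\n", check_parent_traces_child());
	printf("sh      -> sh-fork: %d\n", check_equal_constraints());
	printf("worker  -> sh     : %d\n", check_child_traces_parent());
	printf("worker  -> helper : %d\n", check_siblings());
	printf("init    -> worker : %d\n", check_unconstrained_tracer());
	printf("sh      -> init   : %d\n", check_sandboxed_traces_init());
	return 0;
}
```

The two denied sibling and child-to-parent cases are the ones the paragraph is about: a process that enforced an extra program must not be able to attach to a process that did not, since it could otherwise use the tracee to act outside its own sandbox.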